On 7/11/24 21:37, Richard Fontana wrote:
On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa <ngomp...@gmail.com> wrote:
On Thu, Jul 11, 2024 at 11:45 AM David Cantrell <dcantr...@redhat.com> wrote:
On 7/11/24 11:19 AM, Richard Fontana wrote:
On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana <rfont...@redhat.com> wrote:
On Thu, Jul 11, 2024 at 10:05 AM David Cantrell <dcantr...@redhat.com> wrote:
Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it has:
License: LicenseRef-NPSL-0.94
Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately
referred to the license we are now calling `LicenseRef-NPSL-0.92`
(Callaway/Cotton "NPSL") but the license of Nmap changed several more
times in the progression to 7.95.
The exception is only for LicenseRef-Nmap and not these NPSL variants, right?
Which means nmap will have to be removed?
Yes,
Actually the Nmap maintainer/licensor has informally offered to let
Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood
what they were saying correctly) so that is a possibility. But clearly
not a long-term solution.
This idea makes me somewhat nervous. Why would Fedora get an exception and not
other distributors (or do other distributions also have exceptions)? And what
does that mean for the actual code or patches shared between distributions? I
think unless the license in the source actually changes, taking this route
would lead to problems.
Do we know if upstream is open to discussing relicensing to a well-known and
established open source license that would still offer the protections and
guarantees they want? That may not be possible. Reading the LicenseRef-Nmap
license I see a contributor agreement, lots of restrictions on derived works
and how those are licensed, a patent grant, explicit permission to link with
OpenSSL (thanks!), the license is governed by the laws of the State of
Washington (ok, sure), an advertising clause if you set up a web site to
execute nmap and display results -but then- the very next block says you don't
have permission to use the trade names, trademarks, service marks, or product
names.
Looking a bit further at Fedora downstreams, I do see that nmap is part of
RHEL. And has been since RHEL-3. Right now that's inherited via nmap's
inclusion in Fedora. If Fedora were to remove nmap, RHEL would have a decision
to make. I suppose that's fine, we are talking about Fedora here. But we
would at least want RHEL to be aware if that change were to happen.
All the distributors that asked got the exception. I believe at one
point it was even publicly stated that everyone could do this without
requesting it after so many asked.
A further issue here is that many other distros seem to be assuming
that the iterations of the NPSL after the universally-condemned NPSL
0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what
this is based on beyond a well-meaning impulse to believe that any
change to NPSL 0.92 must have been good enough.
Yes. Also, if every distribution that requested the exception got the
exception why does this license even need to exist? If granting
exceptions is normal but also allowing continued use of NPSL could lead
to unusual and/or unresolvable situations with downstream modifications
being under an NPSL variant or under _what_ for those granted an exception.
Fedora can't be parked on nmap 7.92 forever, which is why I go back to
removal from Fedora unless a subset of us want to have a conversation
with upstream about licensing and try to get nmap under more acceptable
terms.
--
David Cantrell <dcantr...@redhat.com>
Red Hat, Inc. | Boston, MA | EST5EDT
--
_______________________________________________
legal mailing list -- legal@lists.fedoraproject.org