Pwntools has GPL Dependencies, is not Pure MIT #672
Comments
I agree that this is a good change, however I do not have the time to work on it.
Not a rush, but we'd like to eventually look into adding pwntools to the default Binary Ninja install, which might have prompted this investigation. When we get more serious about it (lots of other things we're working on first, unfortunately), if no progress has been made I'll submit some PRs. Thanks for putting the list together, @zachriggle, it's good to see what would need to change and gives me a good idea of the scope of what's left. Some additional context about whether constants are covered under copyright: https://books.google.com/books?id=89-B1pTiPw8C&pg=PA88&lpg=PA88&dq=are+constants+copyrightable&source=bl&ots=EEuIgPnwL1&sig=nqPAe_GO219C44c-j3WSGY0w46c&hl=en&sa=X&ved=0ahUKEwjK6L2Si8_OAhWFTSYKHQ5oBXkQ6AEITjAH#v=onepage&q=are%20constants%20copyrightable&f=false. I'd definitely say it's easiest to just ask the authors their interpretation, as that tends to be the easiest way to be safe.
It also looks like we need to figure out the license status of all of our pip dependencies -- recursively. I'm not sure of a good way to do this.
I created a small utility to recursively check licenses: https://github.com/zachriggle/license_check. From the output of the utility below, we should be OK except for
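The recursive check discussed in the two comments above, written out as an added example for this page. It is not the license_check utility linked above and does not reproduce its output; it uses only the standard library (importlib.metadata, Python 3.8+) to read each installed distribution's License field, Trove classifiers and Requires-Dist entries, walks the dependency tree from a root package, and reports GPL/AGPL hits with the dependency path that reached them. LGPL is reported separately rather than flagged as strong copyleft, and dependencies gated behind an extra are skipped because a plain install does not pull them in. The sample graph and its distribution names are constructed for the example and are not real PyPI metadata.

```python
"""Recursive licence audit of a pip dependency tree (added example, not the
license_check tool linked in the thread). Stdlib only."""
import re
from importlib import metadata
from typing import Dict, List, Optional, Set, Tuple

# Strong copyleft: GPL and AGPL in any version. LGPL is deliberately not matched
# here: neither "\bA?GPL" nor "GNU General" occurs in how LGPL is spelled.
STRONG_COPYLEFT_RE = re.compile(
    r"\bA?GPL|GNU (?:Affero )?General Public License", re.IGNORECASE)
WEAK_COPYLEFT_RE = re.compile(
    r"\bLGPL|GNU (?:Lesser|Library) General Public License", re.IGNORECASE)


def canonical(name: str) -> str:
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' name the same dist."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(license_field: str, classifiers: List[str]) -> str:
    """'strong' (GPL/AGPL), 'weak' (LGPL) or 'other', from License + classifiers."""
    text = " ".join([license_field or ""] + list(classifiers))
    if STRONG_COPYLEFT_RE.search(text):
        return "strong"
    if WEAK_COPYLEFT_RE.search(text):
        return "weak"
    return "other"


def requirement_name(req: str) -> Optional[str]:
    """Canonical name from a Requires-Dist entry; None if gated behind an extra.

    Version specifiers and other environment markers are ignored on purpose:
    the question here is what licence a dependency carries, not which version.
    """
    spec, _, marker = req.partition(";")
    if "extra" in marker:
        return None
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
    return canonical(m.group(1)) if m else None


def load_installed() -> Dict[str, dict]:
    """Dependency graph of everything pip has installed in this interpreter."""
    graph: Dict[str, dict] = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue
        graph[canonical(name)] = {
            "license": dist.metadata.get("License") or "",
            "classifiers": dist.metadata.get_all("Classifier") or [],
            "requires": dist.requires or [],
        }
    return graph


def audit(graph: Dict[str, dict], root: str) -> Dict[str, list]:
    """Walk root's transitive requirements once each and collect licence hits.

    Returns {'strong': [(dist, chain)], 'weak': [(dist, chain)], 'unknown': [dist]};
    chain is the dependency path (root first) that first reached the dist.
    """
    report: Dict[str, list] = {"strong": [], "weak": [], "unknown": []}
    seen: Set[str] = set()

    def visit(name: str, chain: Tuple[str, ...]) -> None:
        if name in seen:
            return
        seen.add(name)
        dist = graph.get(name)
        if dist is None:
            report["unknown"].append(name)  # not installed, so nothing to vouch for
            return
        kind = classify(dist["license"], dist["classifiers"])
        if kind != "other":
            report[kind].append((name, chain))
        for req in dist["requires"]:
            child = requirement_name(req)
            if child is not None:
                visit(child, chain + (child,))

    visit(canonical(root), (canonical(root),))
    return report


# Constructed sample metadata with fictional names (not real PyPI data) so the
# example runs offline; load_installed() is the live equivalent.
SAMPLE_GRAPH = {
    "exploit-kit": {"license": "MIT", "classifiers": [],
                    "requires": ["lifter >=1.0", "helpers", 'docs-theme ; extra == "docs"']},
    "lifter": {"license": "", "classifiers": ["License :: OSI Approved :: BSD License"],
               "requires": ["vex-bindings"]},
    "vex-bindings": {"license": "GPLv2", "classifiers": [], "requires": []},
    "helpers": {"license": "", "requires": ["vex-bindings", "missing-lib"],
                "classifiers": ["License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)"]},
}


def format_report(report: Dict[str, list]) -> str:
    lines = [f"{kind} copyleft: {name}  via {' -> '.join(chain)}"
             for kind in ("strong", "weak") for name, chain in report[kind]]
    lines += [f"unknown: {name} (not installed, licence not checked)" for name in report["unknown"]]
    return "\n".join(lines) or "no copyleft dependencies found"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python license_audit.py pwntools (in a venv with it installed)
        print(format_report(audit(load_installed(), sys.argv[1])))
    else:
        print(format_report(audit(SAMPLE_GRAPH, "exploit-kit")))
```

Run it inside a virtualenv where the package under review is installed, so the walk sees exactly the distributions a user would get; an "unknown" entry means a requirement is not installed in that environment and its licence was not checked at all. Classifiers and License fields are self-reported by each package, so a clean run is a starting point for asking the authors, not a substitute for it.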
@psifertex can you verify my conclusion about the dependencies above?
It looks like Angr has an amicable license, but some of its minor dependencies are GPL. I've requested license addendums from @zardus for
I've updated ana, cooldict, idalink, and mulpyplexer to BSD. However, VEX is GPL, and angr relies on it for binary translation. We're currently in the process of making the binary translation backends pluggable (which would allow something else to be used in the place of VEX when necessary), but that is not yet done.
Thanks so much, @zardus! Are the VEX dependencies on the language, or on a pre-existing implementation?
PyVEX is a python wrapper around VEX (in fact, we've licensed the C part of it, https://github.com/angr/pyvex/tree/master/pyvex_c, as GPL). The C part of it absolutely depends on a pre-existing implementation. The Python part of pyvex loads the shared object and translates the result to python (the "language", you could say), and the rest of angr purely uses this "language". An easy "license firewall" would be to make a quick "pyvex server" and have pyvex ship the translated VEX results (Python objects) over rpyc to the process running angr, when licensing is important. It'd slow things down, but might not be too bad with proper caching (although, to be honest, the ROP analysis is going to suffer the worst performance penalty, by far). By my understanding, this should isolate the GPL and non-GPL components properly, and we can probably knock something like that out fairly quickly.
Bummer. I expect VEX goes all the way back up to Valgrind, which is not likely to be relicensed ;-) I don't know how much process separation gets us -- the issue comes with distributing/using, IIRC.
IANAL, but my understanding is that a commercial entity that distributes software containing GPL components only needs to distribute source for the GPL components themselves, with "GPL component" defined as anything that needs to link against GPL code. If the "license firewall" works, then a distributor of angr would only need to provide the source code for VEX and PyVEX on demand. GPLv2 (which VEX uses), as far as I know, makes no restrictions on usage. Again, IANAL and I don't even play one on the internet. Just my understanding, which could be very wrong.
Is it good for a BSD one? |
Or BSD, whichever. |
ROPgadget is now licensed under the BSD license: JonathanSalwan/ROPgadget@d0165b4 |
Pwntools' current mixed licensing (specifically including GPL'ed things) restricts its commercial usage.
Specifically, inclusion of any GPL code requires distribution of all code which uses it. A commercial product that wants to include Pwntools would be required to distribute their source for the commercial product.
We should remove all non-MIT-licensed source, and seek out MIT-licensed alternatives or derivatives.
In particular, we need to remove, or find a new source for the following sets of data. I have included a possible alternative for each.
pwnlib/data/crcsums.txt
pwnlib/data/useragents
pwnlib/data/includes/generator/linux
(i.e. DietLibc headers)