-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NPSL License Improvements #2199
Comments
Hi Ulrich. Thanks for posting your feedback. We aren't licensing or copyright experts, but we want the NPSL to be an improvement over the previous license (which also had problems). Regarding your three points:
I'm changing this issue title to something more actionable so I can assign it to myself and add it to our ProjectBoard for the next release. If anyone else has comments or suggestions regarding the NPSL, feel free to post them here as well. For the next Nmap release, we at least want to have the Section 0 thing fixed, but we're also considering bigger changes or even move to another license if we find ones that meet our needs well. |
This is not an attempt at thread hijacking, it's just a question regarding this license change. I'm the one that brought this up for NixOS. But something that I haven't seen discussed anywhere really is if the nmap project actually could change the license to begin with.
So I'm questioning both if this new license is free software, just as this thread is about. But I'm also questioning if this license change is legal to begin with. |
Hi @etu . Good question. Yes, we do have more than 100 signed copyright assignment contracts from major developers (everyone we have paid), and those probably represent at least 95% of the code changes in recent years. We don't do signed contracts for one-off small code contributions, but we do make it very clear that we only accept the code on the condition that the contributor is offering us full rights to relicense the code in our work. The text of the previous license included:
This note is also on the top of every source code file, in the man page, HACKING file, etc. We have been offering Nmap under different licenses to customers for more than 20 years so it has always been important that we can relicense code contributions. This is how we fund the project and pay developers. We have also made many changes to the open source Nmap license over the years. We also repeatedly discussed and solicited comments on the NPSL on the Nmap development list before it was ever applied to the code. If any Nmap contributor has concerns about the license, we'd be happy to hear their thoughts. Finding the right license is tough. |
Another problematic section in the license is that it claims that the GNU GPL defines the terms:
But there are terms that directly conflict with the GNU GPL (some mentioned above), which prohibits adding terms that would put future restrictions on the user of the software. See section 6 of the GNU GPL:
The text is hard to understand which license is applicable (GNU GPLv2 or the NPSL, because it cannot be both). Wouldn't it be better to choose a plain free software license that is approved by the FSF and the OSI? |
@ams - The GPLv2 section about not adding further restrictions to the GPL means that if you receive code under the GPLv2, you can't add any further restrictions when you redistribute that code. This means, for example, that we can't take GPL code from 3rd parties and put it under the NPSL. So we can't and don't put GPLv2 code from 3rd parties into Nmap. And NPSL code cannot be integrated into GPLv2 programs. They aren't compatible licenses. The FSF does allows people to create new licenses based on GPL text (even if the new licenses aren't GPL-compatible), which is what we have done with the NPSL. Regarding cases where the NPSL main body license text conflicts with the GPLv2 text in Exhibit A, Section 2 says that "Where the terms in this Main License Body conflict in any way with the GPL, the Main License Body terms shall take precedence." The license also clearly states that it is not GPLv2 compatible. I agree that it would be cleaner to rewrite the NPSL so it doesn't depend on the GPLv2 Exhibit and has all the key terms in the main body itself. And it would be cleaner still to just use an existing well-written license as you suggest. We will be looking into those options, but we have a lot of other work on our plate too. The NPSL terms are not very different than the previous license (which was also based on GPLv2 but with various exceptions and clarifications which made it not-GPLv2-compatible). I think giving the NPSL its own names makes it more clear that it is under its own GPLv2-incompatible license so there is less confusion. And I think some of the terms are improved from the old license and that we can fix regressions such as the Section 0 problem that @ulm pointed out. Our main goal with the license, in case it's not clear, is to allow unlimited free use of Nmap by end users (including commercial use), while charging companies who want to build and sell commercial products on top of Nmap through our Nmap OEM program. The goal has been to avoid the much more common tact of having a "free version" with limitations and then a non-free pro version with extra features. So we need to either have a license which supports the current business model, or switch to a different business model, or give up on a business model and lay off the developers who are currently working full time improving Nmap. So we're trying to find the best balance for everyone. We are also hoping to hire another full time developer next year. I hope this helps. If anyone wants to recommend a great copyright lawyer with open source experience that we could hire to consult on these matters and potentially help draft a new license, please email me at fyodor@nmap.org. Cheers! |
Regarding cases where the NPSL main body license text conflicts
with the GPLv2 text in Exhibit A, Section 2 says that "Where the
terms in this Main License Body conflict in any way with the GPL,
the Main License Body terms shall take precedence." The license
also clearly states that it is not GPLv2 compatible.
I'll leave out the interpretation of section 6, which I do not believe
is the correct one here. A more pressing question, I think, is if
nmap is free software or not at this point?
Our main goal with the license, in case it's not clear, is to allow
unlimited free use of Nmap by end users (including commercial use),
while charging companies who want to build and sell commercial
products on top of Nmap through our Nmap OEM program.
Does that mean that nmap is intented to be non-free software
(www.gnu.org/philosophy/free-sw.html)? Freedom zero means that anyone
can use a program for any purpose, including building and selling
commercial products with it which seems to conflict with the above.
I hope this helps. If anyone wants to recommend a great copyright
lawyer with open source experience that we could hire to consult on
these matters and potentially help draft a new license, please
email me at ***@***.***
Maybe the FSF License and Compliance Lab could help you: legal@fsf.org
|
Modifying the GNU GPLv2 for your own purposes also brings along the possible issue that the license itself is licensed under the "verbatim license":
|
@AI0867 - That is a good point, but the FSF does allow folks to make modified licenses based on the GPL. It's in their FAQ. Also, the copy of the GPL that we include as Exhibit A in the NPSL is verbatim except that we cut out the "How to Apply These Terms to Your New Programs" section as the FSF requests in their FAQ entry. That section would be confusing in this context. We have worked closely with the FSF in the past, donationed to them, and greatly respect them. If the FSF ever tells us that they don't want us including the GPL license in the NPSL in this way, we will change it ASAP. |
@fyodor, could you clarify if the intent of nmap is to be free
software or not?
GNU/Linux and BSD distribution need clarification on this point
because they might or might not be able to distribute nmap anymore or
have to recategorize where it resides.
The NPSL clearly has terms that make it incompatible with both the
Free Software and Open Source Definition, @fyodor also acknowledges
this point that the intent is to limit who can use nmap.
But nmap advertises it self as a "free and open source", and the
license preamble says that it should be "compliant with the Open
Source Definition" -- it definitly is not. So this is all confusing
and conflicting.
|
@fyodor Would it be possible to get a clarification? The only choice GNU/Linux have right now is to remove nmap from their distributions or mark it as non-free software. |
@fyodor An idea that might be worth trying if feasible is reaching out to the EFF as I'm sure they could help |
It sounds to me like section 0 (preamble) is the only one mentioned in this bug description that actually prevents this software from being FLOSS, and that it also probably differs from its intended meaning, which I think also likely differs from @fyodor's explanation of its intended meaning. (Perhaps section 3 can be interpreted as "not FLOSS" as well, but at least it's not new and had previously been accepted, so I'm addressing the "what actually turned this license non-FLOSS" question.) The license speaks about usage by "proprietary software companies", which does sound like field restriction to me (for instance, "proprietary software company" can include software companies that are owned by someone or a body of people (AFAIK, any software company fits this interpretation), or (more reasonably) it could mean a company that creates software and licenses as proprietary, but that only use nmap as part of FLOSS-licensed software they distribute.
I'd like to suggest (and @fyodor please correct me if this is mistaken), that what was actually meant here, is "while charging companies who want to build and sell proprietary commercial products". In which case, all that's really needed here AFAICT is clearer language to say the intended thing. Perhaps simply moving the word "proprietary", as: " I think that phrasing still has a problem with the word "use", though. AIUI a program can't be Free/open if it restricts execution by another program (this is different from linking, of course). But perhaps my understanding there is inaccurate. |
@micahcowan - Thanks for your suggestions. Yes, our intent of that section is to simply explain that because the NPSL terms do not allow inclusion within proprietary software, "proprietary software vendors" (like anyone else) would have to purchase the Nmap OEM license to include it within their proprietary software. If a "proprietary software vendor" also releases free software in compliance with the NPSL, that is great and we certainly don't want or mean to take away that right from them. We do understand how the wording is problematic and we are planning to rewrite this before the next Nmap release. |
I believe the "proprietary software vendor" clause is a needless complication. Wouldn't it be simpler to put the code under a normal copyleft license and indicate to interested parties (outside the text of the copyleft license) that they can purchase a proprietary license from you? If you have the right to relicense 100% of the code as stated above, then you can do this dual-license scheme. The end result is that |
What about GPL-3.0-or-later? Does that license achieve what you are trying to do? |
I agree completely.
I don't think this is quite correct, however. Shouldn't "non-copyleft" be substituted for "proprietary?" I don't see that as a problem, but it's an important distinction. |
Fedora has determined NPSL 0.92 is not permitted based largely on the "Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license" text. This constitutes a field of endeavor restriction in our judgment, which is contrary to part 6 of the Open Source Definition. I understand that this is not the intent. If the text is updated in the future, it can be considered for inclusion in Fedora. |
This reverts commit 2323a71. The new license has been deemed non-free by Fedora [1] and there has not yet been a statement by the FSF claiming otherwise. See also [2]. [1] nmap/nmap#2199 [2] https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html
An issue to consider which likely will make lawyers tell their companies to avoid this software is that "Proprietary software Company" is not a defined term in the License. As there is not widely accepted legal definition of proprietary in this context, "Proprietary software Company" must read no differently than "Software Company". Use a well established license without modifications or get a lawyer specializing in copyright and software licensing to write it for you. |
I should also mention, are there any authors for nmap that licensed their contributions as GPL-2.0-only? If so, that could make it hard to relicense nmap under GPL-3.0-or-later. Or as I might suspect, not using GPL-3.0 is likely for making nmap friendlier to companies that avoid GPL-3.0 licensed programs (presumably for its anti-Tivoization clauses). |
Relicensing under GPL-3.0-or-later can't be any harder than relicensing under NPSL 0.92 which already happened. |
nmap >= 7.90 is distributed under a modified license nmap/nmap#2199 Gentoo bug: https://bugs.gentoo.org/749390 Debian bug: https://bugs.debian.org/972216 Guix discussion: https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html
nmap >= 7.90 is distributed under a modified license that many consider problematic. nmap/nmap#2199 Gentoo bug: https://bugs.gentoo.org/749390 Debian bug: https://bugs.debian.org/972216 Guix discussion: https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html Along, link against libssh2 instead of using the bundled version.
nmap >= 7.90 is distributed under a modified license that many consider problematic. nmap/nmap#2199 Gentoo bug: https://bugs.gentoo.org/749390 Debian bug: https://bugs.debian.org/972216 Guix discussion: https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html Along, link against libssh2 instead of using the bundled version.
Just joining the party here. Void Linux has also made the decision to roll back to the last version that had a clear licensing scheme and to bar further upgrades to the package until this is resolved. Since we roughly track Debian and Fedora for handling of unclear licensing we are prepared to drop the package from our main collection and move it to our nonfree repository if the ultimate decision is to retain the NPSL instead of a recognized copyleft license. Though we're a smaller project, I believe its worth sharing this as a data point. My 2c as well as a developer distinct from void is that relicensing is a major change, and was probably worth bumping the left most number, but that's of course a matter of opinion. |
I would like to get clarification about the
Thinking specifically about these parts:
Does this mean that any software which calls and parses nmap's output[0] should be licensed under the NPSL? Because if that's the case, I assume there are quite a considerable number of projects in breach of that, and it might not be the intention of nmap developers. On Debian [1][2], this seems to be the main point in discussing whether the license is DFSG-free or not, I understand the GPL impose similar restrictions, but they're a bit less strict. [0] Surely with the exception of the cases listed there: "typical shell or execution-menu apps, which |
Hi @samueloph . Good questions and thanks for the links. There are many Nmap frontends and parsers which have different licenses, and we support that. They don't generally need to be "NPSL compliant" because they don't need the special rights that would give them (being able to redistribute Nmap as part of their software). Free software projects are usually fine with the idea that the user already has or will obtain Nmap themselves. There are also expensive proprietary products which include Nmap parsers (for inputting your own Nmap scan results into the product) and we don't complain about those either. It's an interoperability feature. The main purpose of this section of the NPSL license is to restrict companies from selling proprietary products which include Nmap and for which Nmap is doing much of the work. They often don't even disclose to the users that Nmap is there. We feel that companies selling products based on Nmap should be contributing back by purchasing an Nmap OEM License. This in turn allows the Nmap Project to pay developers. And it helps the Nmap OEM customers too by ensuring the sustainability and active development of the software they are using in their products. And we provide other important OEM benefits like commercial support and indemnification. All that being said, we agree with many of the criticisms in this thread. We've made a number of small license changes to address people's specific concern, but I don't think that's enough. I'm hoping we can find an existing accepted license which meets our needs. But failing that, I think we should rewrite the NPSL so it doesn't reference the GPLv2 at all. We've added this to our roadmap, but it's a bigger project than it sounds because we need to better understanding and define our licensing goals and needs before we can choose the best approach to meet them. Much of the current license is structured to support our unusual "business model", but maybe we'd be better off just changing the model. Also we're currently in the midst of a lot of exciting Nmap technical development. Still I believe we'll be able to find and implement a solution to this in 2023. We did offer Nmap 7.90, 7.91, and 7.92 under the "old license" as an alternative for distributions and people who prefer that. But distros mostly seemed to stick with the old version of Nmap (under that same old license) instead. So we didn't bother doing that with 7.93. But we're open to that if any major distro feels that it would help them incorporate Nmap 7.93. We're also open to more specific small changes to the NPSL text like we did earlier in this thread to address specific distribution complaints. |
Apologies for missing this before - for some reason (it was in October, so I can't recall exactly) I didn't update LICENSE with the 7.93 bump (perhaps thought the issue wasn't resolved b/c upstream bug still open...?) Bug: nmap/nmap#2199 Signed-off-by: Sam James <sam@gentoo.org>
Apologies for missing this before - for some reason (it was in October, so I can't recall exactly) I didn't update LICENSE with the 7.93 bump (perhaps thought the issue wasn't resolved b/c upstream bug still open...?) Bug: nmap/nmap#2199 Signed-off-by: Sam James <sam@gentoo.org>
Apologies for missing this before - for some reason (it was in October, so I can't recall exactly) I didn't update LICENSE with the 7.93 bump (perhaps thought the issue wasn't resolved b/c upstream bug still open...?) Bug: nmap/nmap#2199 Signed-off-by: Sam James <sam@gentoo.org>
I'm sorry for missing this part before. It would definitely help us in Gentoo. We have 7.93 in Gentoo but not available by default. Note that Debian have packaged up to 7.92 as well, so I think it did end up being helpful in the end. |
Thanks for the update, @thesamesam! We still plan to address this in a better way this year, but I'm glad Gentoo and Debian have been able to upgrade to later versions anyway. |
I should clarify that on Debian's side it's still unclear whether the NPSL license is DFSG-free or not, I've opened a bug report asking for the ftp-master team to evaluate (the bug got closed by accident but I've reopened it): It turns out the discussion became about the older versions of the NPSL license too, it's not anymore only about the recent changes (I think this has been pointed out in this thread before). I don't know when ftp-master will be able to reply, but I'm hoping it will be in the next months, since the new Debian stable release is getting close. And as @thesamesam mentioned, even though the discussion is now about NPSL in general and not only about the new version of it, the exception made by the nmap team to allow people to use nmap up to 7.92 with the old version of NPSL was really helpful at that time. Now that the discussion seems to be more around NPSL (and not its recent changes), I'm considering packaging 7.93. Whatever the decision on Debian side is, it will probably not change by the difference in the license between 7.92 and 7.93. By the time 7.93 reaches stable, there should be something that I can refer to and I can take any needed action. I have to say this whole thing has became the source of some very interesting discussions, and has broaden my understanding of free software in general, even though it's a bit time consuming and stressful (for everyone involved). [0] This helped at that time of uncertainty, but now that there seems to be a better understanding of the whole thing (basically that we need to re-evaluate NPSL against DFSG), the same exception wouldn't help anymore. |
Thanks @samueloph. And we remain open to making further changes to the NPSL if there are specific issues preventing it from being considered DFSG-free. We just don't want to do (another) major license overhaul right now since we're already planning to do that later this year in consultation with major stakeholders. The goal will be switching to an existing free software license (preferred) or at least redrafting NPSL so that it's not based on GPLv2 the way it is now. |
After further review of the NPSL (Version 0.94), I can see how it could be construed as burdening Nmap-related software such as shell scripts, GUIs, and language-specific parsers that may be free software which doesn't ship with Nmap and doesn't need the extra rights granted by the NPSL (such as redistribution rights). The type of software mentioned by @samueloph at #2199 (comment). That was never our intention, but we just released NPSL Version 0.95 (annotated HTML version and pure license text) to further clarify that the NPSL is not meant to contaminate other software packages which are separate works that don't incorporate Nmap source code or executables. Thie updated Article 3 (Derivative works) notes that the derivative works definitions and all the other terms only apply to works which "choose to accept this license to benefit from the rights granted herein". It also includes this new paragraph:
A bunch of further clarification was added to the annotated HTML version, including the note that "General purpose Linux distributions which happen to offer both Nmap and 3rd party packages described above for users to choose from are covered by the "mere aggregation" clause of the GPLv2." Also I fixed a CSS problem which was preventing the annotations on the annotated HTML version from showing up in shaded boxes to clearly differentiate them from the actual license text. I hope this helps. Just let me know if you have any questions or concerns. |
Does this retroactively apply to already released nmap versions? The nmap-7.93 tarball comes with NPSL 0.94 in its |
Great point, @ulm. We plan to release Nmap Version 7.94 with the new license (and many other improvements) fairly soon, but I've also just added a note to the Changelog that "Versions of Nmap released under previous versions of the NPSL may also be used under the NPSL 0.95 terms." |
Any updated on when this will be resolved? Nmap is still in the blacklist for parabola (FSDG GNU/Linux Distro) at the moment. When its resolved i will inform them so they can unblacklist it. |
Hi @JamesClarke7283 . The part you quoted was resolved (we released Nmap Version 7.94 with the new and improved Nmap Public Source License (NPSL) Version 0.95 as promised. As for whether it resolves the license issue to Parabola's satisfaction, I don't know. The Parabola page you reference says "the FSF considers the v7.9x license to be non-free" but I think they're referring to a license wording "defect" claimed by the FSF's on Jan 8, 2021 that we fixed four days later. If Parabola is going to claim that the FSF objects to the current NPSL, they should cite their source. |
The NPSL version 0.95 is still a non-free software license, and a non-open source license. Nothing has changed in that regard. From https://nmap.org/npsl/npsl-annotated.html, there is really nothing to clarify.
|
@fyodor The FSF has not endorsed the NPSL. See my above comment on the matter. |
@TechnologyClassroom. Yeah, I'm not saying the FSF has endorsed the NPSL either. Just that if folks (like Parabola) are going to claim that "the FSF considers the v7.9x license to be non-free", they should cite an actual FSF source for that claim. Just like anyone claiming that the FSF endorses the NPSL license should also be able to back that up. |
Once again, there is no need for the FSF to explicitly state anything. It is beyond clear that the current NMap license is a non-free software license. E.g., from the NMap OEM license page: Redistribution rights—The free Nmap license does not allow redistribution or use of Nmap within proprietary hardware or software products, but an Nmap OEM License allows for unlimited redistribution either within a product line or across the whole company's product portfolio. Maybe you could address the free software and open source community directly about what the intention is. I asked this several years ago in this thread to resounding silence. I also requested a NMap version under the GNU GPL as per the NMap license page for use the GNU system, but also to silence. |
@ams - I disagree but I'm not going to keep arguing the same points over and over with you. We've been doing that for more than three years already. I'm glad you've had your say, but it's enough. I'm not deleting any of your existing comments, but am blocking future ones since you've already made your points here so many times. |
I have looked at the terms, again and found some conflicts that don't align with the Open Source Definition:
With these above points, i think as @ams has said, this is still a proprietary license, even if its not your intention. just that it looks similar to a free license. @fyodor when do you plan to resolve these conflicts? |
the FSF have already given a statement on the previous license, for this reason parabola donesn't need to cite this. More discussion on the GNU mailing list is here If you want an updated statement on the license as @TechnologyClassroom has said in their comment, you need to email their licensing team for them to review it. But i personally think that it won't be worth doing that until you are confident @fyodor, that the issues are resolved by this new license. the email is licensing@gnu.org |
It is not clear that the NPSL license has been reviewed by the FSF. Just to clarify again, FSF's Free Software Directory is largely run by volunteers. The mailing list entry is from Bill who leads the Parabola project and is not FSF staff. The history page for the cited source lists two editors for that page. One of which (Donaldr3) is former FSF licensing team staff. They said these statements:
I also want to point out to AMS' point there is an article by RMS about selling exceptions which can be done with the GPL licenses. Selling exceptions does not inherently make a project nonfree, but it is odd that it is included within the text of the license IMO. I share this because it is not a commonly known page and I believe the protections with GPL-3.0-or-later or AGPL-3.0-or-later are what you are after with the intent of the NPSL. |
Here is a sticky one for you. I'm a Technical Account Manager with Red Hat supporting Red Hat's largest customers. This landed in my lap yesterday. The explanation in the annotated NPSL says,
Fair enough. But it opens a can of worms. And now it's under a microscope. Red Hat distributes Red Hat Enterprise Linux (RHEL), which includes nmap. Red Hat's customers might package RHEL into appliances, or resell RHEL as part of some other offering, which likely includes proprietary pieces. Other Linux distributions probably do the same thing. Seems to me, if we follow NPSL to its logical conclusion, it means we can no longer package Nmap with Linux distributions. I doubt anyone likes that conclusion. This thread is 5 years old. Let's find a way that supports the Nmap business model and works for everyone.
|
Hi @dgregscott . Thanks for your comments. We consider RHEL's redistribution of Nmap to be "mere aggregation" of Nmap with all the other packages you distribute. The NPSL restrictions are for "derivative works" as defined in Section 3. If someone "resells RHEL as part of some other offering, which likely includes proprietary pieces" then the Nmap part is still mere aggregation and not a NPSL violation as long as the "proprietary pieces" aren't using Nmap so intimately that they would be considered a derivative work of Nmap. And if a company is selling a proprietary Nmap derivative, requiring them to contribute to the project by purchasing an Nmap OEM redistribution license is an intentional NPSL license goal. The idea is that companies selling products derived from Nmap should pitch in to support the Nmap Project itself. Hundreds of companies already do, and it's how we hire full-time developers to work on Nmap and Npcap. And our customers (along with millions of free users) in turn benefit from our constant Nmap improvements. For example we just released Nmap 7.95 last month. This is similar to the way RedHat has engineered things so that RHEL users generally have to buy a subscription. While the NPSL is fairly unique, this situation is similar to many other packages in RHEL. For example RHEL includes many software libraries that are licensed under GPLv2. RHEL can do that under the "mere aggregation" clause and so can RHEL resellers if they are also doing mere aggregation. But if they link their own proprietary software to those GPLv2 libraries that are part of RHEL, they would be violating the license if they don't receive special permission from the copyright holders. In the case of Nmap, our OEM redistribution license serves as that special permission. And since Nmap isn't a library, the NPSL explicitly defines derivative works more broadly to cover the ways that proprietary software typically builds on top of Nmap (executing Nmap and parsing the results). This is similar to the way the AGPL is often used for software that is typically offered as a network service rather than a library or downloaded executable. I hope this helps. We are keeping this issue open because still plan to re-evaluate the Nmap license and ditch or improve the NPSL, but we are a very small organization and are always juggling many other important project priorities as well. |
openSUSE moved nmap to non-free: https://bugzilla.opensuse.org/show_bug.cgi?id=1211571 |
Fedora has reviewed NPSL 0.95 and concluded it is "not-allowed". In part due to confusion caused by this succession of Nmap licenses, it appears Fedora is currently distributing versions of Nmap under this license (with inaccurate license metadata). This is an error and I'll look into figuring out how to correct this. Fedora bugzilla filed: https://bugzilla.redhat.com/show_bug.cgi?id=2296006 FWIW, the main problems I identified in reviewing NPSL 0.95 were the "External Deployment" badgeware-ish provision and the section redefining "Derivative Works". I viewed this version of the license text: https://github.com/nmap/nmap/blob/47919b8dac98ad0f2639018e2b99ea3ad6b5e70a/LICENSE |
Thanks for your detailed review, @richardfontana . We will keep your points in mind as we re-evaluate the Nmap license with the goal of ditching or improving the NPSL. We definitely want to get rid of the "based on the GPLv2" aspect, and it will be even better if we can switch to an already-widely-approved existing license rather than writing our own. Just to properly set expectations: This license restructuring is an important project on our roadmap, but we're currently focused on some exciting technical improvements for the next release. If any distributions feel that they have to put Nmap in their "nonfree" section or even stop distributing it in the meantime, we understand that and respect whatever acceptable license policies they choose for themselves. |
Update: Fedora has now classified all known Nmap licenses as "not-allowed", but the pre-NPSL one that takes the form of a GPLv2 gloss will be permitted under a policy exception. |
Thanks @richardfontana. If it would be helpful for us to dual-license the latest Nmap 7.95 under the pre-NPSL license so you can use it under your policy exception, just let me know and we will do so. |
Reporting this issue on behalf of the Gentoo licenses team. It has been brought to our attention that nmap-7.90 and later is distributed under updated license terms. We see several clauses in version 0.92 of the Nmap Public Source License as problematic, to the point where we can no longer consider it as a FLOSS license. Therefore, it is license-masked, i.e., with the default distro-wide settings, Gentoo users won't be able to install the latest version of nmap.
In particular:
This won't allow "proprietary software companies" to use or incorporate the software within their programs (i.e., create a derivative work), even if the resulting work was distributed under a free software license. Essentially this is a non-commercial restriction and as such directly violates the Open Source Definition, section 6 "No discrimination against fields of endeavor".
This type of language is typically found in an EULA but not in a FLOSS license. If I download the software from a third party (like Github or a distro mirror), I won't enter into any contract with either Insecure.Com LLC or the third party. Therefore nothing forces me to accept the license unless I would do any actions (like redistributing) that are covered by copyright law. Also, in the typical case, I won't even have the chance to read the license before downloading.
We're aware that this point existed in previous versions of the license, but we still find it somewhat problematic. For example, it would make GNU coreutils a derived work of nmap because its programs can read those files, e.g., "cat /usr/share/nmap/nmap-os-db".
Gentoo bug: https://bugs.gentoo.org/749390
Debian bug: https://bugs.debian.org/972216
Guix discussion: https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html
The text was updated successfully, but these errors were encountered: