Hi Craig,

> > Are you in any way interested to see portsentry included in the next official Debian release? I (but not just me) would really like to include portsentry in the upcoming release (potato), but this would require some rather small changes in the copyright to meet Debian policy.
>
> I would love for this to happen. The main problem is the license. My software is not GNU/BSD. This is for a variety of reasons:
>
> 1) I need to ensure code integrity because of the nature of the tool. If a person makes a change to the code that seriously hurts security it reflects poorly on me. I've had some patch submissions that did exactly that (one even introduced a remote root exploit!!). I need to ensure that I maintain control over all versions where possible.

This is a substantial concern, and one which I think others have also faced. One solution which seems to work well is to keep the PortSentry name a certification mark belonging to you, and subject to your approval for use. On the other hand, you can allow unapproved patches to be made to PortSentry on the conditions that:

1) Source patches be packaged separately from the official source (not preferred); and/or that

2) Binary distribution of derivatives be clearly marked as "Derived from PortSentry."

> 2) I work for Cisco Systems Inc. and specifically do development work on intrusion detection and vulnerability assessment tools (NetRanger/NetSonar). I need to make sure nobody bundles all my tools together and sells them separately. This is a conflict of interest and could get me fired. My employment contract specifically excludes my tools to protect myself and my end users, but I don't want to stir up any problems where none exist.

Well, I cannot comment on the specifics of your employment contract, of course. But it seems to me that if you use a GPL-type license which requires that PortSentry be distributed with source code, or with an offer to provide source code, and that all such distribution be made under your license, which ensures that there is no misunderstanding as to the free nature of the software, you should be fine. But if you are concerned about this, why not discuss it with Cisco's legal department? They may be very happy to get some good press out of this, so long as their proprietary IP is not compromised.

> I would be happy to discuss these issues directly with anyone from the Debian team. Perhaps a compromise can be reached somehow. You can see from the license that I want to encourage the free OS's to use the tools because of the value they have given to me. I'm very flexible in many respects to this and I need to think about the entire issue some more to decide what to do. Perhaps the person from Debian who is responsible for this decision can write me so we can chat?

Debian isn't quite so organized as that - as a completely volunteer organization, we all contribute as we can. Most decisions of this nature tend to be a matter of consensus. What is certain is that in order for PortSentry to be included in Debian's main distribution, it must not prevent modification or sale. This, however, does not prevent you from making restrictions upon the use of your name or that of your product. Hopefully, this will give you some room to find a solution which respects your interests fully, while further benefiting the open source community.

