Bug#291658: nessus-plugins: non-free

2005-01-22 Thread Javier Fernández-Sanguino Peña
severity 291658 normal
retitle 291658 nessus-plugins: Some NASL plugins in release 2.2.2a (and later) are non-free
thanks

On Sat, Jan 22, 2005 at 08:26:39AM +0100, Florian Weimer wrote:
 
> Upstream claims that large parts of nessus-plugins have never been
> licensed under the GPL.  The copyright status of many NASL scripts is
> indeed very unclear.

This claim only applies to post-2.2.2a releases, as you can see from the
COPYING license of all the ftp sources in nessus.org (pre-2.2.2a). Upstream
(that is, Renaud Deraison) has not changed those. So they still apply. 

Moreover, the copyright status of the NASL scripts is not unclear
(copyright holders are stated for all of the scripts). The license status,
however, has changed for some of the NASL scripts in 2.2.2a (and 2.3). 
For previous releases the Nessus Script License = GPL. Debian currently 
distributes 2.2.2 BTW.

> The new upstream license does not give permission to redistribute, so
> it's not suitable for non-free either.

Correct, the _new_ one, which does not apply retroactively to all other
versions (note again that upstream has not changed the copyright statements
in those).  That's why I haven't packaged 2.2.2a yet. I will probably
repackage that version with only a _very_ limited number of plugins and
tell users to go and download them if they want the non-free scripts.

In any case, if you are interested, upstream has not contacted the writers
of some NASL scripts (me included) before re-licensing them. So this
relicensing might not even be valid in some cases, only for those plugins
which are copyrighted by Tenable or Renaud (the majority, however

As I said before, for the 2.3 release I will repackage the NASL scripts and
only provide in the archive those that have been determined to be free
(i.e. GPL or BSD licensed). 

Regards

Javier



2005-01-22 Thread Florian Weimer
* Javier Fernández-Sanguino Peña:

>> Upstream claims that large parts of nessus-plugins have never been
>> licensed under the GPL.  The copyright status of many NASL scripts is
>> indeed very unclear.
>
> This claim only applies to post-2.2.2a releases, as you can see from the
> COPYING license of all the ftp sources in nessus.org (pre-2.2.2a). Upstream
> (that is, Renaud Deraison) has not changed those. So they still apply.

Tenable claims that the GPL has never applied to their plugins, only
to the plugins that were explicitly released under the GPL.

> Moreover, the copyright status of the NASL scripts is not unclear
> (copyright holders are stated for all of the scripts). The license status,
> however, has changed for some of the NASL scripts in 2.2.2a (and 2.3).
> For previous releases the Nessus Script License = GPL. Debian currently
> distributes 2.2.2 BTW.

From what information do you infer this?

The plugins I'm most interested in are:

#
# (C) Tenable Network Security
#
# v1.2: use the same requests as MS checktool
# v1.16: use one of eEye's request when a null session can't be established
#

(msrpc_dcom2.nasl)

#
# This script is (C) Tenable Network Security
# 10/22/2003 updated by KK Liu 10/22/2003
#   - check messenger service, if not on - exit
#   - check Windows OS 
#

(messenger_ms03-043.nasl)

#
# (C) Renaud Deraison
#

(http_asn1_decoding.nasl)

I doubt we can say for sure that these plugins were covered by the
GPL, even though they are distributed in a tarball which happens to
contain a COPYING file.




2005-01-22 Thread Javier Fernández-Sanguino Peña
On Sat, Jan 22, 2005 at 03:52:14PM +0100, Florian Weimer wrote:
 
> Tenable claims that the GPL has never applied to their plugins, only
> to the plugins that were explicitly released under the GPL.

That claim is really not true, since the Nessus Script License was (until
recently) equivalent to the GPL. All plugin developers (me included) have
contributed stuff to plugins based on that. Licensing of plugins has been
discussed previously in the nessus-plugins mailing lists, there was even a
discussion back in 2001 when Renaud was considering changing its license,
please read:

http://archives.neohapsis.com/archives/apps/nessus/2001-q2/0434.html

In that mail upstream (i.e. Renaud) explicitly says that the plugins are 
distributed through the GPL.

> From what information do you infer this?
>
> The plugins I'm most interested in are:
(..)

Those plugins are (c) Tenable or Renaud. Notice that there is no license 
statement in the source code and that they are distributed in 2.1.0 (in 
ftp.nessus.org) with a 'COPYING' file that states they _are_ GPLd.

If upstream does want to relicense these plugins (which it can do, as it 
has (c) on them) then they should also repackage all of those available in 
the public ftp server. So far, they have not done such a thing.

The license issues with the plugins are there, however, in the 2.2.2a and
2.3 release (not packaged in Debian). The plugins distributed with 2.3 have
a different license (the new one, Tenable's Public License) but that
contradicts the license in the code of some of the plugins (both NASL
scripts and .c plugins). It is also incompatible with the GPL and that
makes some plugins' status unclear (specifically .c plugins which are
compiled with libnasl). Again, this applies to 2.3 and 2.2.2a, not to
earlier releases.

As for NASL scripts, here is the breakdown of licenses in 2.3:

- BSD 1
- GPL 455
- Nessus Script License 5188
- UNLICENSED 295

This is not the first time upstream has changed a license to a package
(check out OpenBSD's pf [1] and XFree86) but, IMHO, license changes do not
apply to whatever was distributed (and still is) with a different license.
Copyright holders obviously can re-license stuff, but they've had no
interest in doing it (as the public ftp shows).

The situation of Nessus in Debian, however, could change if all the source
code at ftp.nessus.org were to be relicensed (which is not the case yet).
I just hope upstream will divide the nessus-plugins tar into a GPL and
non-gpl archive to help distributions decide which parts are or aren't
distributable.

Regards

Javier


[1] slashdot.org/article.pl?sid=01/06/25/1557213




2005-01-22 Thread Florian Weimer
* Javier Fernández-Sanguino Peña:

> On Sat, Jan 22, 2005 at 03:52:14PM +0100, Florian Weimer wrote:
>
>> Tenable claims that the GPL has never applied to their plugins, only
>> to the plugins that were explicitly released under the GPL.
>
> That claim is really not true, since the Nessus Script License was (until
> recently) equivalent to the GPL. All plugin developers (me included) have
> contributed stuff to plugins based on that. Licensing of plugins has been
> discussed previously in the nessus-plugins mailing lists, there was even a
> discussion back in 2001 when Renaud was considering changing its license,
> please read:
>
> http://archives.neohapsis.com/archives/apps/nessus/2001-q2/0434.html

Tenable Network Security claims this relicensing never happened for
the plugins.  (I've asked them.)

Mere aggregation with GPL-covered works does not cause software to
fall under the GPL automatically, so Debian is unfortunately on rather
thin ice. 8-(




2005-01-21 Thread Florian Weimer
Package: nessus-plugins
Severity: serious
Justification: Policy 2.2.1

Upstream claims that large parts of nessus-plugins have never been
licensed under the GPL.  The copyright status of many NASL scripts is
indeed very unclear.

The new upstream license does not give permission to redistribute, so
it's not suitable for non-free either.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-rc1fw
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

