On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa <ngompa13@gmail.com> wrote:
On Thu, Jul 11, 2024 at 11:45 AM David Cantrell <dcantrell@redhat.com> wrote:
On 7/11/24 11:19 AM, Richard Fontana wrote:
On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana <rfontana@redhat.com> wrote:
On Thu, Jul 11, 2024 at 10:05 AM David Cantrell <dcantrell@redhat.com> wrote:
Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it has:
License: LicenseRef-NPSL-0.94
Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately referred to the license we are now calling `LicenseRef-NPSL-0.92` (Callaway/Cotton "NPSL") but the license of Nmap changed several more times in the progression to 7.95.
The exception is only for LicenseRef-Nmap and not these NPSL variants, right? Which means nmap will have to be removed?
Yes,
Actually the Nmap maintainer/licensor has informally offered to let Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood what they were saying correctly) so that is a possibility. But clearly not a long-term solution.
This idea makes me somewhat nervous. Why would Fedora get an exception and not other distributors (or do other distributions also have exceptions)? And what does that mean for the actual code or patches shared between distributions? I think unless the license in the source actually changes, taking this route would lead to problems.
Do we know if upstream is open to discussing relicensing to a well-known and established open source license that would still offer the protections and guarantees they want? That may not be possible. Reading the LicenseRef-Nmap license I see a contributor agreement, lots of restrictions on derived works and how those are licensed, a patent grant, explicit permission to link with OpenSSL (thanks!), the license is governed by the laws of the State of Washington (ok, sure), an advertising clause if you set up a web site to execute nmap and display results -but then- the very next block says you don't have permission to use the trade names, trademarks, service marks, or product names.
Looking a bit further at Fedora downstreams, I do see that nmap is part of RHEL. And has been since RHEL-3. Right now that's inherited via nmap's inclusion in Fedora. If Fedora were to remove nmap, RHEL would have a decision to make. I suppose that's fine, we are talking about Fedora here. But we would at least want RHEL to be aware if that change were to happen.
All the distributors that asked got the exception. I believe at one point it was even publicly stated that everyone could do this without requesting it after so many asked.
A further issue here is that many other distros seem to be assuming that the iterations of the NPSL after the universally-condemned NPSL 0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what this is based on beyond a well-meaning impulse to believe that any change to NPSL 0.92 must have been good enough.
Richard