I've done a long overdue review of the various Nmap licenses and have updated fedora-license-data accordingly.
1. LicenseRef-Nmap: not-allowed
Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/543
This is Callaway "Nmap", i.e. the GPLv2-incompatible GPLv2 gloss commented on here: https://fedoraproject.org/wiki/Licensing/Nmap
This license was classified as "good" but on a new review, that assessment seems unjustified and inconsistent with the analysis of the subsequent licenses. While we should be very reluctant to overturn a past "good" classification I don't see any other option here. But there is a usage exception that says versions of Nmap covered by this license can continue to be included in Fedora Linux indefinitely. (I thought of limiting it to a couple of releases.)
2. LicenseRef-NPSL-0.92: not-allowed
Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/542
This was "NPSL" (on the "bad" list) prior to the migration to SPDX identifiers. See: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/...
It was mistakenly imported into fedora-license-data as `LicenseRef-NPSL-0.94`.
3. LicenseRef-NPSL-0.93: not-allowed
Related issues: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/541 https://gitlab.com/fedora/legal/fedora-license-data/-/issues/540
This covers the multiple versions of Nmap licenses labeled as "Version 0.93" and "Version 0.94".
4. LicenseRef-NPSL-0.95: not-allowed
Related issue: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/539
This covers the multiple versions of Nmap licenses labeled as "Version 0.95".
Other relevant issues:
- https://github.com/nmap/nmap/issues/2199
- https://gitlab.com/fedora/legal/fedora-license-data/-/issues/147
- https://bugs.gentoo.org/749390
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972216
- https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html
- https://github.com/NixOS/nixpkgs/issues/105119
- https://labs.parabola.nu/issues/2966
- https://bugzilla.opensuse.org/show_bug.cgi?id=1211571
Richard
On Fri, Jul 5, 2024 at 11:33 PM Richard Fontana rfontana@redhat.com wrote:
> Other relevant issues: https://github.com/nmap/nmap/issues/2199 https://gitlab.com/fedora/legal/fedora-license-data/-/issues/147 https://bugs.gentoo.org/749390 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972216 https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html https://github.com/NixOS/nixpkgs/issues/105119 https://labs.parabola.nu/issues/2966 https://bugzilla.opensuse.org/show_bug.cgi?id=1211571
Also, a couple of related SPDX issues: https://github.com/spdx/license-list-XML/issues/1121 https://github.com/spdx/license-list-XML/issues/2492
Thanks for this information. Nmap in particular continues to confuse me with regards to licensing because they do not really hesitate to revise or replace their license on even a minor update release.
On 7/5/24 11:33 PM, Richard Fontana wrote:
> - LicenseRef-NPSL-0.93: not-allowed
> Related issues: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/541 https://gitlab.com/fedora/legal/fedora-license-data/-/issues/540
> This covers the multiple versions of Nmap licenses labeled as "Version 0.93" and "Version 0.94".
Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it has:
License: LicenseRef-NPSL-0.94
The exception is only for LicenseRef-Nmap and not these NPSL variants, right? Which means nmap will have to be removed?
On Thu, Jul 11, 2024 at 10:05 AM David Cantrell dcantrell@redhat.com wrote:
> Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it has:
> License: LicenseRef-NPSL-0.94
Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately referred to the license we are now calling `LicenseRef-NPSL-0.92` (Callaway/Cotton "NPSL") but the license of Nmap changed several more times in the progression to 7.95.
> The exception is only for LicenseRef-Nmap and not these NPSL variants, right? Which means nmap will have to be removed?
Yes, the reason for the exception applying to Callaway Nmap (LicenseRef-Nmap) is mostly because we gave everyone the expectation for years that the pre-NPSL version of the Nmap license was (barely) legitimate. That's at least partly my fault. Whereas the only post-Callaway-Nmap license Fedora passed judgment on (prior to this thread) was the one we're now calling `LicenseRef-NPSL-0.92` and that was considered "bad" from the start.
Richard
On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana rfontana@redhat.com wrote:
> On Thu, Jul 11, 2024 at 10:05 AM David Cantrell dcantrell@redhat.com wrote:
> > Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it has:
> > License: LicenseRef-NPSL-0.94
> Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately referred to the license we are now calling `LicenseRef-NPSL-0.92` (Callaway/Cotton "NPSL") but the license of Nmap changed several more times in the progression to 7.95.
> > The exception is only for LicenseRef-Nmap and not these NPSL variants, right? Which means nmap will have to be removed?
> Yes,
Actually the Nmap maintainer/licensor has informally offered to let Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood what they were saying correctly) so that is a possibility. But clearly not a long-term solution.
Richard
On 7/11/24 11:19 AM, Richard Fontana wrote:
> Actually the Nmap maintainer/licensor has informally offered to let Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood what they were saying correctly) so that is a possibility. But clearly not a long-term solution.
This idea makes me somewhat nervous. Why would Fedora get an exception and not other distributors (or do other distributions also have exceptions)? And what does that mean for the actual code or patches shared between distributions? I think unless the license in the source actually changes, taking this route would lead to problems.
Do we know if upstream is open to discussing relicensing to a well-known and established open source license that would still offer the protections and guarantees they want? That may not be possible. Reading the LicenseRef-Nmap license I see a contributor agreement, lots of restrictions on derived works and how those are licensed, a patent grant, explicit permission to link with OpenSSL (thanks!), the license is governed by the laws of the State of Washington (ok, sure), an advertising clause if you set up a web site to execute nmap and display results -but then- the very next block says you don't have permission to use the trade names, trademarks, service marks, or product names.
Looking a bit further at Fedora downstreams, I do see that nmap is part of RHEL. And has been since RHEL-3. Right now that's inherited via nmap's inclusion in Fedora. If Fedora were to remove nmap, RHEL would have a decision to make. I suppose that's fine, we are talking about Fedora here. But we would at least want RHEL to be aware if that change were to happen.
On Thu, Jul 11, 2024 at 11:45 AM David Cantrell dcantrell@redhat.com wrote:
> This idea makes me somewhat nervous. Why would Fedora get an exception and not other distributors (or do other distributions also have exceptions)? And what does that mean for the actual code or patches shared between distributions? I think unless the license in the source actually changes, taking this route would lead to problems.
> Do we know if upstream is open to discussing relicensing to a well-known and established open source license that would still offer the protections and guarantees they want? That may not be possible. Reading the LicenseRef-Nmap license I see a contributor agreement, lots of restrictions on derived works and how those are licensed, a patent grant, explicit permission to link with OpenSSL (thanks!), the license is governed by the laws of the State of Washington (ok, sure), an advertising clause if you set up a web site to execute nmap and display results -but then- the very next block says you don't have permission to use the trade names, trademarks, service marks, or product names.
> Looking a bit further at Fedora downstreams, I do see that nmap is part of RHEL. And has been since RHEL-3. Right now that's inherited via nmap's inclusion in Fedora. If Fedora were to remove nmap, RHEL would have a decision to make. I suppose that's fine, we are talking about Fedora here. But we would at least want RHEL to be aware if that change were to happen.
All the distributors that asked got the exception. I believe at one point it was even publicly stated that everyone could do this without requesting it after so many asked.
-- 真実はいつも一つ!/ Always, there's only one truth!
On Thu, Jul 11, 2024 at 3:48 PM Neal Gompa ngompa13@gmail.com wrote:
> All the distributors that asked got the exception. I believe at one point it was even publicly stated that everyone could do this without requesting it after so many asked.
Unless that exception can be passed to those using the sources/packages that Fedora provides without any further limitations, it still feels like there still exists a field-of-use restriction (and would be considered not-allowed).
But that, ultimately, is a call for Legal to make, who are paid to open the cans of worms and make the tough recommendations.
On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa ngompa13@gmail.com wrote:
> All the distributors that asked got the exception. I believe at one point it was even publicly stated that everyone could do this without requesting it after so many asked.
A further issue here is that many other distros seem to be assuming that the iterations of the NPSL after the universally-condemned NPSL 0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what this is based on beyond a well-meaning impulse to believe that any change to NPSL 0.92 must have been good enough.
Richard
On 7/11/24 21:37, Richard Fontana wrote:
> On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa ngompa13@gmail.com wrote:
> > All the distributors that asked got the exception. I believe at one point it was even publicly stated that everyone could do this without requesting it after so many asked.
> A further issue here is that many other distros seem to be assuming that the iterations of the NPSL after the universally-condemned NPSL 0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what this is based on beyond a well-meaning impulse to believe that any change to NPSL 0.92 must have been good enough.
Yes. Also, if every distribution that requested the exception got the exception why does this license even need to exist? If granting exceptions is normal but also allowing continued use of NPSL could lead to unusual and/or unresolvable situations with downstream modifications being under an NPSL variant or under _what_ for those granted an exception.
Fedora can't be parked on nmap 7.92 forever, which is why I go back to removal from Fedora unless a subset of us want to have a conversation with upstream about licensing and try to get nmap under more acceptable terms.