
Re: "freenginx" open source package and "nginx" from F5 open source, potential conflict?



First off, I don't know anyone involved in this.

On 2024-02-26 11:49, Thomas Ward wrote:

Back on February 14th, an email went to the standard NGINX mailing list that NGINX (F5) open source development changed a lot of policies and interfered with security policy use cases

I don't know what other factors lead to the fork, but as far as the security policy thing goes...

Note that, per Maxim's own statement, the security policy disagreement is that he did NOT want to issue CVEs because the code was marked "experimental": https://mailman.nginx.org/pipermail/nginx/2024-February/FRVX4M5JLFSFESRG7RLWWRBZ6D4AKKQU.html

MZMegaZone on Hacker News claims to be the person at F5 on the other side of that. Here's the top-level article:
https://news.ycombinator.com/item?id=39373327

These two sub-threads are most relevant:
https://news.ycombinator.com/item?id=39373834
https://news.ycombinator.com/item?id=39373966

As MZMegaZone said, "Honestly, anyone could have gone to a CNA and demanded a CVE and he would not have been able to stop it. That's how it works." As I replied there, "I recently did exactly that when a vendor refused to obtain a CVE themselves."

MZMegaZone also said, "Also, something that keeps getting lost here, the CVE is NOT just against NGINX OSS, but also NGINX+, the commercial product. And the packaging, release, and messaging on that is a bit different. That had to be part of the decision process too. Since it is the same code the CVE applies to both." And in another comment, "We know a number of customers/users have the code in production, experimental or not. And that was part of decision process. The security advisories we published do state the feature is experimental."

So, in effect, Maxim seems to have wanted F5 to either NOT publish a security vulnerability for their commercial product, knowing their customers/users had this code in production, or to issue a CVE for the commercial product but not the underlying OSS project with the exact same code. Neither of those makes any sense to me.


So, before I follow through with Debian packaging (which would be synced to Ubuntu downstream), may I get the opinion of debian-legal on whether there’s any copyright or trademark violation concerns that exist before I pursue getting this into Debian?

I'm not a lawyer, but it sure seems like an obvious trademark problem to me. In my opinion, Maxim really should pick a brand new name if he's serious about this as an ongoing project.

Does Canonical have lawyers you could ask?

-- 
Richard
