Re: "freenginx" open source package and "nginx" from F5 open source, potential conflict?
First off, I don't know anyone involved in this.
On 2024-02-26 11:49, Thomas Ward wrote:
> Back on February 14th, an email
> went to the standard NGINX mailing list that NGINX (F5) open
> source development changed a lot of policies and interfered
> with security policy use cases
I don't know what other factors led to
the fork, but as far as the security policy thing goes...
These two sub-threads are most
relevant:
As MZMegaZone said, "Honestly, anyone
could have gone to a CNA and demanded a CVE and he would not have
been able to stop it. That's how it works." As I replied there, "I
recently did exactly that when a vendor refused to obtain a CVE
themselves."
MZMegaZone also said, "Also, something
that keeps getting lost here, the CVE is NOT just against NGINX
OSS, but also NGINX+, the commercial product. And the packaging,
release, and messaging on that is a bit different. That had to be
part of the decision process too. Since it is the same code the
CVE applies to both." And in another comment, "We know a number of
customers/users have the code in production, experimental or not.
And that was part of decision process. The security advisories we
published do state the feature is experimental."
So, in effect, Maxim seems to have
wanted F5 to either NOT publish a security vulnerability for their
commercial product, knowing their customers/users had this code in
production, or to issue a CVE for the commercial product but not
the underlying OSS project with the exact same code. Neither of
those makes any sense to me.
> So, before I follow through with Debian
> packaging (which would be synced to Ubuntu downstream), may I
> get the opinion of debian-legal on whether there’s any
> copyright or trademark violation concerns that exist before I
> pursue getting this into Debian?
I'm not a lawyer, but it sure seems like an obvious trademark
problem to me. In my opinion, Maxim really should pick a brand new
name if he's serious about this as an ongoing project.
Does Canonical have lawyers you could ask?
--
Richard