
Re: FW: Re: debian & portsentry



Hi Craig,

> > Are you in any way interested to see portsentry included in the next
> > official debian release. I (but not just me) would really like to include
> > portsentry into the upcoming release (potato), but this would require some
> > rather small changes in the copyright to meet the debian policy.
>
> I would love for this to happen. The main problem is the license. My
> software is not GNU/BSD. This is for a variety of reasons:
>
> 1) I need to ensure code integrity because of the nature of the tool. If a
> person makes a change to the code that seriously hurts security it
> reflects poorly on me. I've had some patch submissions that did exactly
> that (one even introduced a remote root exploit!!). I need to ensure that
> I maintain control over all versions where possible.

This is a substantial concern, and one which I think others have also faced.  One
solution which seems to work well is to keep the PortSentry name a certification
mark belonging to you, and subject to your approval for use.  On the other hand,
you can allow unapproved patches to be made to PortSentry on the conditions that:

1) Source patches be packaged separately from the official source (not preferred);
and/or that

2) Binary distribution of derivatives be clearly marked as "Derived from
PortSentry."

> 2) I work for Cisco Systems Inc. and specifically do development work on
> intrusion detection and vulnerability assessment tools
> (NetRanger/NetSonar). I need to make sure nobody bundles all my tools
> together and sells them separately. This is a conflict of interest and
> could get me fired. My employment contract specifically excludes my tools
> to protect myself and my end users, but I don't want to stir up any
> problems where none exist.

Well, I cannot comment on the specifics of your employment contract, of course.
But it seems to me that if you use a GPL-type license which requires that
PortSentry be distributed with source code, or with an offer to provide source
code, and that all such distribution be made under your license which ensures that
there is no misunderstanding as to the free nature of the software, you should be
fine.  But if you are concerned about this, why not discuss it with Cisco's legal
department?  They may be very happy to get some good press out of this, so long as
their proprietary IP is not compromised.

> I would be happy to discuss these issues directly with anyone from the
> Debian team. Perhaps a compromise can be reached somehow. You can see from
> the license that I want to encourage the free OS's to use the tools
> because of the value they have given to me. I'm very flexible in many
> respects to this and I need to think about the entire issue some more to
> decide what to do. Perhaps the person from Debian who is responsible for
> this decision can write me so we can chat?

Debian isn't quite so organized as that - as a completely volunteer organization,
we all contribute as we can.  Most decisions of this nature tend to be a matter of
consensus.  What is certain is that in order for PortSentry to be included in
Debian's main distribution, it must not prevent modification or sale.  This,
however, does not prevent you from making restrictions upon the use of your name or
that of your product.  Hopefully, this will give you some room to find a solution
which respects your interests fully, while further benefiting the open source
community.


