[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: License issues with metasploit-framework

On (19/07/06 01:26), Francesco Poli wrote:
> On Tue, 18 Jul 2006 12:38:37 +0100 James Westby wrote:
> What does the "Authors field below" say?
> Is there one?
> If there is, then you (we) have to check whether it defines a licensing
> scheme which is DFSG-free and compatible with the rest of the framework.
> If there isn't, then it's more or less OK, with the above-mentioned
> warning (being explicit would be far better).

Sorry, I neglected to say that these files don't have an explicit
license. It appears as those these files are created from a template
that includes this statement.

> It lacks (at least) permission to modify and distributed modified
> versions (see DFSG#3).
> It doesn't even clearly grant permission to distribute (see DFSG#1):
> "Distribute" seems like an order, not a permission!
> I don't understand the visit part...  :-/
> Upstream should be contacted and asked to relicense this file.
> Or, as usual, this file could be dropped or replaced.

There is a README file along with this one, that says simply.

  These are not the codes you are looking for....

Which suggests that upstream do not hold the copyright and realise they
are distributing it even though it appears to be prohibited.

> > 
> > There are also binary files distributed in the tarball, these are not
> > meant to be compiled, as they are for executing on the target
> > computer. I'm not sure how this sits, as they are obviously not the
> > preferred form of modification, and some don't include the source they
> > were compiled from.
> If the actual source for those binaries is not available, we are going
> very far from DFSG compliance (see DFSG#2).
> Upstream should be got in touch with and asked for source under
> a DFSG-free and {GPLv2/Artistic}-compatible license.
> Alternatively those binaries should be dropped or replaced.

I'm sure the sources exist somewhere, and could be included upstream.
though it is possible that they are the preferred form for modification,
and a hex editor was used to create them. I think most of them are
shellcode type things.

> > 
> > Now, we could contact upstream and get them to include proper headers
> > etc., but I wanted to know how much of this was unsuitable for
> > distribution, as if it leaves a severely crippled package then it's
> > not really worth it.
> It's up to you to decide whether it's worth fixing this melting pot of
> copyrights and licenses.

I will now talk to Luciano (owner of the ITP) and see what he thinks is
the best way forward. I am sure we will contact upstream and see if they
are willing to make the changes to either/both versions.

> It would really be appreciated if you tried to persuade upstream to
> adopt a well-established and clearly DFSG-free license, instead of
> writing their own.

That would be great, but they went to the trouble of writing the thing,
so maybe they want to use it. 

Thanks to all those who replied to this thread and gave their opinions.
It is all clearer now, and hopefully we can get this sorted out. I think
this is the only piece of (supposedly) free software from the top 50 of
the recent security tools survey not included in Debian.

Thanks again,


  James Westby

Reply to: