[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: License issues with metasploit-framework

On Tue, 25 Jul 2006 19:09:46 +0100 James Westby wrote:

> On (19/07/06 01:26), Francesco Poli wrote:
> > On Tue, 18 Jul 2006 12:38:37 +0100 James Westby wrote:
> > What does the "Authors field below" say?
> > Is there one?
> > 
> > If there is, then you (we) have to check whether it defines a
> > licensing scheme which is DFSG-free and compatible with the rest of
> > the framework.
> > 
> > If there isn't, then it's more or less OK, with the above-mentioned
> > warning (being explicit would be far better).
> > 
> Sorry, I neglected to say that these files don't have an explicit
> license. It appears as those these files are created from a template
> that includes this statement.

Then it seems we are in case 2: more or less OK, with the
above-mentioned warning (being explicit would be far better), as I
previously said.

> > It lacks (at least) permission to modify and distributed modified
> > versions (see DFSG#3).
> > It doesn't even clearly grant permission to distribute (see DFSG#1):
> > "Distribute" seems like an order, not a permission!
> > I don't understand the visit part...  :-/
> > 
> > Upstream should be contacted and asked to relicense this file.
> > Or, as usual, this file could be dropped or replaced.
> There is a README file along with this one, that says simply.
>   These are not the codes you are looking for....
> Which suggests that upstream do not hold the copyright and realise
> they are distributing it even though it appears to be prohibited.

To me, this suggests that upstream loves paraphrasing _Star Wars_...

Seriously, if you have reason to believe that Debian (and upstream) have
no permission to distribute this file, then, well, Debian should *not*
distribute it!
At least, until a clarification is obtained...

> > If the actual source for those binaries is not available, we are
> > going very far from DFSG compliance (see DFSG#2).
> > Upstream should be got in touch with and asked for source under
> > a DFSG-free and {GPLv2/Artistic}-compatible license.
> > 
> > Alternatively those binaries should be dropped or replaced.
> >
> I'm sure the sources exist somewhere, and could be included upstream.
> though it is possible that they are the preferred form for
> modification, and a hex editor was used to create them. I think most
> of them are shellcode type things.

If they are normally modified by upstream in binary form, then no
problem at all, their source code ("the preferred form for making
modifications") is indeed in binary form.

Otherwise, what I stated above applies.

> > It's up to you to decide whether it's worth fixing this melting pot
> > of copyrights and licenses.
> I will now talk to Luciano (owner of the ITP) and see what he thinks
> is the best way forward. I am sure we will contact upstream and see if
> they are willing to make the changes to either/both versions.


> > It would really be appreciated if you tried to persuade upstream to
> > adopt a well-established and clearly DFSG-free license, instead of
> > writing their own.
> That would be great, but they went to the trouble of writing the
> thing, so maybe they want to use it.

It seems that they want to, but, believe me, it's a mistake!
And upstream should be convinced to undo that move...

> Thanks to all those who replied to this thread and gave their
> opinions. It is all clearer now, and hopefully we can get this sorted
> out.

You are welcome!  :)

> I think this is the only piece of (supposedly) free software from
> the top 50 of the recent security tools survey not included in Debian.

Well, let's hope it can be turned into actual Free Software and be
included in Debian!


But it is also tradition that times *must* and always
do change, my friend.   -- from _Coming to America_
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Attachment: pgpo7bhx6MrfH.pgp
Description: PGP signature

Reply to: