On Tue, 18 Jul 2006 12:38:37 +0100 James Westby wrote:
My analysis of The Metasploit Framework License v1.0 follows.
Executive summary
=================
This license is definitely non-DFSG-free and should be avoided.
A work released under this license should not be distributed by Debian
(not even in non-free, because of the choice of venue and the
click-through mechanism).
Please persuade upstream to drop this license entirely and to adopt a
well-known and clearly DFSG-free license, instead.
Details
=======
[...]
> ===
> The Metasploit Framework License v1.0
> Copyright (C) 2006 Metasploit LLC
[...]
> c. "Extension" means any enhancement to the Software that does not
> require modification of the Software itself. "Extensions" include any
> module or plug-in that is intended (by design and coding) to, or can,
> be dynamically loaded by the Software.
This definition seems to be rather broad: for instance, any module or
plug-in that *can* be dynamically loaded by the Software is regarded as
an "Extension", even if it was created independently and happens to be
loadable (say, because it adheres to a published standard interface, or
something).
[...]
> h. "Interface" means to execute, parse, or otherwise benefit from
> the use of the Software.
>
> i. "Interaction Software" means any external software program or
> library that interfaces with, but is not a component or subset of, the
> Software.
These two definitions seem to be really broad: even a shell script could
execute the Framework as soon as the Framework includes a small
command-line tool.
Such a shell script would then be "Interaction Software"...
>
>
> License Grants
>
> 1. Provided that You both agree to and do comply with any and all
> conditions and requirements in this License, You are granted the
> non-exclusive rights specified in this License. Use of any of the
> Software in any form and to any extent signifies acceptance of this
> License. If You do not agree to all of these terms, then do not use
> the Software and immediately remove all copies of the Software, the
> Documentation, and any other items provided under the License.
Not a good start: acceptance of the license is claimed to be necessary
even for mere use of the Software...
>
> 2. Provided that -each- of the following necessary, express
> conditions are met, You may copy and distribute the Software:
[...]
> b. The Software is distributed without any charge, beyond (at
> Your option) the reasonable costs of data transfer or storage media.
> You may -not- (i) sell, lease, rent, or otherwise charge for the
> Software, (ii) include any component or subset of the Software in any
> commercial application or product, or (iii) sell, lease, rent, or
> otherwise charge for any appliance (i.e., hardware, peripheral,
> personal digital device, or other electronic product) that includes
> any component or subset of the Software.
This clause is definitely non-free, as it fails DFSG#1.
>
> 3. You -may- use the Software to provide some service(s) and
> charge
> for the service(s), provided that the recipient of the service is
> clearly informed in writing (including via electronic notice or
> on-screen display, without paper notice) of both (a) the existence,
> name/trademark, and use of the Software in relation to the service and
> (b) where the recipient of the service may obtain a copy of the
> Software (e.g., refer them to www.metasploit.com).
This clause puts significant restrictions on mere use of the Software:
non-free (it could fail DFSG#6, in some scenarios).
>
> 4. You may make modifications (i.e., additions) to the Software
> and
> distribute Your modifications, but solely in a form that is -separate-
> from the Software, such as patches. The following restrictions apply
> to modifications:
[...]
This clause fails DFSG#4, because it does *not* "explicitly permit
distribution of software built from modified source code".
Again non-free.
> 5. You may develop Extensions to the Software and distribute these
> Extensions under any license You see fit, as long as -each- of the
> following conditions are met:
>
> a. The Extension, when installed with the Software, must -not-
> modify any of the behavior (change the display, modify the available
> commands, etc) of the Software until the user explicitly requests
> (e.g., by invoking or exercising a command or feature are a screen
> display or other express notification of the new code's existence and
> function) that the Extension should be activated.
These restrictions on what can be done in an "Extension" are broader
than the ones that hold for patches. This is awkward and possibly
non-free: in some scenarios an "Extension" could be regarded as
basically independent software and hence this clause could fail DFSG#9.
[...]
>
> 6. You may develop external software components that interface
> with
> the Software and distribute these components, provided that -each- of
> the following conditions are met:
>
> a. The external software component is distributed without any
> charge beyond the reasonable costs of data transfer or storage media.
> You may not sell the external software component or sell an appliance
> that includes the software component.
Again fails DFSG#1.
[...]
> Online Updates
>
> The Software includes the ability to download updates (i.e.,
> additional code) from the Developer's server(s). These updates may
> contain bug fixes, new functionality, updated Documentation, and/or
> Extensions. When retrieving these updates, the Software may transmit
> the Software version and operating system information from Your
> computer to the update server. The server may record (store) this
> information, in conjunction with the IP (global Internet Protocol)
> address of the user, in order to attempt to maintain accurate end user
> / version statistics. By using the online update feature, You hereby
> agree to allow this information to be transmitted, recorded, and
> stored in any nation by or for the Developer.
This clause does not belong in the license, as it's not a condition for
the Software, but rather a condition for using a service.
BTW, for privacy's sake, everybody should *avoid* this Online
Updates service!
> Proper Use
>
> As an express condition of this License, You agree that You will
> use
> the Software -solely- in compliance with all then-applicable local,
> state, national, and international laws, rules and regulations as may
> be amended or supplemented from time to time, including any
> then-current laws and/or regulations regarding the transmission and/or
> encryption of technical data exported from or imported into Your
> country of residence. Violation of any of the foregoing may result in
> immediate, automatic termination of this License without notice, and
> may subject You to state, national and/or international penalties and
> other legal consequences.
This clause enforces local, state, national, and international laws,
rules and regulations as a condition for getting the license
permissions.
This is non-free, because it adds arbitrary penalties (such as license
termination) to the ones already specified by laws.
[...]
> Choice of Law; Venue
[...]
> Any litigation related to this License must be filed and heard in the
> courts for Travis County, Texas.
This is a choice of venue, which is non-free (it requires users to
travel even across oceans in order to defend theirselves from possibly
frivolous lawsuits).
>
> To download version 3.0 of the Metasploit Framework, you must
> acknowledge your acceptance of this license by clicking the 'Accept
> this License' button below.
This is a click-wrap license. If it is intended that every redistributor
must enforce a similar click-through mechanism, then Debian cannot
distribute the Software, not even in non-free.
--
:-( This Universe is buggy! Where's the Creator's BTS? ;-)
......................................................................
Francesco Poli GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Attachment:
pgpEVePEHdhsC.pgp
Description: PGP signature