Debian Bug report logs - #291658
nessus-plugins: Some NASL plugins in release 2.2.2a (and later) are non-free

Package: nessus-plugins; Maintainer for nessus-plugins is (unknown);

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 22 Jan 2005 07:33:01 UTC

Severity: normal

Fixed in version nessus-plugins/2.2.3-1

Done: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#291658; Package nessus-plugins.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nessus-plugins: non-free
Date: Sat, 22 Jan 2005 08:26:39 +0100
Package: nessus-plugins
Severity: serious
Justification: Policy 2.2.1

Upstream claims that large parts of nessus-plugins have never been
licensed under the GPL.  The copyright status of many NASL scripts is
indeed very unclear.

The new upstream license does not give permission to redistribute, so
it's not suitable for non-free either.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-rc1fw
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#291658; Package nessus-plugins.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #10 received at 291658@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Florian Weimer <fw@deneb.enyo.de>, 291658@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#291658: nessus-plugins: non-free
Date: Sat, 22 Jan 2005 15:37:28 +0100
severity 291658 normal
retitle 291658 nessus-plugins: Some NASL plugins in release 2.2.2a (and later) are non-free
thanks

On Sat, Jan 22, 2005 at 08:26:39AM +0100, Florian Weimer wrote:
> 
> Upstream claims that large parts of nessus-plugins have never been
> licensed under the GPL.  The copyright status of many NASL scripts is
> indeed very unclear.

This claim only applies to post-2.2.2a releases, as you can see from the
COPYING license of all the ftp sources in nessus.org (pre-2.2.2a). Upstream
(that is, Renaud Deraison) has not changed those. So they still apply. 

Moreover, the copyright status of the NASL scripts is not unclear
(copyright holders are stated for all of the scripts). The license status,
however, has changed for some of the NASL scripts in 2.2.2a (and 2.3). 
For previous releases the "Nessus Script License" = GPL. Debian currently 
distributes 2.2.2 BTW.

> The new upstream license does not give permission to redistribute, so
> it's not suitable for non-free either.

Correct, the _new_ one, which does not apply retroactively to all other
versions (note again that upstream has not changed the copyright statements
in those).  That's why I haven't packaged 2.2.2a yet. I will probably
repackage that version with only a _very_ limited number of plugins and
tell users to go and download them if they want the non-free scripts.

In any case, if you are interested, upstream has not contacted the writers
of some NASL scripts (me included) before re-licensing them. So this
relicensing might not even be valid in some cases, only for those plugins
which are copyrighted by Tenable or Renaud (the majority, however

As I said before for the 2.3 release I will repackage the NASL scripts and
only provide in the archive those that have been determined to be free
(i.e. GPL or BSD licensed). 

Regards

Javier

Severity set to `normal'. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org.

Changed Bug title. Request was from Javier Fernández-Sanguino Peña <jfs@computer.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#291658; Package nessus-plugins.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #19 received at 291658@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 291658@bugs.debian.org
Subject: Re: Bug#291658: nessus-plugins: non-free
Date: Sat, 22 Jan 2005 15:52:14 +0100
* Javier Fernández-Sanguino Peña:

>> Upstream claims that large parts of nessus-plugins have never been
>> licensed under the GPL.  The copyright status of many NASL scripts is
>> indeed very unclear.
>
> This claim only applies to post-2.2.2a releases, as you can see from the
> COPYING license of all the ftp sources in nessus.org (pre-2.2.2a). Upstream
> (that is, Renaud Deraison) has not changed those. So they still apply. 

Tenable claims that the GPL has never applied to their plugins, only
to the plugins that were explicitly released under the GPL.

> Moreover, the copyright status of the NASL scripts is not unclear
> (copyright holders are stated for all of the scripts). The license status,
> however, has changed for some of the NASL scripts in 2.2.2a (and 2.3). 
> For previous releases the "Nessus Script License" = GPL. Debian currently 
> distributes 2.2.2 BTW.

From what information do you infer this?

The plugins I'm most interested in are:

#
# (C) Tenable Network Security
#
# v1.2: use the same requests as MS checktool
# v1.16: use one of eEye's request when a null session can't be established
#

(msrpc_dcom2.nasl)

#
# This script is (C) Tenable Network Security
# 10/22/2003 updated by KK Liu 10/22/2003
#       - check messenger service, if not on - exit
#       - check Windows OS 
#

(messenger_ms03-043.nasl)

#
# (C) Renaud Deraison
#

(http_asn1_decoding.nasl)

I doubt we can say for sure that these plugins were covered by the
GPL, even though they are distributed in a tarball which happens to
contain a COPYING file.



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#291658; Package nessus-plugins.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #24 received at 291658@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 291658@bugs.debian.org
Subject: Re: Bug#291658: nessus-plugins: non-free
Date: Sat, 22 Jan 2005 19:39:24 +0100
On Sat, Jan 22, 2005 at 03:52:14PM +0100, Florian Weimer wrote:
> 
> Tenable claims that the GPL has never applied to their plugins, only
> to the plugins that were explicitly released under the GPL.

That claim is really not true, since the "Nessus Script License" was (until
recently) equivalent to the GPL. All plugin developers (me included) have
contributed stuff to plugins based on that. Licensing of plugins has been
discussed previously in the nessus-plugins mailing lists, there was even a
discussion back in 2001 when Renaud was considering changing its license,
please read:

http://archives.neohapsis.com/archives/apps/nessus/2001-q2/0434.html

In that mail upstream (i.e. Renaud) explicitly says that the plugins are 
distributed through the GPL.

> From what information do you infer this?
> 
> The plugins I'm most interested in are:
(..)

Those plugins are (c) Tenable or Renaud. Notice that there is no license 
statement in the source code and that they are distributed in 2.1.0 (in 
ftp.nessus.org) with a 'COPYING' file that states they _are_ GPLd.

If upstream does want to relicense these plugins (which it can do, as it 
has (c) on them) then they should also repackage all of those available in 
the public ftp server. So far, they have not done such a thing.

The license issues with the plugins are there, however, in the 2.2.2a and
2.3 release (not packaged in Debian). The plugins distributed with 2.3 have
a different license (the new one "Tenable's Public License") but that
contradicts the license in the code of some of the plugins (both NASL
scripts and .c plugins). It is also incompatible with the GPL and that
makes some plugins' status unclear (specifically .c plugins which are
compiled with libnasl). Again, this applies to 2.3 and 2.2.2a, not to
earlier releases.

As for NASL scripts, here is the breakdown of licenses in 2.3:

- BSD 1
- GPL 455
- Nessus Script License 5188
- UNLICENSED 295

This is not the first time upstream has changed a license to a package
(check out OpenBSD's pf [1] and Xfree86) but, IMHO, license changes do not
apply to whatever was distributed (and still is) with a different license.
Copyright holders obviously can re-license stuff, but they've had no
interest in doing it (as the public ftp shows).

The situation of Nessus in Debian, however, could change if all the source
code at ftp.nessus.org were to be relicensed (which is not the case yet). 
I just hope upstream will divide the nessus-plugins tar into a GPL and 
non-gpl archive to help distributions decide which parts are or aren't 
distributable.

Regards

Javier


[1] slashdot.org/article.pl?sid=01/06/25/1557213


Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#291658; Package nessus-plugins.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #29 received at 291658@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Javier Fernández-Sanguino Peña <jfs@computer.org>
Cc: 291658@bugs.debian.org
Subject: Re: Bug#291658: nessus-plugins: non-free
Date: Sat, 22 Jan 2005 19:47:04 +0100
* Javier Fernández-Sanguino Peña:

> On Sat, Jan 22, 2005 at 03:52:14PM +0100, Florian Weimer wrote:
>> 
>> Tenable claims that the GPL has never applied to their plugins, only
>> to the plugins that were explicitly released under the GPL.
>
> That claim is really not true, since the "Nessus Script License" was (until
> recently) equivalent to the GPL. All plugin developers (me included) have
> contributed stuff to plugins based on that. Licensing of plugins has been
> discussed previously in the nessus-plugins mailing lists, there was even a
> discussion back in 2001 when Renaud was considering changing its license,
> please read:
>
> http://archives.neohapsis.com/archives/apps/nessus/2001-q2/0434.html

Tenable Network Security claims this relicensing never happened for
the plugins.  (I've asked them.)

Mere aggregation with GPL-covered works does not cause software to
fall under the GPL automatically, so Debian is unfortunately on rather
thin ice. 8-(



Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <joy-packages@debian.org>:
Bug#291658; Package nessus-plugins.

Acknowledgement sent to Javier Fernández-Sanguino Peña <jfs@computer.org>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <joy-packages@debian.org>.

Message #34 received at 291658@bugs.debian.org:

From: Javier Fernández-Sanguino Peña <jfs@computer.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 291658@bugs.debian.org
Subject: Re: Bug#291658: nessus-plugins: non-free
Date: Sun, 23 Jan 2005 02:14:59 +0100
On Sat, Jan 22, 2005 at 07:47:04PM +0100, Florian Weimer wrote:
> Tenable Network Security claims this relicensing never happened for
> the plugins.  (I've asked them.)

Plugins were never distributed under any other license, for all
contributors to the Nessus project the "Nessus Script License" was just the
GPL. Upstream (Renaud) made this clear in the mailing lists a couple of
times.

Nobody from upstream has spoken up saying that whoever (pre-2.2.2a) was
distributing these plugins was not doing it correctly. Renaud (and Tenable)
were very much aware that Debian, FreeBSD as well as other commercial Linux
distributions (like SuSE) have been providing Nessus and all its plugins in
their distributions for quite some time. Certainly, if they had any issue
with that they should have brought it out a long time ago.

The fact is, some plugins in the new release (2.3) as well as the new plugins
that are being produced have been relicensed, plugins in previous releases
have not. Debian is still distributing the old releases.

I'm not sure if I will be providing new releases but when I do, only
plugins that are free in that release will be included.

If upstream has failed to add a proper license to the plugins then they
should fix it properly. Many plugins' code (even in the 2.3 release) refers
to the "Nessus Script License".

Feel free to check out the (free) GPL feed which is available at
http://www.nessus.org/nasl/all-2.0.tar.gz. You'll find a number of plugins
licensed under the "Nessus Script License", including some of those you are
interested in.


The new license restrictions do apply to the "feeds" of nessus plugins
(what you can download from the Internet). People downloading new plugins
will need to register to the feed if they want the full list of plugins. If
you are using the nessus-update-plugins script from the 2.2.2 release you
shouldn't be able to download plugins you have not registered for (since
those are distributed through a different mechanism and you need
nessus-fetch for those) and you will only get the free "GPL feed".

Hope I have cleared this up. If you still believe otherwise feel free to 
bring this issue up in Nessus' public mailing list.

Regards

Javier

PS: Who have you asked at Tenable? Maybe they should clear this mess up.

Reply sent to Javier Fernandez-Sanguino Pen~a <jfs@computer.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #39 received at 291658-close@bugs.debian.org:

From: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
To: 291658-close@bugs.debian.org
Subject: Bug#291658: fixed in nessus-plugins 2.2.3-1
Date: Sat, 12 Feb 2005 22:02:39 -0500
Source: nessus-plugins
Source-Version: 2.2.3-1

We believe that the bug you reported is fixed in the latest version of
nessus-plugins, which is due to be installed in the Debian FTP archive:

nessus-plugins_2.2.3-1.diff.gz
  to pool/main/n/nessus-plugins/nessus-plugins_2.2.3-1.diff.gz
nessus-plugins_2.2.3-1.dsc
  to pool/main/n/nessus-plugins/nessus-plugins_2.2.3-1.dsc
nessus-plugins_2.2.3-1_i386.deb
  to pool/main/n/nessus-plugins/nessus-plugins_2.2.3-1_i386.deb
nessus-plugins_2.2.3.orig.tar.gz
  to pool/main/n/nessus-plugins/nessus-plugins_2.2.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 291658@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@computer.org> (supplier of updated nessus-plugins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 12 Feb 2005 22:37:40 +0100
Source: nessus-plugins
Binary: nessus-plugins
Architecture: source i386
Version: 2.2.3-1
Distribution: unstable
Urgency: high
Maintainer: Josip Rodin <joy-packages@debian.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Description: 
 nessus-plugins - Nessus plugins
Closes: 281444 291658
Changes: 
 nessus-plugins (2.2.3-1) unstable; urgency=high
 .
   * New upstream release
     (Priority set to high since this new version removes code which
     was not free)
   * This new version includes only the GPL licensed plugins, added
     a debian/NEWS file describing the current situation regarding
     plugin licenses, also updated the debian/copyright file
     (Closes: #291658)
   * Removed Hydra from the distribution (including original sources
     which have been repacked) since Hydra is not really free, see
     bug #258057)
   * Do not move the .desc directory when relocating plugins from
     the old location to the new one (Closes: #281444)
   * Introduce a nessus-update-plugins-gpl (based on nessus-update-plugins
     of previous release) for those that only want to download the latest
     GPL feed and not use nessus-fetch. Since nessus-fetch is provided
     by nessus-core (>= 2.2.3) and we do not want to depend on it.
   * Build-Depend on libpcap0.8-dev | libpcap-dev
   * Adjust scripts/gpl_feed.nasl so that it fits properly on a terminal
     (75 chars per line)
Files: 
 4e74608a19197c3906bba8d30204f23a 885 admin optional nessus-plugins_2.2.3-1.dsc
 e58fed95aa7df8b1ceba7446c2d0e8ab 1430449 admin optional nessus-plugins_2.2.3.orig.tar.gz
 a95aa1bc7914d71afe3bf0603d04e3c1 329953 admin optional nessus-plugins_2.2.3-1.diff.gz
 2b3c09b4f06fd32a9e471bda1929d7c0 1416310 admin optional nessus-plugins_2.2.3-1_i386.deb






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:13:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.