Debian Bug report logs - #972216
nmap: New NPSL 0.92 license likely non-free


Package: nmap; Maintainer for nmap is Debian Security Tools <team+pkg-security@tracker.debian.org>; Source for nmap is src:nmap.

Reported by: Göran Weinholt <weinholt@debian.org>

Date: Wed, 14 Oct 2020 17:15:02 UTC

Severity: normal

Found in version nmap/7.91+dfsg1-1

Fixed in version nmap/7.91+dfsg1+really7.80+dfsg1-1

Done: Samuel Henrique <samueloph@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/nmap/nmap/issues/2199



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Wed, 14 Oct 2020 17:15:03 GMT)


Acknowledgement sent to Göran Weinholt <weinholt@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Wed, 14 Oct 2020 17:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Göran Weinholt <weinholt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nmap: New NPSL 0.92 license likely non-free
Date: Wed, 14 Oct 2020 19:10:16 +0200
Package: nmap
Version: 7.91+dfsg1-1
Severity: serious
Justification: DFSG

(Please downgrade or close if I'm wrong about this. I saw on
guix-devel that nmap has a new license and they believe it's non-free,
which I agree with, but I'm no expert, and I'm just filing this bug to
have more eyes on the issue).

Dear maintainer,

The latest nmap is under a new license that seems to go against
DFSG § 1 (Free Redistribution), seems to be intended to go against
DFSG § 6 (No Discrimination Against Fields of Endeavor), and it
could also be argued that it goes against DFSG § 9 (License Must
Not Contaminate Other Software).

An annotated version of the license is available online here:
<https://nmap.org/npsl/npsl-annotated.html>

This line from the annotation is pretty clear:

| Proprietary vendors: This license does not allow you to redistribute
| Nmap source code or the executable for use with your software (stand
| alone or on an appliance). We do sell licenses which permit this,
| and also include support and updates. Dozens of software vendors
| already license Nmap technology such as host discovery, port
| scanning, OS detection, version detection, and the Nmap Scripting
| Engine. Contact sales@nmap.com for a quote.

I did a cursory reading and the trouble mainly seems to come from the
section on derivative works, which has been extended beyond what is
commonly accepted in the community. "Licensor interprets that term
quite broadly," they write, and annotate it with this:

| The idea here is to prevent companies from using open source Nmap in
| their proprietary software or appliances. Some have in the past
| distributed Nmap executables as part of expensive proprietary
| products and refused to make the source available, claiming a
| loophole based on strange interpretations of the GPL definition of
| derivative and collective works. If companies take value from Nmap,
| they need to contribute back to the project and the open source
| community by either making their product/project compatible open
| source or buying a commercial license.

As an example, a proprietary program cannot, according to § 3 of NPSL
0.92, run nmap and parse the output. Even just reading nmap's data
files turns a program into a derivative work. I don't think our users
would accept us leaving such a copyright land mine in main.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Thu, 15 Oct 2020 23:51:04 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Thu, 15 Oct 2020 23:51:04 GMT)


Message #10 received at 972216@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Göran Weinholt <weinholt@debian.org>
Cc: 972216@bugs.debian.org
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Fri, 16 Oct 2020 01:03:45 +0200
control: severity -1 normal

Hi Göran,

thanks for your bug report. I think that the issue is less serious than
it seems at first glance (see below). At the moment, I'm inclined to
update debian/copyright (which must be done anyway), close the issue,
and be done with this.

The alternatives would be to move NMAP to non-free or drop it from
Debian altogether. Or one could try to get into discussions with the
fine folks at Insecure.Com LLC on how to properly write free(ish)
software licenses. I have neither the time nor the energy to do the
latter.

> The latest nmap is under a new license that seems to go against
> DFSG § 1 (Free Redistribution) seems to be intended to go against
> DFSG § 6 (No Discrimination Against Fields of Endeavor), and it
> could also be argued that it goes against DFSG § 9 (License Must
> Not Contaminate Other Software).

While I agree that the license is problematic, this is not entirely new.
Even back in version 5 there was very similar bizarre language (in
main.cc) about somebody's opinions on how the well-established term
"derivative work" is supposed to include merely running a program and
parsing its output.

Every attempt at redefining what "derivative work" means is clumsy at
best, especially while referring to the GPL; however, I don't see any
problems with DFSG§1 or DFSG§6. The annotations are little more than the
expression of the license author's opinion. Sentences that include "The
idea here is…", "To avoid any misunderstandings…", or "we consider…" are
not something that a licensee can reasonably be expected to agree to in
order to accept a software license.

Cheers,
-Hilko



Severity set to 'normal' from 'serious'. Request was from Hilko Bengen <bengen@debian.org> to 972216-submit@bugs.debian.org. (Thu, 15 Oct 2020 23:51:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Sat, 07 Nov 2020 17:03:03 GMT)


Message #15 received at 972216@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: Hilko Bengen <bengen@debian.org>, 972216@bugs.debian.org
Cc: Göran Weinholt <weinholt@debian.org>
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Sat, 7 Nov 2020 18:00:04 +0100
Re: Hilko Bengen
> While I agree that the license is problematic, this is not entirely new.
> Even back in version 5 there was very similar bizarre language (in
> main.cc) about somebody's opinions on how the well-established term
> "derivative work" is supposed to include merely running a program and
> parsing its output.

| Proprietary vendors: This license does not allow for redistributing Nmap for use with (or incorporating it's source code within) proprietary hardware. This includes stand-alone software distribution or inclusion on a hardware appliance, docker container, virtual machine, etc. We do sell licenses which permit this as part of the Nmap OEM program which funds the Nmap Project. [...]

Hi,

while the above excerpt is only the explanation of the license, and
not the license itself, I think it is absolutely clear that including
nmap in anything and selling it as a product is prohibited (even if
the source is included).

I fail to see how that will not immediately render the whole thing
non-free. If something similar used to be in the source code before,
it was already non-free before.

Christoph



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Sat, 07 Nov 2020 18:06:02 GMT)


Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Sat, 07 Nov 2020 18:06:02 GMT)


Message #20 received at 972216@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: Christoph Berg <myon@debian.org>, 972216@bugs.debian.org
Cc: Hilko Bengen <bengen@debian.org>, Göran Weinholt <weinholt@debian.org>
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Sat, 7 Nov 2020 19:03:13 +0100
On 2020-11-07 18:00:04 +0100, Christoph Berg wrote:
> Hi,
> 
> while the above excerpt is only the explanation of the license, and
> not the license itself, I think it is absolutely clear that including
> nmap in anything and selling it as a product is prohibited (even if
> the source is included).
> 
> I fail to see how that will not immediately render the whole thing
> non-free. If something similar used to be in the source code before,
> it was already non-free before.

Yes, it is there, even in Debian/stable (buster), e.g. in
scan_engine.cc:

[...]
 ***********************IMPORTANT NMAP LICENSE TERMS************************
 *                                                                         *
[...]
 * Note that the GPL places important restrictions on "derivative works",  *
 * yet it does not provide a detailed definition of that term.  To avoid   *
 * misunderstandings, we interpret that term as broadly as copyright law   *
 * allows.  For example, we consider an application to constitute a        *
 * derivative work for the purpose of this license if it does any of the   *
 * following with any software or content covered by this license          *
 * ("Covered Software"):                                                   *
 *                                                                         *
 * o Integrates source code from Covered Software.                         *
 *                                                                         *
 * o Reads or includes copyrighted data files, such as Nmap's nmap-os-db   *
 * or nmap-service-probes.                                                 *
 *                                                                         *
 * o Is designed specifically to execute Covered Software and parse the    *
 * results (as opposed to typical shell or execution-menu apps, which will *
 * execute anything you tell them to).                                     *
[...]
 * This list is not exclusive, but is meant to clarify our interpretation  *
 * of derived works with some common examples.  Other people may interpret *
 * the plain GPL differently, so we consider this a special exception to   *
 * the GPL that we apply to Covered Software.  Works which meet any of     *
 * these conditions must conform to all of the terms of this license,      *
 * particularly including the GPL Section 3 requirements of providing      *
 * source code and allowing free redistribution of the work as a whole.    *
[...]

Note that this is described as "NMAP LICENSE TERMS", so that this is
part of the license, IMHO.

This would make the installation of nmap illegal, because arbitrary
software could break the license terms ("Reads copyrighted data files"),
even not on purpose.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Sat, 07 Nov 2020 20:21:03 GMT)


Message #23 received at 972216@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: Vincent Lefevre <vincent@vinc17.net>
Cc: 972216@bugs.debian.org, Hilko Bengen <bengen@debian.org>, Göran Weinholt <weinholt@debian.org>
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Sat, 7 Nov 2020 21:17:00 +0100
Re: Vincent Lefevre
> Yes, it is there, even in Debian/stable (buster), e.g. in
> scan_engine.cc:

Thanks.

>  * o Reads or includes copyrighted data files, such as Nmap's nmap-os-db   *
>  * or nmap-service-probes.                                                 *
>  *                                                                         *
>  * o Is designed specifically to execute Covered Software and parse the    *
>  * results (as opposed to typical shell or execution-menu apps, which will *
>  * execute anything you tell them to).                                     *
> [...]
>  * This list is not exclusive, but is meant to clarify our interpretation  *
>  * of derived works with some common examples.  Other people may interpret *
>  * the plain GPL differently, so we consider this a special exception to   *
>  * the GPL that we apply to Covered Software.  Works which meet any of     *
>  * these conditions must conform to all of the terms of this license,      *
>  * particularly including the GPL Section 3 requirements of providing      *
>  * source code and allowing free redistribution of the work as a whole.    *

That is already weird, but just extends the GPL to other programs even
more than the GPL is usually doing that.

The new license has the same problem, but on top is also clearly
"non-commercial use only":

| Proprietary software companies wishing to use or incorporate Covered
| Software within their programs must contact Licensor to purchase a
| separate license.

| The idea here is to prevent companies from using open source Nmap in
| their proprietary software or appliances.

I don't see how to waive this, there is not even any fuzzy wording
that could be bent to mean something that would be DFSG-compatible.

Christoph



Set Bug forwarded-to-address to 'https://github.com/nmap/nmap/issues/2199'. Request was from Reiner Herrmann <reiner@reiner-h.de> to control@bugs.debian.org. (Mon, 07 Dec 2020 10:09:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Sat, 09 Jan 2021 22:12:03 GMT)


Acknowledgement sent to Fabrice BAUZAC <noon@mykolab.com>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Sat, 09 Jan 2021 22:12:03 GMT)


Message #30 received at 972216@bugs.debian.org:

From: Fabrice BAUZAC <noon@mykolab.com>
To: 972216@bugs.debian.org
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Sat, 09 Jan 2021 23:08:28 +0100
FWIW, Fedora has just ruled out nmap:

https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/GZIDC4DHXZP67LFU7P2OT2AQVDJRHZ2M/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Sat, 09 Jan 2021 22:27:02 GMT)


Acknowledgement sent to Fabrice BAUZAC <noon@mykolab.com>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Sat, 09 Jan 2021 22:27:02 GMT)


Message #35 received at 972216@bugs.debian.org:

From: Fabrice BAUZAC <noon@mykolab.com>
To: 972216@bugs.debian.org
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Sat, 09 Jan 2021 23:25:06 +0100
FYI there is also a thread "nmap is non-free software" in:

https://lists.defectivebydesign.org/archive/html/directory-discuss/2021-01/threads.html

Apparently [1] the nmap author is listening to complaints and will
change license terms:

    [...] I understand how the current license wording could
    give that interpretation, but it's not what we meant.  Instead of
    mentioning the "software" of "proprietary software companies", it should
    probably mention the "proprietary software" of "software companies".
    Because as you noted, a "proprietary software company" might still make
    some free software too.  And maybe a "free software company" could still
    have some non-free products.  I'll try to fix this before the next Nmap
    release.

[1] https://lists.defectivebydesign.org/archive/html/directory-discuss/2021-01/msg00012.html



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#972216; Package nmap. (Sat, 09 Jan 2021 22:33:07 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Sat, 09 Jan 2021 22:33:07 GMT)


Message #40 received at 972216@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Fabrice BAUZAC <noon@mykolab.com>, 972216@bugs.debian.org
Subject: Re: Bug#972216: nmap: New NPSL 0.92 license likely non-free
Date: Sat, 9 Jan 2021 23:32:40 +0100
Hi,

Fabrice BAUZAC wrote:
> FYI there is also a thread "nmap is non-free software" in:
> 
> https://lists.defectivebydesign.org/archive/html/directory-discuss/2021-01/threads.html
> 
> Apparently [1] the nmap author is listening to complaints and will
> change license terms:

Yep, there is a rather constructive discussion on
https://github.com/nmap/nmap/issues/2199

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Reply sent to Samuel Henrique <samueloph@debian.org>:
You have taken responsibility. (Tue, 02 Feb 2021 23:09:09 GMT)


Notification sent to Göran Weinholt <weinholt@debian.org>:
Bug acknowledged by developer. (Tue, 02 Feb 2021 23:09:09 GMT)


Message #45 received at 972216-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 972216-close@bugs.debian.org
Subject: Bug#972216: fixed in nmap 7.91+dfsg1+really7.80+dfsg1-1
Date: Tue, 02 Feb 2021 23:06:38 +0000
Source: nmap
Source-Version: 7.91+dfsg1+really7.80+dfsg1-1
Done: Samuel Henrique <samueloph@debian.org>

We believe that the bug you reported is fixed in the latest version of
nmap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972216@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <samueloph@debian.org> (supplier of updated nmap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 02 Feb 2021 22:01:01 +0000
Source: nmap
Architecture: source
Version: 7.91+dfsg1+really7.80+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 972216
Changes:
 nmap (7.91+dfsg1+really7.80+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version 7.91+dfsg1+really7.80+dfsg1
     - Rolling back to 7.80 as the latest version has a license issue which
       most likely makes nmap not compatible with the DFSG. There are still
       discussions ongoing and upstream is deciding on what to do, meanwhile
       we are rolling back to the previous release as we are getting close
       to bullseye becoming stable. More info at the bug this is closing or
       at upstream discussion on github:
       https://github.com/nmap/nmap/issues/2199
       (closes: #972216)
   * Bump Standards-Version to 4.5.1
   * Revert "Update patches; add patch to fix automake breakage" due
     to the rollback
Checksums-Sha1:
 92da02872bea3bd454c8b5314a8398e868e40d55 2394 nmap_7.91+dfsg1+really7.80+dfsg1-1.dsc
 a268cef9b1cda2bb3b836de029f7b03cff5f73fe 7776928 nmap_7.91+dfsg1+really7.80+dfsg1.orig.tar.xz
 a516f56b71687e195e3e3b36593fb947a01df93d 34264 nmap_7.91+dfsg1+really7.80+dfsg1-1.debian.tar.xz
 b70df75079b33800c3374275f71f272a28261903 10546 nmap_7.91+dfsg1+really7.80+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 e07d4d481fb2451cf96ecfd85238a3a9e545b2a74d0c02d9d77d1edfa9d9f002 2394 nmap_7.91+dfsg1+really7.80+dfsg1-1.dsc
 fac6950c683ed72c2c2f100aa91e3bb0f6634bf4394e77841e55a4eb2ccd7d66 7776928 nmap_7.91+dfsg1+really7.80+dfsg1.orig.tar.xz
 4a9ec241ce224ca344b2e79d47b23141ae1cd1b4af9018e92408f681d5e45c07 34264 nmap_7.91+dfsg1+really7.80+dfsg1-1.debian.tar.xz
 eb29625683df89ecd996a02d377a5d4270dc4f25939cebab0259a9bde76b96a7 10546 nmap_7.91+dfsg1+really7.80+dfsg1-1_amd64.buildinfo
Files:
 5e28b57b7671957444d40b931e1e807b 2394 net optional nmap_7.91+dfsg1+really7.80+dfsg1-1.dsc
 a1710b69732897224ccc84ac53b1550a 7776928 net optional nmap_7.91+dfsg1+really7.80+dfsg1.orig.tar.xz
 37f3a217bcf07ce5dd67c7103fb46a68 34264 net optional nmap_7.91+dfsg1+really7.80+dfsg1-1.debian.tar.xz
 29d0f0a32ec8de2d7403c06e9f2738f4 10546 net optional nmap_7.91+dfsg1+really7.80+dfsg1-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Mar 2021 07:26:33 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 13 09:36:42 2025; Machine Name: buxtehude
