Torsten Curdt’s weblog

Abuse of the open source idea

I just heard about the business model of insecure.com. And while searching for a different, more PC way of saying this, all I can think of is “I am so pissed off”.
Insecure are the initial copyright holders of the well-known security scanner nmap. Nmap is released under the GPL license …BUT they come up with their own definition of derived work. (see here)

…Note that the GPL places important restrictions on “derived works”, yet it does not provide a detailed definition of that term. To avoid misunderstandings, we consider an application to constitute a “derivative work” for the purpose of this license if it does any of the following:

  • Reads or includes Nmap copyrighted data files, such as nmap-os-fingerprints or nmap-service-probes.
  • Executes Nmap and parses the results (as opposed to typical shell or execution-menu apps, which simply display raw Nmap output and so are not derivative works.)
  • Links to a library or executes a program that does any of the above.

Now if you want to parse the XML output of nmap, your program has to be under the GPL or you have to pay insecure.com a one-time license fee (a 5-digit number …depending on the customer) plus a 4-digit annual fee. And they think it’s totally ok…

…We don’t consider these to be added restrictions on top of the GPL, but just a clarification of how we interpret “derived works” as it applies to our GPL-licensed Nmap product. This is similar to the way Linus Torvalds has announced his interpretation of how “derived works” applies to Linux kernel modules. Our interpretation refers only to Nmap – we don’t speak for any other GPL products. …

…but I’d call it an abuse of the open source idea. They use the viral nature of the GPL license to protect “their” product. On the other hand, they happily accept support from the open source community. Actually, I don’t want to believe this is really ok …legally. I am also wondering if Mr. Torvalds knows he has been used as a reference here.

In this very case finding this note in the man page feels almost like a slap in the face:

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

  • Sure ...but looking at their "changelog" and "thanks to" page it looks like they do take contributions and incorporate them.

    http://www.insecure.org/nmap/nmap_changelog.html
    http://www.insecure.org/nmap/nmap_thanksto.html
  • Well, if all of the source code is theirs, then they can release it under any license they like (including a modified version of the GPL), but if they have incorporated code produced by other people - then they no longer have the right to "clarify" what the GPL means over the portions of the source code to which they do not hold the copyright.