Nmap Development mailing list archives

Re: Revisiting the Nmap Public Source License
From: Henri Doreau <henri.doreau () gmail com>
Date: Sun, 7 Apr 2013 19:54:06 +0200

2013/3/27 Fyodor <fyodor () nmap org>:
Hi Folks.  Long time members of this list may recall my proposal in 2006 to
better formalize Nmap's open source license.  Right now the license is
basically a mishmash of GPLv2 with several paragraphs of clarifications and
exceptions.  It is confusing to people, and it is also missing some
important provisions of newer open source licenses.  So back in 2006, I
created an "Nmap Public Source License" which is still based on GPLv2, but
also contains key provisions from other open source licenses.  I posted the
request for comments to this list here:


The annotated version of the license is here:


The new license is very similar to the current one[1] in function, but I
think it has better structure.  Nobody really complained about the new
license, so I decided to get some more legal review and then make the
change.  Then I, uh, sort of dropped the ball for 7 years.  I get very
excited about Nmap's technical direction, but legal stuff like this (while
incredibly important) isn't my passion.  And it is too easy to just say
"I'll do it next month" and then pretty soon "I should research the new
Mozilla Public License 2 and GPLv3 first" before taking any action and
then, before you know it, 7 years have passed :).

So the Nmap Public Source License may not be perfect, but I think it is
better than the current mish-mash.  My suggestion is that we switch to that
for now.  We can touch it up later if needed, but I don't want to delay
this for any more years.  I did make one change today, related to
installers which download Nmap over the Internet at runtime.  I hope that
will help prevent fiascos such as Download.com distributing trojan Nmap

The license change would only apply to future versions of Nmap, not 6.25
and earlier.  And since I know licenses can be a touchy subject, I'll wait
a couple weeks to collect feedback before making any change.


[1] https://svn.nmap.org/nmap/COPYING
[2] http://insecure.org/news/download-com-fiasco.html


Like many developers I feel very unfamiliar with these touchy licensing
issues, though I understand that they're fundamental. Therefore, I
believe I shouldn't be shy about these couple of questions I have.

Could you elaborate on the advantages of having a project-specific
license? Are you sure that following our own path (i.e. not using plain
GPLv2+ terms for instance) won't constitute a weakness? Does nmap have
specificities that make NPSL more suitable for it than plain GPL?

To my understanding, having a project-specific license might have the
following drawbacks:

- Harder for free software authors to know whether they're safe
  interfacing with nmap and/or contributing code.
- Harder for lawyers to know how a court would interpret the terms (GPL
  has already been defended successfully in a number of cases). For the
  same reasons, it might be harder for nmap to get assistance and
  advice in case of trouble.


Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
