(First off, sorry for the long mail. I have not contributed as many plugins as I would have liked... but then again I'm also entitled to an opinion :-)

Renaud Deraison wrote:

> There is some confusion about the copyright ownership of a Nessus
> report. When you think about it, a Nessus report is like a book
> regarding the security of your network, and as with every book, there
> are limitations to what you can do with it.

Sure. I would think that, at least, acknowledgement of whoever produced the plugin text would be in order. See below.

(...)

> So in order to clear up any doubt about this, I plan to add a
> README.PLUGINS_OUTPUT in nessus-plugins/ and on the Nessus website to clear
> up any confusion: I consider that a Nessus report is copyright whoever
> wrote the text which appears in it.
>
> So I am posting this here:
>
> - To request comments from plugin writers on that issue. I am not
> interested in endless philosophical debates about the GPL but rather
> in implementation issues, i.e.: should the name of every author be printed
> in the Nessus reports?

I think that maybe it would be best if a footer were added to reports generated by Nessus (in readable formats), and a header or footer comment in the "non-readable" formats (nbe/nsr), which said something like:

"The text in this report is copyrighted by the respective authors of the plugins that provide it (please see the source code for more information) and is distributed under the GPL. You must have a copy of the GPL in your copy of Nessus; if not, please retrieve it from http://www.gnu.org/licenses/licenses.html#GPL. Notice that this text is _not_ in the public domain."

I think the relevant sections of the GPL FAQ are:

"Is there some way that I can GPL the output people get from use of my program? For example, if my program is used to develop hardware designs, can I require that these designs must be free?"
http://www.gnu.org/licenses/gpl-faq.html#TOCGPLOutput

and

"In what cases is the output of a GPL program covered by the GPL too?"
http://www.gnu.org/licenses/gpl-faq.html#TOCWhatCaseIsOutputGPL

IMHO, the text which is produced by a NASL plugin might be a considerable work if the author has taken time to include proper references to databases and ways to solve the issue, and has investigated the issue in detail and documented it properly. Obviously, if the plugin text says "you're screwed", a (c) or GPL restriction can hardly be enforced.

Notice that I'm not only thinking here of a company making use of a Nessus report without acknowledging the work of others (which might be the case sometimes); I'm also thinking of a company which makes a commercial/proprietary vulnerability scanner and retrieves "our" descriptions of vulnerabilities, ways to mitigate them, and solutions, and includes them in their engine. If the report is not (c) and properly licensed, then said "imaginary" company could just run Nessus against a hypothetical system which has _all_ the vulnerabilities, print the report, and take the text over to improve their tools.

Of course, that's the same reason why NASL plugins' text has to be properly analysed to find out if it has been taken from other programs (like Internet Scanner, Qualys or the now abandoned CyberCop Scanner). The same could be said of copyrighted vulnerability databases (such as CERT's or Bugtraq's). So maybe a disclaimer directed to those companies would be appropriate too. Something along the lines of:

"If you find any evidence of NASL plugins using copyrighted text which has not been produced by its author, please contact Renaud Deraison and ask for its removal with the following information: the offending NASL plugin, the copyright owner of the text/code, as well as an offer to show evidence to demonstrate the fact."

Friendly,

Javi [1]

[1] Please excuse my sorry English and spelling mistakes :-)

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2b30 : Thu Dec 11 2003 - 00:12:07 PST