Re: [Plugins-writers] licencing

From: Don Kitchen (don@private)
Date: Sun Dec 19 2004 - 17:35:33 PST

Renaud Deraison <deraison@private> wrote:

> > How do I know what license a plugin is under?

> It's written at the top of the plugin.

There are many plugins, for example the Red Hat local security checks, which
have a Tenable copyright but no information at the top about the license.
(Provided with the latest 2.2.2a version of nessus.)

There seems to be a lot of confusion over licensing and contracting
information. For example, an earlier post asserted that nasl scripts
are "linked" to the nasl libraries, and are therefore derivative works that
must be licensed under the GPL. I'm not a lawyer but I do read Groklaw, and
I don't subscribe to that opinion. I suspect that a lot of the activity that
caused the licensing problem (i.e. what you said about companies regex-
replacing the name Tenable with their own in the copyrights) is not a result
of misunderstanding or ignorance of the GPL, but simple indifference and
downright theft. I'm sure the community will stand behind you if you register
a few of your copyrights and hit the major offenders with statutory damages
on an infringement claim ($$$$$$), if it's as blatant as you say.

But on licensing confusion - I think the current confusion would be cleared
up greatly if we had a comparison of how things will work on the three feeds.
For example:

Paid feed: Proprietary up-to-the-minute plugins

Registered Feed: 7 day delayed paid feed relicensed under GPL. Purpose of
contract is to ensure companies understand the rules of the GPL.

GPL Feed: Same plugins as downloadable with nessus: updated occasionally from
the registered feed, plus plugins donated by third parties under the GPL. Also
the same as running update-plugins.

Or, if this is incorrect and new plugins written by Tenable will no longer
be released with nessus versions nor ever put on the GPL feed, then this would
be good to clarify.

Now, on to the real reason I wanted to write. I noticed that the anonymous
ftp plugin, which provides a directory listing if one is available, only
registers a security warning. It seems to me that if a directory listing
is found (or, to be really fancy, is found with /WINNT or /boot, or has
anything besides /pub, /bin, /home, and /etc), it should escalate to
a security hole instead.

Regrettably I cannot send these particular diffs as the copyright is owned by
a large academic entity for which I have no power to assign copyrights. And
given the current situation, I would not want to imply transfer of copyright
to anyone.
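One way to express the escalation rule Don proposes for the anonymous-FTP listing, as an added Python illustration (not Nessus or NASL code, and not from the post): it parses constructed UNIX- and DOS-style LIST output and maps the entry names to a severity, with the expected directory set and the /WINNT and /boot markers taken from the post.

```python
import re

# Top-level names the post treats as ordinary on an anonymous FTP server.
EXPECTED_ROOT_DIRS = {"pub", "bin", "home", "etc"}
# Names the post singles out as a sign the OS root itself is exposed.
SYSTEM_ROOT_MARKERS = {"WINNT", "boot"}

# UNIX-style LIST line: perms links owner group size month day year|time name
_UNIX_LINE = re.compile(
    r"^[-dl][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")
# DOS/IIS-style LIST line: date time <DIR>|size name
_DOS_LINE = re.compile(
    r"^\d{2}-\d{2}-\d{2,4}\s+\d{2}:\d{2}(?:[AP]M)?\s+(?:<DIR>|\d+)\s+(.+)$")


def parse_listing(listing):
    """Return the entry names in a LIST response (either listing style)."""
    names = []
    for line in listing.splitlines():
        for pattern in (_UNIX_LINE, _DOS_LINE):
            m = pattern.match(line.rstrip())
            if m:
                names.append(m.group(1).split(" -> ")[0])  # drop symlink target
                break
    return names


def classify(listing):
    """Map a listing to (severity, reason): no listing -> none; /WINNT, /boot
    or anything outside the expected set -> hole; otherwise the original
    security warning the plugin already reports."""
    names = set(parse_listing(listing))
    if not names:
        return ("none", "no directory listing")
    markers = sorted(names & SYSTEM_ROOT_MARKERS)
    if markers:
        return ("hole", "system root exposed: " + ", ".join(markers))
    unexpected = sorted(names - EXPECTED_ROOT_DIRS)
    if unexpected:
        return ("hole", "unexpected entries: " + ", ".join(unexpected))
    return ("warning", "listing contains only " + ", ".join(sorted(names)))


# Constructed sample LIST responses (not captured from any real server).
UNIX_LISTING = ("drwxr-xr-x   2 root     root         4096 Dec 19  2004 bin\n"
                "drwxr-xr-x   3 root     root         4096 Dec 19  2004 boot\n"
                "drwxr-xr-x  12 ftp      ftp          4096 Dec 19  2004 pub\n")
DOS_LISTING = ("12-19-04  05:35PM       <DIR>          WINNT\n"
               "12-19-04  05:35PM                 1024 boot.ini\n")
PUB_ONLY_LISTING = "drwxr-xr-x  12 ftp      ftp          4096 Dec 19  2004 pub\n"

if __name__ == "__main__":
    for sample in (UNIX_LISTING, DOS_LISTING, PUB_ONLY_LISTING, ""):
        print(classify(sample))
```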

