Debian

Bug #102212
Comment #66

Comment 66 for bug 102212

Revision history for this message

Justin M. Wray (wray-justin) wrote on 2007-08-16: Re: [needs-packaging] Metasploit Framework 3.0

#66

Welcome back Alessandro, I noticed you did package MSF as well, so I hope that I haven't stepped on your toes.

I have been reviewing the licenes as well. Have a look at: http://framework-mirrors.metasploit.com/documents/RELEASE-3.0.txt

The part that stands out -

* Metasploit is now released under the Metasploit Framework License.
This license allows anyone to use the framework for almost anything,
but prevents commercial abuse and outright code theft. The Metasploit
Framework License helps keep the platform stable and still allows
module developers to choose their own licensing terms for their code
(commercial or open source). For more information, please see the
license document included in the distribution.

It is clear that Metasploit LLC is attempting to protect the work from being used to re-create a "metasploit clone" and more importantly be altered and sold. But I do not really think the idea is to keep anyone from packaging the application, as long as the license stays intact and the "core" code isn't altered. We are not changing any code or functions in anyway. Only correcting the Ruby path (thats the patch that is mentioned). I would honestly like clarification from the Metasploit developer's as to what is "legal" and not.

Now lets just say the end result is the code cannot be altered in any way, including our patches to the Ruby path, and file permissions. How will Debian (or Ubuntu) handle the resulting package? Obviously it will build, and work, but will have a hefty linda/lintian output, and break a few policies. Then again this is going to multivers anyway...

From: http://www.ubuntu.com/community/ubuntustory/components

"multiverse" component

The "multiverse" component contains software that is "not free", which means the licensing requirements of this software do not meet the Ubuntu "main"
Component Licence Policy.

The onus is on you to verify your rights to use this software and comply with the licensing terms of the copyright holder.

This software is not supported and usually cannot be fixed or updated. Use it at your own risk.

So it is clear that Ubuntu is far more lenient with multiverse packages. The package still functions without the "Ruby" patch or the permission correction. It would just be a rather bad package.

The best chance we have is to make the minor changes to the source from the patches mentioned. This will also give us the best package possible.

Thanks,
Justin M. Wray

Welcome back Alessandro, I noticed you did package MSF as well, so I hope that I haven't stepped on your toes.

I have been reviewing the licenes as well.  Have a look at:  http://framework-mirrors.metasploit.com/documents/RELEASE-3.0.txt

The part that stands out -

* Metasploit is now released under the Metasploit Framework License.
 This license allows anyone to use the framework for almost anything,
 but prevents commercial abuse and outright code theft. The Metasploit
 Framework License helps keep the platform stable and still allows 
 module developers to choose their own licensing terms for their code
 (commercial or open source). For more information, please see the
 license document included in the distribution.

It is clear that Metasploit LLC is attempting to protect the work from being used to re-create a "metasploit clone" and more importantly be altered and sold.  But I do not really think the idea is to keep anyone from packaging the application, as long as the license stays intact and the "core" code isn't altered.  We are not changing any code or functions in anyway.  Only correcting the Ruby path (thats the patch that is mentioned).  I would honestly like clarification from the Metasploit developer's as to what is "legal" and not.

Now lets just say the end result is the code cannot be altered in any way, including our patches to the Ruby path, and file permissions.  How will Debian (or Ubuntu) handle the resulting package?  Obviously it will build, and work, but will have a hefty linda/lintian output, and break a few policies.  Then again this is going to multivers anyway...

From:  http://www.ubuntu.com/community/ubuntustory/components

"multiverse" component

The "multiverse" component contains software that is "not free", which means the licensing requirements of this software do not meet the Ubuntu "main" 
     Component Licence Policy.

The onus is on you to verify your rights to use this software and comply with the licensing terms of the copyright holder.

This software is not supported and usually cannot be fixed or updated. Use it at your own risk.

So it is clear that Ubuntu is far more lenient with multiverse packages.  The package still functions without the "Ruby" patch or the permission correction.  It would just be a rather bad package.

The best chance we have is to make the minor changes to the source from the patches mentioned.  This will also give us the best package possible.

Thanks,
Justin M. Wray