Comment 68 for bug 102212

Justin M. Wray (wray-justin) wrote : Re: [needs-packaging] Metasploit Framework 3.0

Let's break down the License, and see where we fall.

...

Definitions

...

c. "Enhancement" means any bug fix, error correction, patch, or other
addition to the Software that are independent of the Software and do not
require modification of the Software of the Software itself.

...

3. The license granted in Section 2 is expressly made subject to and
limited by the following restrictions:

a. You may only distribute, publicly display, and publicly perform
unmodified Software. Without limiting the foregoing, You agree to
maintain (and not supplement, remove, or modify) the same copyright,
trademark notices and disclaimers in the exact wording as released by
Developer.

...

4. You may develop Enhancements to the Software and distribute Your
Enhancements, provided that You agree to each of the following
restrictions on this distribution:

a. Enhancements may not modify, supplement, or obscure the user interface
or output of the Software such that the title of the Software, the
copyrights and trademark notices in the Software, or the licensing terms
of the Software are removed, hidden, or made less likely to be discovered
or read.

b. If you release any Enhancement to the Software, You agree to
distribute the Enhancement under the terms of this License (or any other
later-issued license(s) of Developer for the Software). Upon such
release, You hereby grant and agree to grant a non-exclusive royalty-free
right, to both (i) Developer and (ii) any of Developer's later licensees,
owners, contributors, agents or business partners, to distribute Your
Enhancement(s) with future versions of the Software provided that such
versions remain available under the terms of this License (or any other
later-adopted license(s) of Developer).

...

Online Updates

The Software includes the ability to download updates (i.e., additional
code) from Developer's server(s). These updates may contain bug fixes,
new functionality, updated Documentation, and/or Extensions. When
retrieving these updates, the Software may transmit the Software version
and operating system information from Your computer to the update server.
The server may record (store) this information, in conjunction with the
IP (global Internet Protocol) address of the user, in order to attempt to
maintain accurate end user and version statistics. By using the online
update feature, You hereby agree to allow this information to be
transmitted, recorded, and stored in any nation by or for Developer.

I pulled out only the parts that are important to the matter at hand. An unedited version of the license can be found attached above or on the Metasploit website. I have not modified any content of the license and have only "copied & pasted" the parts needed for discussion.

-----

 1) Definitions, entry "c" - Indicates that bug fixes are considered an "Enhancement" (this includes patches).
 2) Section 3 - a indicates that only unmodified versions of the software can be distributed.
 3) Section 4 grants the right to create "Enhancements" (or patches)
 4) Section 4 - a enforces that the patches do not alter the user-interface, license, or output etc.
 5) Section 4 - b states we must release the patch under the same license (The Metasploit Framework License v1.2)
 6) Online Updates Section notes that some user information may be recorded

I am no lawyer but here is my feedback on the above statements:

1 - The Ruby patch, and "permissions correction" would fall under an "Enhancement"

2 - This would indicate that we cannot "distribute" the code, however when you get right down to it, Debian policies do not allow this anyway, and we instead "patch" the unmodified source. Either way this state makes it seem as if no modifications are allowed.

3 - However, this section gives the right to "patch" the code. Therefore distributing the unmodified source, and the patches should be fine.

4 - Our patches are only bug fixes, and in no way alter any of these items

5 - Ubuntu packages are released as GPL, we could in theory release the patch under The Metasploit Framework License v1.2, but currently it is included in the package, with no restrictions. This is something we should look into.

6 - I really think this should be relayed to the client, as some would want to know this up front.

-----

Maybe I am reading into this the wrong way; I am not sure. Any comments?

Thanks,
Justin M. Wray