LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

DMCA

DMCA

Posted Dec 7, 2011 1:09 UTC (Wed) by ewan (subscriber, #5533)
In reply to: DMCA by cmccabe
Parent article: C|Net Download.Com accused of bundling Nmap with malware

It's GPLv2, but with some additional provisions:

No, it GPLv2 plus one exception for OpenSSL. The 'clarifications' are just information about how the authors interpret the phrase 'derived work'. Their interpretation may or may not be correct, but they're not saying that you have to accept their interpretation to get a licence, they're just telling you what it is.

I mean technically, when you run nmap on Windows, the Windows kernel is loading the nmap binary, which is an nmap-copyrighted file, and executing that binary.

You can run GPLv2 software on a proprietary OS - standard OS components are specifically exempted.

I don't think it's even possible to redefine what a "derived work" is inside your license. Isn't that a fundamental part of copyright law, defined in 17 U.S.C. ยง 101?

US law doesn't hold everywhere, of course, but you're right - the term means what it means, it cannot be redefined, and isn't being.

I'd have thought that the obvious GPL claim here would be that the file that CNet are distributing is clearly a derived work ('interesting' interpretations of that term not withstanding), and so they cannot distribute it unless they make the source to their malware available under the GPL as well.

(Log in to post comments)

DMCA

Posted Dec 7, 2011 7:18 UTC (Wed) by jku (guest, #42379) [Link]

Fyodor doesn't seem to agree with you. I have no idea how that would work but he quite clearly believes the clarifications are part of the license.

DMCA

Posted Dec 7, 2011 11:03 UTC (Wed) by Wol (guest, #4433) [Link]

The problem is that "derivative work" is NOT a legally clear term.

So this "clarification" may not stand up in a court of law, but it places distributors on clear notice as to the copyright holder's understanding of the law.

If a term is legally ambiguous, but the defendant knew up-front the interpretation the plaintiff placed on it, then the defendant cannot argue "innocent mistake". They *have* to argue "plaintiff is wrong", which is a lot harder. The "as I understand the law" defence is a lot harder if the plaintiff says "but I told you that's not the way I understand it".

Cheers,
Wol

DMCA

Posted Dec 7, 2011 10:14 UTC (Wed) by Los__D (guest, #15263) [Link]

No, it GPLv2 plus one exception for OpenSSL. The 'clarifications' are just information about how the authors interpret the phrase 'derived work'. Their interpretation may or may not be correct, but they're not saying that you have to accept their interpretation to get a licence, they're just telling you what it is.

Fyodor doesn't agree with you (even though I do):
This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't).

DMCA

Posted Dec 7, 2011 11:35 UTC (Wed) by ewan (subscriber, #5533) [Link]

Interesting, but I'd have thought the plain GPL did that just fine - the installer binary is clearly a derived work of nmap since it includes the whole thing, and can't reasonably be considered 'mere aggregation [...] on a volume of a storage or distribution medium', so the GPL would prohibit redistribution of the whole unless the other components were available under the GPL as well, which seems to be exactly what Fyodor suggests is the intended behaviour of the licence.

DMCA

Posted Dec 7, 2011 19:12 UTC (Wed) by cmccabe (guest, #60281) [Link]

> > I mean technically, when you run nmap on Windows, the Windows kernel
> > is loading the nmap binary, which is an nmap-copyrighted file, and
> > executing that binary.

> You can run GPLv2 software on a proprietary OS - standard OS components
> are specifically exempted.

Good point.

Clearly the malware needs to patch the OS somehow during the install, so that they can legally be in the clear. Microsoft toolbar / nmap parser kernel module, anyone?

People really have to learn to stop downloading from shady third-party repositories... just don't do it.

DMCA

Posted Dec 7, 2011 22:25 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Sure, people shouldn't do it, but this is just exploiting a trust relationship.

The more certain you are that organisation (or person) X won't abuse your trust of them, the more valuable it is for X to sell you out to the bad guys, or if X won't sell, the more valuable it is to impersonate X by any means necessary.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds