The community is buzzing over the story that Fyodor won't let SCO distribute his application, Nmap, any longer. Yes, Nmap is yet one more GPL product that SCO continues to distribute with its offerings.
There are plenty of questions and some controversy about this move by Fyodor, so what exactly did he announce, and can he do it? I held off writing about it in order to try to reach Fyodor, so he could answer some questions, but my Inbox is overflowing from everyone but Fyodor, so I'll tell you what I know so far, subject to Fyodor possibly providing further clarifying information. I'll explain how the GPL works and what triggers a termination of the license. It's at moments like this that I am so glad I attended the GPL seminar. Here's what I learned and how I think it applies.
First, this isn't a case of "discrimination", of refusing to allow a certain entity or group to use a GPLd product because you don't like them, although clearly he doesn't like SCO. I've seen criticism that what he is doing might violate the standards for Open Source on those grounds, but what he announced isn't exactly that, though the effect is almost the same. What he is saying is that SCO has violated the GPL Section 4 and therefore has no license to distribute his work any longer.
Nmap, for any who don't know, is a very famous security application. If you saw the Matrix movie, "The Matrix Reloaded", you saw it on the screen, and there is a picture of that on the Nmap website. It has been in other movies too and it is highly regarded throughout the tech world. Fyodor's website tells us this:
"Nmap has been named 'Security Product of the Year' by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It has also been praised by Wired, Information Security, BBC, Network World, Slashdot, 2600, SANS, Info World, Microsoft, Computer World, Sun World, Phrack, and more. At least three movies have featured Nmap, including Battle Royale, HaXXXor Vol. 1, and some Sci-Fi flick."
The Sci-Fi flick he mentions is the Matrix movie:
"Nmap was featured in The Matrix Reloaded! We have all seen many movies like Hackers which pass off ridiculous 3D animated eye-candy scenes as hacking. So I was shocked to find that Trinity does it properly in The Matrix Reloaded. She whips out Nmap version 2.54BETA25, uses it to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 exploit from 2001. Shame on them for being vulnerable (timing notes). Congratulations to everyone who has helped make Nmap successful!"
So, what exactly happened? If you go to www.insecure.org you find a simple announcement:
"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 3.50 from http://www.insecure.org/nmap/ .
"Nmap ('Network Mapper') is an open source utility for network exploration or security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, including Linux/BSD/Mac OS X, and Windows. Both console and graphical versions are available.
"Changes from version 3.00 to 3.50 are extensive: Service/Version detection, IPv6, much better remote OS detection, Mac OS X and improved Windows support, NmapFE overhaul, substantial code restructuring and improvements, cleaner output, an OS classification system, ping scans using UDP, multiple ports, and multiple techniques in parallel, port zero scans, TTL control, packet tracing, and much more! We recommend that all current users upgrade."
When you go to see the list of the changes, nestled in the list of bug fixes and new features, you find this:
"SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid (and even unconstitutional)! Meanwhile they have distributed GPL-licensed Nmap in (at least) their 'Supplemental Open Source CD'. In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, Skunkware, OpenServer, and UNIXWare. We have also stopped supporting the OpenServer and UNIXWare platforms."
So, that is what he has done. He is opting to no longer support SCO products, which he is absolutely free to do. If you aren't a programmer and you wonder what difference that would make, take a look at the list of changes and fixes on the detailed changes page, the changelog:
- Fixed (I hope) some Solaris Sun ONE compiler compilation problems reported (w/patches) by Mikael Mannstrom (candyman(a)penti.org)
- Fixed the --with-openssl configure option for people who have OpenSSL installed in a path not automatically found by their compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for the patch.
- Made some portability changes for HP-UX and possibly other types of machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com)
- Applied a patch from Matt Selsky (selsky(a)columbia.edu) which fixes compilation on some Solaris boxes, and maybe others. The error said "cannot compute sizeof (char)"
- Applied some patches from the NetBSD ports tree that Hubert Feyrer (hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ .
That is just a brief snip from the list, but it is enough to show you that without his cooperation, a number of companies would have difficulties. Making software work well for various companies is one of the services the community provides. Fyodor is saying now that if he were to get a request to fix something or do something for SCO, his answer would be no. He has no legal duty to provide such a service to SCO or any other company, something any company desiring to attack the community and the GPL would be well-advised to consider.
The other thing he is doing is notifying SCO that he feels that their public repudiation of the GPL indicates that they do not accept the terms of his chosen license. Unless they accept the terms of the GPL, they have no right to distribute his GPLd work, which is only available to them or to anyone under those terms. That's his message to SCO.
What happens if there is a violation of the GPL? Section 4 of the GPL is its termination clause and what gives the license teeth. Here is how the handout from the seminar describes it:
"The GPL is a Free Software license with legal teeth. Unlike licenses like the X11-style or various BSD licenses, GPL (and by extension, the LGPL) is designed to defend as well as grant freedom. . . .
"Termination Begins Enforcement
"As a copyright license, GPL governs only the activities governed by copyright law -- copying, modifying and redistributing computer software. Unlike most copyright licenses, GPL gives wide grants of permission for engaging with these activities. Such permissions continue and all parties may exercise them until such time as one party violates the terms of GPL. At the moment of such a violation (i.e., the engaging of copying, modifying or redistributing in ways not permitted by GPL) Section 4 is invoked. While other parties may continue to operate under GPL, the violating party loses their rights.
"Specifically, Section 4 terminates the violators' rights to continue engaging in the permissions that are otherwise granted by GPL. Effectively, their permissions go back to the copyright defaults -- no permission is granted to copy, modify, nor redistribute the work. Meanwhile, Section 5 points out that if the violator has no rights under GPL -- as they will not once they have violated it -- then they otherwise have no rights and are prohibited by copyright law from engaging in the activities of copying, modifying and distributing."
Now we don't know if Fyodor has been engaged in discussions with SCO and this is the culmination of failed negotiations or if this is the opening round, but it could be that he is setting himself up to take some enforcement steps.
I know you want me to tell you if his grounds for invoking Section 4 are sufficient. But I can't. I don't have enough facts before me. Nmap is not part of the kernel, so charging a license fee for use of the kernel wouldn't be a GPL violation that would involve Nmap. However, it is conceivable that he is of the belief that SCO's assertion of copyright or "derivative works" rights over Linux constitutes a claim that they might make against him, so he is taking prophylactic action by cutting their distribution rights.
Or, he may be of the belief that their public repudiation of the GPL constitutes a refusal to accept the license, and he would like them to assert their acceptance of the GPL or stop distributing his product, which is only available under that license. In other words, he may be calling their bluff, forcing them to say if they do or do not accept the terms of the GPL. We don't know what violations of the GPL he precisely sees in their Open Source CD. If there are such, enforcement actions are inevitable, and not just from Fyodor.
One thing I do like about what Fyodor is doing: he is highlighting their hypocrisy. They are bundling GPL products into their offerings and presumably making money from doing so. If they don't accept the GPL as being valid, it is surely inappropriate for them to distribute GPLd products. And there is, if not legal weight, at least moral weight to that argument. Deeper, Section 5 does say that if you don't accept the GPL, you can't copy, modify, or distribute the code, because it is your only license to do those things that copyright law forbids you otherwise to do without permission, which Fyodor just indicated he doesn't grant. If SCO persists in distributing, presumably the next step could be an action for copyright infringement. Note the language of the GPL's Sections 4 and 5:
"4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
"5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it."
It's also possible he just got fed up and in all honesty, who can blame him? It must be galling to watch the company make money from your work, pay you nothing, and at the same time attack the copyright license you have chosen and that they are benefitting from. His legal theory might be innovative and might not stand, but frankly, in this crazy SCOland, has that ever stopped SCO?