Bug 437474 - Nessus server package (nessus-core) violates license
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: nessus-core
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Andreas Bierfert
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE-Legal
Reported: 2008-03-14 13:46 UTC by Jan-Oliver Wagner
Modified: 2008-03-31 19:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-31 19:17:26 UTC
Type: ---
Embargoed:
Description Jan-Oliver Wagner 2008-03-14 13:46:21 UTC
Description of problem: 
The Nessus server is packaged with OpenSSL support for
current and all past Fedora releases. The license of Nessus
does not permit this.

Additional info:
In fact, the openssl exception of some Nessus modules
does not extend to the actual server:
In directory nessus-core/nessus (the client) you will find:
COPYING
COPYING.OpenSSL
while in nessus-core/nessusd (the server) you will find only:
COPYING

Naturally, it does not make much sense to configure the package
without SSL support to eliminate the license problem, as sensitive
information will get transferred in clear text.

BTW: this mistake was made by virtually every GNU/Linux distribution.

PS: The Nessus-fork OpenVAS (www.openvas.org) has replaced OpenSSL by
GNU/TLS and thus resolves the packaging/distribution problem.

Comment 1 Tom "spot" Callaway 2008-03-24 13:54:25 UTC
Contacted upstream to see if they can resolve the license incompatibility.

Comment 2 Tom "spot" Callaway 2008-03-31 19:17:26 UTC
I spoke to upstream, and they don't consider this a problem, because OpenSSL is
widely considered a "system library", thus, it falls under this clause in GPLv2
(there is a similar clause in GPLv3):

However, as a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary form) with the
major components (compiler, kernel, and so on) of the operating system on which
the executable runs, unless that component itself accompanies the executable. 

Admittedly, the fact that they use the exception clause for half of their code,
but not the other half is confusing, but this is acceptable for Fedora.