Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Nessus server package (nessus-core) violates license|
|Product:||[Fedora] Fedora||Reporter:||Jan-Oliver Wagner <jan-oliver.wagner>|
|Component:||nessus-core||Assignee:||Andreas Bierfert <andreas.bierfert>|
|Status:||CLOSED NOTABUG||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Doc Type:||Bug Fix|
|Last Closed:||2008-03-31 15:17:26 EDT|
Description Jan-Oliver Wagner 2008-03-14 09:46:21 EDT
Description of problem:
The Nessus server is packaged with OpenSSL support for current and all past Fedora releases. The license of Nessus does not permit this.

Additional info:
In fact, the OpenSSL exception of some Nessus modules does not extend to the actual server:

In directory nessus-core/nessus (the client) you will find:
COPYING
COPYING.OpenSSL

while in nessus-core/nessusd (the server) you will find only:
COPYING

Naturally, it does not make much sense to configure the package without SSL support to eliminate the license problem, as sensitive information will get transferred in clear text.

BTW: this mistake was made by virtually every GNU/Linux distribution.

PS: The Nessus fork OpenVAS (www.openvas.org) has replaced OpenSSL with GNU/TLS and thus resolves the packaging/distribution problem.
Comment 1 Tom "spot" Callaway 2008-03-24 09:54:25 EDT
Contacted upstream to see if they can resolve the license incompatibility.
Comment 2 Tom "spot" Callaway 2008-03-31 15:17:26 EDT
I spoke to upstream, and they don't consider this a problem, because OpenSSL is widely considered a "system library"; thus, it falls under this clause in GPLv2 (there is a similar clause in GPLv3):

"However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable."

Admittedly, the fact that they use the exception clause for half of their code, but not the other half, is confusing, but this is acceptable for Fedora.