[Nikto-discuss] Nikto not fully GNU GPL?

Sullo sullo at cirt.net
Fri Mar 27 13:43:28 UTC 2009

Hi Jan, thanks for the question. I'll try to explain as best I can.

> Is this license change intended by nikto or one of the
> Debian habits due to possible misinterpretation?

It is not a misinterpretation or a change in the Nikto license. Since
version 1.0 of Nikto, the databases (software versions, tests, etc.) have
*not* been licensed under the GPL--only the code portions are. There are a
lot of arguments for and against this and I have, at times, changed my
opinion--but the license has remained unchanged. The primary reason for the
restricted license is what I (and others) think is a pattern of abuse by
companies with regard to OSS and other "free" resources. Many places feel
that "free" (cost) means they can do *whatever* they would like with it,
including using software/data as part of their own for-profit tools or even
for direct resale. This is not the intent of the GPL, and never was my
intent with Nikto.

Someone from Debian contacted me a while ago with concerns that Nikto was in
the GPL portion of the source tree, but was not 100% compliant. I did not
change the license but offered some suggestions (such as not packaging the
databases, but allowing the user to run -update on first use), but in the
end he decided to include it in the non-free portion of their source tree.

> Background of my question is that I would like to integrate
> Nikto more tightly into OpenVAS in the way that the nikto databases
> and nikto plugins are updated via the OpenVAS feed and ultimately
> manageable via the OpenVAS-Client(s). Similar to how we support OVAL
> via ovaldi. Of course this all makes only sense if nikto remains fully
> Free Software.

Ultimately the decision on exactly how Nikto integrates with OpenVAS is in
your hands, however I fully support its integration as much and as tightly
as possible.

The actual DB licenses in question read:
# This file may only be distributed and used with the full Nikto package.
# This file may not be used with any software product without written
permission from CIRT, Inc.

Since you are actually calling Nikto (I assume that hasn't changed since the
Nessus fork), condition #1 is technically satisfied. As for condition #2... I
guess I need to better understand exactly what you have in mind, but I'm
pretty confident we can work out the issue.

Let's take the discussion off-list after this, and I'll just post back when
we have come to an agreement.

http://www.cirt.net     |      http://www.osvdb.org/
