[Snort-sigs] rules licensing (slightly off-topic pondering)
mkettler at ...189...
Thu Sep 11 13:48:03 EDT 2003
At 07:20 PM 9/10/2003 +0200, Milani Paolo wrote:
>if free-ids.org develops a new opensource ids software that can read snort
>syntax, can he ship snort rule files with it? does this force him to go
>GPL for his entire project (rather than use some other free software license)
Well, I'm unsure if the rules are GPL licensed or some other license,
however I'm going to assume that they are for the purpose of this
discussion. It's somewhat implied that they are, but not explicitly stated,
someone from Sourcefire would have to clarify this point.
Disclaimer in advance: I'm neither a lawyer, nor a copyright holder of
snort. If you want an authoritative answer, ask a lawyer and/or someone
from Sourcefire. I'm just pontificating, and don't mistake me as knowing
what I'm talking about.
Overall, my best suggestion is to try to get an answer about your specific
situation from Sourcefire. Clearly if they say they have no problem with
it, you're not likely to have any problems. If they have objections, try to
work something out with them which isn't objectionable and still within
reason. By and large they're pretty reasonable people.
As for the facts, I can only answer the distribution part of your question.
It is quite common practice to have a GPL piece of software, compiled as a
stand-alone binary from publicly available source code, be called upon by a
separate closed source application. A large number of commercial embedded
tools use GCC as a complier back-end (for example Wind River's VxWorks).
However, said closed-source is really a completely separate entity ie: not
linked to the code in any way, merely calling the OS's exec functions to
make GCC run. Also RedHat ships CD's containing packages with a wide
variety of licenses, not just GPL, and not all compatible with GPL.
Hence, merely distributing a GPL product does not require all products
distributed to be GPL, even if the products are distributed together, and
even if one uses the output of another, as long as they are separate
entities. That's pretty well established. The GPLed items still need GPLish
treatment, but that doesn't inherently require GPL treatment of separate
binaries shipped at the same time.
It's a bit unclear if the snort rule files are considered a separate item
under the GPL, if they are even GPL licensed in the first place. However,
if you can find the answer to that, the above should hold true. My
instinctive feel is that it would be hard to claim that the rule files are
somehow a part of the program that reads them, thus can be considered a
stand-alone element if they are GPLed. Doing something involving linking
the entire textfiles directly into your binary executable could probably
cause it to be considered single entity, but I can't imagine why anyone
would do that in the first place. However, I'm not in a position to give a
"real" answer on this, and that's strictly an opinion with no relative
weight or authority.
More information about the Snort-sigs