drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

[License] Ensure better attribution if used in the internet #1590

Open pombredanne opened 4 years ago

pombredanne commented 4 years ago

Hi Dirk:

In https://github.com/drwetter/testssl.sh/blob/a45e9f52d54d12eb62cf9f857662bfc40fe1d83e/doc/testssl.1.md#copyright we have:

License GPLv2: Free Software Foundation, Inc. This is free software: you are free to change and redistribute it under the terms of the license. Usage WITHOUT ANY WARRANTY. USE at your OWN RISK!

If you're offering testssl.sh as a public and / or paid service in the internet you need to mention to your audience that you're using this program and where to get this program from.

and in https://github.com/drwetter/testssl.sh/blob/3.1dev/Readme.md#license we have:

This software is free. You can use it under the terms of GPLv2, see LICENSE. In addition starting from version 3.0rc1 if you're offering a scanner based on testssl.sh as a public and / or paid service in the internet you need to mention to your audience that you're using this program and where to get this program from.

I am wondering if this additional condition would be contradicting the GPL?

Per section 6 : https://www.gnu.org/licenses/old-licenses/gpl-2.0.html#section6 :

You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

so having an extra need to mention to your audience that you're using this program that is not part of the GPL may be a contradiction of sorts?

-- Cordially, Philippe

PhilGPk commented 4 years ago

Although it doesn't directly address attribution, perhaps relicensing as Affero GPL would help? Then the source has to be available, along with the necessary copyright clauses. The quickest alternative is rephrasing as "please mention" so it's not strict?

drwetter commented 4 years ago

Hi @pombredanne ,

First: IANAL, and I am thankful to you for pointing this out.

I just found it to be fair to mention that; maybe that is asking too much under this license. David spends a lot of work time on this, and that time is on his employer. I am a consultant and spend/spent lots of months on this too. I do not get any money in return (1), which is fine and is just how it works.

GPL requires in any case that for a program the license is distributed and (edited: where one can get) the source code. This helps the program get better known and hopefully encourages people to contribute. Last but not least there were a lot of other contributions (JSON/CSV output, non-flat JSON output, client simulation, Travis/CI, HPKP, now: SSL Labs rating -- just to name a few) which helped tremendously. This worked perfectly when a distributor picks it up, or even when a commercial product you're installing on a server or a desktop is using it. It gets mentioned (incl. the license), and that's cool and helps contributing.

What is maybe legitimate under GPLv2 but I consider not fair is if somebody comes up with a paid service on the internet AND doesn't mention that it's using the program -- or he/she didn't ask. That was a while back. I tried to get in touch with the domain owner, IIRC via contact form, a couple of times, asking to mention he's using testssl.sh, but nothing came back. The website also seemed to be stale; nothing happened.

That was a reason why this line ended up there. Let me chew on the phrasing a bit. @PhilGPk 's remark was also the first thing which popped up in my mind as I read @pombredanne 's concern.

So if Affero GPL is better in that respect maybe I should look into it, thanks @PhilGPk. Any further helpful recommendation / expertise would be welcome. As said, IANAL.

Cheers, Dirk

(1) Except amounts via paypal donate button on https://testssl.sh. But that doesn't even cover the costs for the domains testssl.sh / testssl.net.

pombredanne commented 4 years ago

@PhilGPk you wrote:

Although it doesn't directly address attribution, perhaps relicensing as Affero GPL would help? Then the source has to be available, along with the necessary copyright clauses.

That could work nicely, but I doubt the AGPL helps, as unless the code is modified or the code contains specific things for source provisioning, it is not much different from the GPL IMHO; see https://opensource.stackexchange.com/questions/5041/of-the-differences-between-the-gplv3-and-the-agplv3-texts-what-to-make-of-them

The quickest alternative is rephrasing as "please mention" so it's not strict?

Yes, that would work too, as it would no longer be a mandatory condition.

pombredanne commented 4 years ago

@drwetter I am not a lawyer either, but I dabble a tad in FOSS licenses. I brought up the question here following some discussion on a mailing list: https://lists.spdx.org/g/Spdx-legal/message/2793?p=,,,20,0,0,0::Created,,testssl.sh,20,2,0,73085652

Just to be clear, I am coming purely from a license angle and I am not arguing about fairness here! I am not even a user of testssl. And I cannot agree more that attribution is super important.

The AGPL may indeed be a better choice, but you would need to check the details.

drwetter commented 4 years ago

@pombredanne : thanks for the additional info.

While I am happy for any helpful feedback, I am not sure I can follow the pointer you gave me. What is 'LicenseRef-GPL-2.0-Web-Services-Attribution'? Is that supposed to be a suggested amendment, or how should I take that?

And why doesn't GPL-2.0 [..] particularly have any precise connection to the SPDX GPL-2.0?

drwetter commented 4 years ago

Looking into the future for a possible license change: Do you (or anybody else) know of a side-by-side comparison of FLOSS licenses which would make it easier for me to pick an appropriate one?

Or something which creativecommons.org used to have: a couple of questions in a web-based menu, and in the end a license was suggested?

pombredanne commented 4 years ago

@drwetter re:

Looking into the future for a possible license change: Do you (or anybody else) know of a side-by-side comparison of FLOSS licenses which would make it easier for me to pick an appropriate one?

Not really side-by-side, but we maintain this list of many licenses with tags and attributes: https://enterprise.dejacode.com/licenses/

Or something which creativecommons.org used to have: a couple of questions in a web-based menu, and in the end a license was suggested?

These may help? I did not try them:

This looks like a decent write-up: https://arstechnica.com/gadgets/2020/02/how-to-choose-an-open-source-license

pombredanne commented 4 years ago

Also does your scanner output contain a proper attribution?

drwetter commented 4 years ago

Thanks for the hints, @pombredanne .

Also does your scanner output contain a proper attribution?

In the context of this issue the terms "proper" and "attribution" seem kind of contradictory to me. It's mentioning its name (of course) and the license.

[Screenshot of the scanner output attached: Screenshot_20200430_125413]

spotrh commented 4 years ago

First off, thanks for resolving this issue. License stuff is not easy, and on behalf of those of us who have to do audits, we appreciate it!

There is one more seeming GPL license contradiction that we noticed in Fedora. In testssl.sh, it says:

# If you enclose this script or parts of it in your software, it has to
# be accompanied by the same license (see link) and the place where to get
# the recent version of this program. Do not violate the license and if
# you do not agree to all of these terms, do not use it in the first place.

The first part of that "it has to be accompanied by the same license" is fine, but the second part which says:

"and the place where to get the recent version of this program."

This seems to add a requirement for providing a link to software/sources which are not the same as the corresponding sources, and that could be construed as an additional restriction, which the GPLv2 does not permit.

A couple of ways to resolve this:

  1. Remove the "and the place where to get the recent version of this program" wording.
  2. Make it optional: "It is greatly appreciated (though not required) if you can also document where users can find the latest version of this program."

I'm happy to help you here if I can, please let me know. If you'd like this opened as a separate issue, I can do that as well.

drwetter commented 4 years ago

Okay, thanks again. No need to open a separate issue. Will change that soon too.

drwetter commented 4 years ago

@spotrh see recent commits.

Don't know whether you just spotted it or you're responsible for the Fedora package. If the latter: there will for sure be a 3.0.2. When: I can't tell yet, probably after fixing 2-3 more bugs. Feel free to backport the recent commit earlier.

PS: I'd like to leave this open for a possible license change.

spotrh commented 4 years ago

@drwetter I am not the maintainer, I'm just the license auditor. I know the maintainer is watching this ticket though. :)

Thanks for the quick fix!

pombredanne commented 4 years ago

@drwetter thank you indeed :+1:

chkr-private commented 4 years ago

@drwetter I'm one of the maintainers of testssl in Fedora and I'm currently preparing the update to 3.0.1 (with the back-ported patches). Thank you very much for quickly addressing these two issues!

I am happy to see that a good man page is provided and I'll package it accordingly, too.

During my testing I have seen that the problematic sentence which was fixed by commit 126e5011439cc4ac6a7e48c29bca4be1b44a502d ("If you are offering ...") in the main Readme.md file is unchanged in all 3 documentation files in https://github.com/drwetter/testssl.sh/tree/3.0/doc . It would be great if the wording could be adjusted in these files too. Thank you very much in advance!

drwetter commented 4 years ago

It would be great if the wording could be adjusted in these files too. Thank you very much in advance!

Done, thank you @chkr-private!

drwetter commented 4 years ago

FYI: by the end of the week there will be 3.0.2

chkr-private commented 4 years ago

@drwetter Thank you very much for fixing the doc/* files! From my side I don't see any other open items related to this issue.

Just for reference: the new release 3.0.2 is now in the testing stage in Fedora:

drwetter commented 4 years ago

Cool!