ModSecurity Breach

ModSecurity Blog


ModSecurity Licensing Exception Draft Is Ready

As you may know, ModSecurity is licensed under GPL version 2. This licence has served us reasonably well, but there’s been one problem that has been following us for a long time. I chose to use the GPLv2 for ModSecurity, back in the day, mostly in order to prevent the use of ModSecurity in proprietary derivative works. This strategy worked, but it had the unfortunate side effect of also preventing the creation of open source derivative works, due to the incompatibility between the Apache Software License version 2 and the GPLv2. The problem eventually caused the removal of ModSecurity from Debian.

After the GPLv3 was introduced we had an option to switch to it (the incompatibility with the ASLv2 was fixed), but doing that would require a significant investment to fully understand the new licence and the consequences of its use. (Decisions were easier to make when I was the only person making them; now there are quite a few people involved.) The fact that GPLv3 hasn’t been proven in practice does not help. At some point we realised that the path to fixing the problem was not through the licence change, but through an exception that would grant additional rights to qualifying open source projects. The exception creates additional rights for those who choose to accept it, but it does not change the licence of ModSecurity itself, which remains licensed under GPLv2. Changes and improvements to ModSecurity must still comply with the GPLv2.

Anyway, the final draft of the exception is ready: ModSecurity_Licensing_Exception_1.0-draft5.pdf. Here’s a brief overview:

  1. You want to package a web server distribution based on Apache and you want to include ModSecurity in it. The Exception allows you to do this as long as all the components use the approved open source licences.
  2. If you make changes or improvements to ModSecurity, or write code that links with it—either directly or indirectly (e.g. through a third component)—such code must be released under GPLv2; it cannot be covered by the Exception.
  3. If you build a user interface to control the derivative work (and thus ModSecurity too) you can choose any approved open source licence for it.

The plan for now is to give you some time to send us feedback, if you wish. If everything goes well, the next stable version of ModSecurity will include the Exception too.


Great news. Not that it's a huge drag to compile from source or anything, it's just the ability to stay inside the pkg manager is a *good* thing. Thank you for the effort of sorting it out and explaining it.

robt.
A Debian/Ubu user.

Uh ... a problem. "approved" is not adequately defined. I doubt Debian would consider this exception, since their possibly patched version is a derived work, and cannot transmit the exception. Bleah.

Have you read the text of the exception? The approved licences are those listed in the document. As for your second point, I don't see a problem with a derivative work continuing to use this exception.

This is great news!
Thanks for taking the time to do this!!! It would be great to have such an important software for all of us back again.

Greetings

Has this licence change been officially approved by the debian-legal folks? Was it run by them before being announced??

There seems to be a packager waiting to package this for Debian ... see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487431

Thanks for working to make this code useful to Debian and Ubuntu Linux -- I really hope the legal stuff is "good enough" so this can once again be included.

Jonathan

Jonathan,

Yes, debian-legal had a chance to review the exception long before it was used in ModSecurity. We haven't heard from them much, but my understanding is that they are fine with it.
