Wireshark · Ethereal-dev: Re: [Ethereal-dev] Ethereal Distribution/Legal Question

[Dave Shawley <daveshawley@xxxxxxxxxxx>]

On Aug 31, 2004, at 3:45 PM, Jerry Talkington wrote:

> On Tue, Aug 31, 2004 at 05:20:47PM +0000, daveshawley@xxxxxxxxxxx 
> wrote:
> > Hello again,
> >
> > I raised this question about a year or so ago on this list. Now that 
> > I have
> > some time to look into it again, I was wondering what exactly are the 
> > terms
> > of distributing Ethereal (as-is) and also distributing plug-in 
> > dissectors for
> > various protocols. I am asking this question because my employer 
> > would like
> > to distribute Ethereal on our distribution disks so that our field 
> > engineers
> > have access to such a fine tool.
>
> If you are only distributing it within your organization, then you can 
> make
> whatever changes you want without releasing anything.  When you
> redistribute outside of your organization (e.g. to customers or
> contractors,) then you must make the original source code and any
> changes available (including the source to your plugin, since it seems
> that the required file plugins/plugin_api.h is required, which is
> GPL'd.)

That is our current plan. The source code for all of our dissectors will
be made available. Even though it is going to be distributed as an
internal tool, there is always the chance of an ex-employee or customer
getting their hands on it (see below).

> > In my original post, I was assuming that we were not going to be able 
> > to
> > make the source code to our dissectors available. Now that we are 
> > revisiting
> > the issue, [they] have decided that it is probably permissible to 
> > make the
> > source code for some of our internal dissectors available upon 
> > request. The
> > tool will be made available on our distribution disks which are 
> > generally only
> > used by our internal personnel; however, the customer has a copy of 
> > the
> > disks so they should be considered recipients of the package as well 
> > - hence
> > my employer's concern about exposing [possibly] proprietary protocols.
> > (Please don't flame me to hard here... I'm just a software engineer 
> > and,
> > believe it or not, there are a large number of closed protocols and 
> > networks
> > out there.)
>
> You can't just "make the source available."  You have to make the 
> source
> available *under the GPL*.

That was the intention. The source will be made available either upon
request or via an FTP server *and* it will be placed under the auspices
of the GPL.

> > I guess what it really comes down to is: "what source code must be 
> > made
> > available?" My interpretation of the license is that we have to 
> > retain the
> > various notices as well as make our distributed dissectors available 
> > in source
> > form. This does not include our core products... correct? Our intent 
> > is to use
> > Ethereal as a diagnostic tool only - it is not being added to our 
> > product line
> > to provide an enhanced feature or anything like that.
>
> If you distribute an executable version, then you need to make the
> source for that version available.  AFAICT, since it's still available
> on ethereal.com, it's available to whomever you distribute (the
> unmodified version) to.  If you add code, then distribute an executable
> to someone outside your organization, then you must make that code GPL.

Understood. When I originally examined this issue our management 
decided that
we weren't going to disclose any of our code hence we never distributed
Ethereal or our plug-ins. However, after reexamining the issue again, I 
think
that we are going to distribute Ethereal with GPL'd dissectors for a 
select
set of protocols. I don't know if we will publish the dissectors back 
into
the code branch or not - still have to make that decision.

> > Any thoughts are appreciated. Having a network analyzer available on 
> > our
> > servers would make my job much, much easier.
>
> You can always distribute the unmodified version to customers and SEs 
> to
> capture the data, then use a version that actually decodes those
> protocols internally for analysis.  You could also give a modified
> version to your SEs, but then it's only a matter of time before an SE
> trying to make his quarterly quota give it to a customer to try to
> garner favor ;)  At that point you are just asking to get sued by the
> EFF.

This is similar to what we are currently doing. Whenever an issue comes
up that really warrants the use of a packet sniffer, we have an FE
install Ethereal from the default distribution, capture packets, and
send the binary capture file back to an engineer. Then we (the 
engineers)
dissect away with our own little custom dissectors. It is a bit of a
pain for the engineers, but we haven't really had a choice previously.

> --
> GPG public key:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9D5B8762
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev

Thanks for your prompt response. With any luck will will publish our
protocol dissectors back into the Ethereal tree to extend the protocol
coverage a little more :-)

Dave.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT dpu-(---) s:- a- C++++$ UBM+++ P+++(++++) !L E--- W-- N++(+++)
o? K? w--- O M+ V- PS+++ PE Y+>++ PGP@ t+() 5 X+ R+ tv@ b+>++ DI++++
D--- G e++>+++ h(*) r+++ y+++
------END GEEK CODE BLOCK------