Wireshark-dev: Re: [Wireshark-dev] What Wireshark base version to use for customization

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Fri, 12 Dec 2014 11:08:32 +0000


On 10 December 2014 at 20:13, John Dill <John.Dill@xxxxxxxxxxxxxxxxx> wrote:

>Message: 3
>Date: Wed, 10 Dec 2014 19:02:05 +0000
>From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
>To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
>Subject: Re: [Wireshark-dev] What Wireshark base version to use for
>       customization
>Message-ID:
>       <CALcKHKq5p0Mq_o+hbR3SdcX55522roiwUBb5ea5RFi+ysLN2Dg@xxxxxxxxxxxxxx>
>Content-Type: text/plain; charset="utf-8"
>
>On 10 December 2014 at 18:53, John Dill <John.Dill@xxxxxxxxxxxxxxxxx> wrote:
>
>>
>> >Message: 3
>> >Date: Wed, 10 Dec 2014 11:08:25 -0700
>> >From: Stephen Fisher <sfisher@xxxxxxx>
>> >To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
>> >Subject: Re: [Wireshark-dev] What Wireshark base version to use for
>> >       customization
>> >Message-ID: <20141210180825.GA29277@xxxxxxx>
>> >Content-Type: text/plain; charset=us-ascii
>> >
>> >On Wed, Dec 10, 2014 at 12:51:23PM -0500, John Dill wrote:
>> >
>> >> So what restrictions are there when you have a Wireshark plugin that
>> >> contains proprietary information (which can be of the do not export
>> >> variety) from the govt or customer and they do *not* want that
>> >> information released to the public, since Wireshark can be used as a
>> >> tool to visualize and analyze these private kinds of protocols?  If
>> >> some of that implementation leaks into the Wireshark application (like
>> >> hiding all of the unnecessary protocol cruft to make it simpler for
>> >> user to use), what are the implications?
>> >
>> >Is the proprietary information short, such as encryption keys?  A
>> >preference can be used for things like that and then only if the
>> >user's preferences file is shared will it get out.  If that's a
>> >high-risk, you could even have the dissector/plug-in do something
>> >non-stndard like reading a file for the information (but we probably
>> >wouldn't want that kind of dissector in the base source).
>>
>> The entire packet stream generated is a proprietary system on top of
>> TCP and UDP that consists of avionics data, all of which is considered
>> proprietary.  There are several hundred different packet messages that
>> contain one to several hundred data elements.
>>
>> I was curious how the license Wireshark uses applies to this scenario,
>> since I've created a DLL to process data that is also distributed to a
>> govt entity, but I'm using an open source project with a GPL license
>> to translate this data, but the source code that translates the content
>> they want to keep private.
>>
>> Regardless, there's no way I would be allowed to submit this plugin to
>> the public Wireshark repository (not without serious legal/employment
>> consequences), so maybe its a moot point to discuss.
>>
>> Best regards,
>> John D.
>>
>>
>IMHO you're contravening the licence.  When distributing you must abide by
>the licence that permits you to distribute and which requires you to make
>the source code available.

Does the license only apply to those to whom the binary has been distributed
to?  If the plugin is never publicly released, does the license imply that
only the receivers of the plugin are required to be sent the source code?
If the plugin is never seen by the public eye, does that imply that the
source code may stay private as well?

I've never been in a situation like this, so I don't quite understand the
intent of Wireshark's license for this kind of scenario.

Best regards,
John D.


What covers "distribution" requiring release of source code is discussed in the GPL FAQ (link here:http://www.gnu.org/licenses/gpl-faq.html#GPLRequireSourcePostedPublic):

======
Q: Does the GPL require that source code of modified versions be posted to the public? 

A: The GPL does not require you to release your modified version, or any part of it. You are free to make modifications and use them privately, without ever releasing them. This applies to organizations (including companies), too; an organization can make a modified version and use it internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program's users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain ways, and not in other ways; but the decision of whether to release it is up to you.
======

I believe it's generally accepted that distribution to another company is a public release.

My opinion, FWIW, is that you don't need to "send" the source code only make it available on request.  However, depending on how you make the source code available to those you distribute the binaries to affects who may request the source code.  The GPL FAQ states (link here: http://www.gnu.org/licenses/gpl-faq.html#WhatDoesWrittenOfferValid):

======
Q: What does “written offer valid for any third party” mean in GPLv2? Does that mean everyone in the world can get the source to any GPL'ed program no matter what? 

A: If you choose to provide source through a written offer, then anybody who requests the source from you is entitled to receive it.

If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later. When users non-commercially redistribute the binaries they received from you, they must pass along a copy of this written offer. This means that people who did not get the binaries directly from you can still receive copies of the source code, along with the written offer.

The reason we require the offer to be valid for any third party is so that people who receive the binaries indirectly in that way can order the source code from you.
======

Note that the GPL places other requirements on the distributor, e.g. no downstream restrictions.  If you are not familiar with the GPL (or even if you are) you should consult the appropriate legal advisors for your jurisdiction *before* distributing a work covered by the GPL.

The intent of the Wireshark licence is that of the GPL, that is it is Free Software, see the definition from the FSF: https://www.gnu.org/philosophy/free-sw.html


--
Graham Bloice