Re: [Clamav-devel] GPL license question

2017-01-23 Thread Joel Esler (jesler) 
I am not a lawyer, nor do I play one on TV.  Our lawyers cannot answer your 
questions, so I can’t ask them.  So my advice is to seek legal council that you 
are paying for.

That being said, you must adhere to the gplv2 with ClamAV.  There are several 
entities right now that we are aware of that are in violation of the GPLv2 for 
ClamAV.  I cannot comment on any of them.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 23, 2017, at 9:26 AM, Mark Allan 
> wrote:

Sorry to dredge up an old thread, but I'm still curious about this.

Joel, your last two replies seem to indicate that it's OK for commercial, 
closed-source applications to link against LibClamav - presumably via dynamic 
linking rather than static linking so as to maintain the distinction between 
"work that uses the library" and "work based on the library" (as per the LGPL).

That's all well-and-good, but the documentation (clamdoc.pdf) which ships with 
ClamAV 0.99.2 clearly states the following on page 25:

Libclamav is licensed under the GNU GPL v2 license. This means you are not 
allowed to link commercial, closed-source software against it. All software 
using libclamav must be GPL compliant.

So I'm wondering what's the definitive answer - is it legal for all those 
commercial closed-source applications you refer to to link against LibClamAV 
even though they're not licensed under the GPL?

If LibClamav is licensed under GPL (as the documentation suggests, and as 
stated in the source code itself), how are they allowed to do this, and which 
parts of ClamAV are covered by the LGPL?

Thanks
Mark

On 19 Sep 2016, at 2:06 pm, Joel Esler (jesler) 
> wrote:

Who is in charge of the issue = me.

Lots of people make money with ClamAV, millions and millions of dollars a 
month, and don’t give us a dime, don’t contribute code back, nor do they 
provide the detection they make back to the community.  But it’s perfectly 
legal.  Such is the nature with some Open Source products.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com 



On Sep 17, 2016, at 9:59 PM, Borough Rumford 
 
>> wrote:

Hi Joel,

You are right. It depends on how you link to clamav. But for this case, It is 
obvious that "BitMedic" links libclamav  internally and ship it on Mac app 
store. Those guys make money with clamav, it is unfair for clamav development 
team and community members. I am wondering who is in charge of this issue in 
clamav team.


Best Regards,
Patrick

On Sep 17, 2016, at 11:08 am, "Joel Esler (jesler)" 
 
>> 
wrote:

I'm not a lawyer. Nor do I play one on TV. But I am the community manager, and 
I have a lawyer that I ask my questions to, so if I really need to go to him.

That being said.

There are a ton of commercial applications that use Clam. You'd frankly be 
surprised. I still am. It depends on how you link to clamav. You can use clamav 
and parse results, things like that.

Where it gets tricky is if you modify code or do internal links to the code. 
But you can ship clamav packaged with something else, if you do it right. That 
is possible, yes.

Sent from my iPhone

On Sep 17, 2016, at 1:44 PM, Nibin V M 
 
>>> wrote:

Good question Patric. I am also noticing bunch of commercial security tools
for web hosting servers, which are directly or indirectly using ClamAV
libs/binaries so far. I have been wondering same because it shouldn't be
use that based on the docs!

On Sat, Sep 17, 2016 at 5:04 PM, Borough Rumford 
 
>>>
wrote:

Hi,

I know clamav is released under GPL license, and third-party commercial
app shouldn't link libclamav.

However I find there is one anti-virus app link libclamav directly and is
published on Mac app store.

This app is
https://itunes.apple.com/us/app/bitmedic-antivirus-malware/
id1001746820?mt=12

Below is otool result of BitMedic binary otool -L BitMedic
BitMedic:

/System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement
(compatibility version 1.0.0, current version 559.20.9)

@rpath/libclamav.6.dylib (compatibility version 8.0.0, current version
8.25.0)

/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version
168.0.0)

Re: [Clamav-devel] GPL license question

2017-01-23 Thread Mark Allan 
Sorry to dredge up an old thread, but I'm still curious about this.

Joel, your last two replies seem to indicate that it's OK for commercial, 
closed-source applications to link against LibClamav - presumably via dynamic 
linking rather than static linking so as to maintain the distinction between 
"work that uses the library" and "work based on the library" (as per the LGPL).

That's all well-and-good, but the documentation (clamdoc.pdf) which ships with 
ClamAV 0.99.2 clearly states the following on page 25:

> Libclamav is licensed under the GNU GPL v2 license. This means you are not 
> allowed to link commercial, closed-source software against it. All software 
> using libclamav must be GPL compliant.

So I'm wondering what's the definitive answer - is it legal for all those 
commercial closed-source applications you refer to to link against LibClamAV 
even though they're not licensed under the GPL?

If LibClamav is licensed under GPL (as the documentation suggests, and as 
stated in the source code itself), how are they allowed to do this, and which 
parts of ClamAV are covered by the LGPL?

Thanks
Mark

> On 19 Sep 2016, at 2:06 pm, Joel Esler (jesler)  wrote:
> 
> Who is in charge of the issue = me.
> 
> Lots of people make money with ClamAV, millions and millions of dollars a 
> month, and don’t give us a dime, don’t contribute code back, nor do they 
> provide the detection they make back to the community.  But it’s perfectly 
> legal.  Such is the nature with some Open Source products.
> 
> --
> Joel Esler
> Manager
> Talos Group
> http://www.talosintelligence.com 
> 
> 
> On Sep 17, 2016, at 9:59 PM, Borough Rumford   >> wrote:
> 
> Hi Joel,
> 
> You are right. It depends on how you link to clamav. But for this case, It is 
> obvious that "BitMedic" links libclamav  internally and ship it on Mac app 
> store. Those guys make money with clamav, it is unfair for clamav development 
> team and community members. I am wondering who is in charge of this issue in 
> clamav team.
> 
> 
> Best Regards,
> Patrick
> 
> On Sep 17, 2016, at 11:08 am, "Joel Esler (jesler)"  >> 
> wrote:
> 
> I'm not a lawyer. Nor do I play one on TV. But I am the community manager, 
> and I have a lawyer that I ask my questions to, so if I really need to go to 
> him.
> 
> That being said.
> 
> There are a ton of commercial applications that use Clam. You'd frankly be 
> surprised. I still am. It depends on how you link to clamav. You can use 
> clamav and parse results, things like that.
> 
> Where it gets tricky is if you modify code or do internal links to the code. 
> But you can ship clamav packaged with something else, if you do it right. 
> That is possible, yes.
> 
> Sent from my iPhone
> 
> On Sep 17, 2016, at 1:44 PM, Nibin V M   > >> wrote:
> 
> Good question Patric. I am also noticing bunch of commercial security tools
> for web hosting servers, which are directly or indirectly using ClamAV
> libs/binaries so far. I have been wondering same because it shouldn't be
> use that based on the docs!
> 
> On Sat, Sep 17, 2016 at 5:04 PM, Borough Rumford   > >>
> wrote:
> 
> Hi,
> 
> I know clamav is released under GPL license, and third-party commercial
> app shouldn't link libclamav.
> 
> However I find there is one anti-virus app link libclamav directly and is
> published on Mac app store.
> 
> This app is
> https://itunes.apple.com/us/app/bitmedic-antivirus-malware/
> id1001746820?mt=12
> 
> Below is otool result of BitMedic binary otool -L BitMedic
> BitMedic:
> 
> /System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement
> (compatibility version 1.0.0, current version 559.20.9)
> 
> @rpath/libclamav.6.dylib (compatibility version 8.0.0, current version
> 8.25.0)
> 
> /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version
> 168.0.0)
> 
> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
> (compatibility version 300.0.0, current version 1153.20.0)
> 
> /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version
> 228.0.0)
> 
> /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version
> 120.0.0)
> 
> /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version
> 1213.0.0)
> 
> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
> (compatibility version 45.0.0, current version 1347.57.0)
> 
>