[framework] Creating a debian package for metasploit.

Tim Brown tmb at 65535.com
Mon Dec 17 05:38:56 CST 2007


On Monday 17 December 2007 10:55:57 gaurav chaturvedi wrote:
> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323420
>
> Oh this is sad indeed, but the dual license should be void now since
> MSF doesn't use Perl. In any case there should be enough room for
> metasploit under the extra/restricted packages.
>  We can package MSF and create our own unofficial repository. If we are
> up for it, I volunteer to create the package/maintain this as a
> package.

From Metasploit Framework License v1.2 
(http://www.metasploit.com/projects/Framework/msf3/download.html):

"3. The license granted in Section 2 is expressly made subject to and 
limited by the following restrictions: 

a. You may only distribute, publicly display, and publicly perform 
unmodified Software. Without limiting the foregoing, You agree to 
maintain (and not supplement, remove, or modify) the same copyright, 
trademark notices and disclaimers in the exact wording as released by 
Developer. "

I believe that packaging it for Ubuntu and Debian would violate this clause.  
Moreover, the restriction breaks Debian's free software guidelines 
(http://www.debian.org/social_contract, DFSG clauses 3 and 4):

"3. Derived Works
The license must allow modifications and derived works, and must allow them to 
be distributed under the same terms as the license of the original software.

4. Integrity of The Author's Source Code
The license may restrict source-code from being distributed in modified form 
_only_ if the license allows the distribution of patch files with the source 
code for the purpose of modifying the program at build time. The license must 
explicitly permit distribution of software built from modified source code. 
The license may require derived works to carry a different name or version 
number from the original software. (This is a compromise. The Debian group 
encourages all authors not to restrict any files, source or binary, from 
being modified.)"

Ubuntu developers approached Metasploit with regard to getting changes made to 
the Metasploit license which would allow version 3 of the framework to be 
packaged, and the results of this conversation were made available in the bug 
#102212 filed on launchpad (https://bugs.launchpad.net/ubuntu/+bug/102212).

It might be possible to work around it à la make-jpkg but it looks like work to 
package it has stalled for now.  It would not AFAIK be possible to distribute 
legally any .deb of Metasploit Framework v3 as things stand.

Tim

NB, I am a Debian maintainer, but I'm not talking as one on this occasion - 
these are just my personal thoughts :).
-- 
Tim Brown
<mailto:tmb at 65535.com>


