[Openvas-distro-deb] Future of OpenVAS plugins in Debian

Joey Schulze joey at infodrom.org
Mon Oct 26 16:31:18 CET 2009


The Debian project (and the Free Software community) requires code to
be legally free to be included in the distribution (and upstream
tarballs respectively).  OpenVAS has been created in order to create a
free vulnerability assessment system.

As discussed a few times before there are some problems with plugins /
scripts whose copyright is unclear.  Although they have been imported
from a tarball for which the GPLv2 has been assigned as license, some
files contain notices to other licenses and/or no copyright notices.
This is a problem - at least for the Debian project.

There are some approaches to solve this dilemma:

 a) Review all scripts, fix missing copyright notes, remove non-free
    ones, commit and re-package

 b) Don't distribute any scripts in Debian at all but provide a
    sync script instead that will download all scripts from the online
    repository

 c) Divide scripts into dfsg-free and non-free scripts, adding all to
    the non-free package, and moving them to the free package peu à
    peu.  New free scripts will be added to the free package.


Variant a) is quite time consuming at one time.

Variant b) has the disadvantage to only have non-functional versions
of OpenVAS packaged for Debian (and derivatives).  The underlying
problem isn't solved either but only moved to the OpenVAS problem.

Variant c) has the disadvantage that - for a while at least - OpenVAS
in Debian is only usable with non-free packages.  However, the
advantage would be that the review process doesn't need to happen for
all scripts at the same time and can be done whenever a developer has
some spare time to kill.

In my opinion Debian should provide packages containing OpenVAS
plugins for the benefit of our users.  Even if the package in stable
won't be up-to-date with the repository we would be able to provide a
fully fledged and working version of OpenVAS users can install.  Thus,
I believe option c) is the best we can do for Debian.

Providing a method to automatically update local scripts from the
online OpenVAS repository would be another advantage.  We can't rely
on a working Internet connection per se, but if it is available it can
be used, of course.  Such a working update script would be an
advantage in all cases.

Regards,

	Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Please always Cc to me when replying to me on the lists.


