

Delve Labs forks the now Non-Free WPScan WordPress vulnerability scanner - initnull
https://www.delvelabs.ca/robbed-gunpoint/

======
belorn
There have been some recent changes to the license of wpscan, which is not
obvious from reading the article.

Initially, wpscan was licensed purely under gplv3.

On 26 Sep 2014, the 2.5 release of wpscan changed the license to a self-
described dual-license scheme where noncommercial use could still use GPLv3, and
commercial use had to use a commercial license. GPLv3 permits you to remove
any additional constraints, so the license text and the project's intent clearly
conflict.

Yesterday the license was changed again to a newly created license called
WPScan Public Source License. It is similar to Creative Commons Non-Commercial,
which is commonly defined as a non-free, non-open-source license. It is
incompatible with all versions of the GPL.

~~~
stgraber
Right, and it seems unlikely that either license change happened with consent
from all contributors up to that point, so as the project doesn't have a CLA
and the copyright of the individual contributions remains with their original
authors, those relicensings weren't legal.

------
th0br0
Just looking at the list of contributors, I'm wondering whether they got
permission from each of those to relicense the codebase. (Did they do that
when they "non-commercialized" their vulnerability db? Can't really find a
notion of that in the issue #435)

EDIT: Just saw their "6. Contributions" clause... IANAL but I don't think
that that is enforceable, esp. not without having a CLA.

------
tshtf
What's the issue?

1. Delve Labs has commercial scanners (https://www.delvelabs.ca/warden-scanner/
and https://www.delvelabs.ca/warden-pro/) which bundle wpscan.

2. Delve Labs chose not to pay for the commercial license for wpscan
(https://github.com/wpscanteam/wpscan)

3. Delve Labs clearly falls under the "Commercialization" clause of the new
wpscan license

It seems to me like commercial products that take a free ride on dual-licensed
GPL products should just pay the fee.

~~~
p8952
It seems more like:

1. Delve Labs has commercial scanners which bundle but do not link with
WPScan.

2. WPScan, previously licensed under the GPL, introduce a commercialization
clause in addition to the GPL.

Side Note. WPScan may not have the right to do this because they do not use
copyright attribution. Without this they need permission from everyone who has
ever contributed code to their project.

3. WPScan demand money from Delve Labs.

4. Delve Labs make a fork from a point before WPScan introduced the
commercialization clause. They keep this version licensed under the GPL.

~~~
harwoodr
Yep. I think the WPScan guy doesn't understand how the GPL works... and seems
to think that having a "wrapper" around it for commercial/non-commercial
somehow lets him circumvent the GPL intent.

Forking the code from before the license change is an excellent way to keep
free software free - and yes, I think he'll have to get permission from every
prior contributor before he can legally change the license.

