[Clamav-devel] GPL license question

Joel Esler (jesler) jesler at cisco.com
Mon Jan 23 09:43:32 EST 2017


I am not a lawyer, nor do I play one on TV.  Our lawyers cannot answer your questions, so I can’t ask them.  So my advice is to seek legal council that you are paying for.

That being said, you must adhere to the gplv2 with ClamAV.  There are several entities right now that we are aware of that are in violation of the GPLv2 for ClamAV.  I cannot comment on any of them.

--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>






On Jan 23, 2017, at 9:26 AM, Mark Allan <markjallan at gmail.com<mailto:markjallan at gmail.com>> wrote:

Sorry to dredge up an old thread, but I'm still curious about this.

Joel, your last two replies seem to indicate that it's OK for commercial, closed-source applications to link against LibClamav - presumably via dynamic linking rather than static linking so as to maintain the distinction between "work that uses the library" and "work based on the library" (as per the LGPL).

That's all well-and-good, but the documentation (clamdoc.pdf) which ships with ClamAV 0.99.2 clearly states the following on page 25:

Libclamav is licensed under the GNU GPL v2 license. This means you are not allowed to link commercial, closed-source software against it. All software using libclamav must be GPL compliant.

So I'm wondering what's the definitive answer - is it legal for all those commercial closed-source applications you refer to to link against LibClamAV even though they're not licensed under the GPL?

If LibClamav is licensed under GPL (as the documentation suggests, and as stated in the source code itself), how are they allowed to do this, and which parts of ClamAV are covered by the LGPL?

Thanks
Mark

On 19 Sep 2016, at 2:06 pm, Joel Esler (jesler) <jesler at cisco.com<mailto:jesler at cisco.com>> wrote:

Who is in charge of the issue = me.

Lots of people make money with ClamAV, millions and millions of dollars a month, and don’t give us a dime, don’t contribute code back, nor do they provide the detection they make back to the community.  But it’s perfectly legal.  Such is the nature with some Open Source products.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com<http://www.talosintelligence.com/> <http://www.talosintelligence.com/>


On Sep 17, 2016, at 9:59 PM, Borough Rumford <lmdekib7 at icloud.com<mailto:lmdekib7 at icloud.com> <mailto:lmdekib7 at icloud.com><mailto:lmdekib7 at icloud.com <mailto:lmdekib7 at icloud.com>>> wrote:

Hi Joel,

You are right. It depends on how you link to clamav. But for this case, It is obvious that "BitMedic" links libclamav  internally and ship it on Mac app store. Those guys make money with clamav, it is unfair for clamav development team and community members. I am wondering who is in charge of this issue in clamav team.


Best Regards,
Patrick

On Sep 17, 2016, at 11:08 am, "Joel Esler (jesler)" <jesler at cisco.com<mailto:jesler at cisco.com> <mailto:jesler at cisco.com><mailto:jesler at cisco.com <mailto:jesler at cisco.com>>> wrote:

I'm not a lawyer. Nor do I play one on TV. But I am the community manager, and I have a lawyer that I ask my questions to, so if I really need to go to him.

That being said.

There are a ton of commercial applications that use Clam. You'd frankly be surprised. I still am. It depends on how you link to clamav. You can use clamav and parse results, things like that.

Where it gets tricky is if you modify code or do internal links to the code. But you can ship clamav packaged with something else, if you do it right. That is possible, yes.

Sent from my iPhone

On Sep 17, 2016, at 1:44 PM, Nibin V M <nibinvm at gmail.com<mailto:nibinvm at gmail.com> <mailto:nibinvm at gmail.com><mailto:nibinvm at gmail.com <mailto:nibinvm at gmail.com>><mailto:nibinvm at gmail.com <mailto:nibinvm at gmail.com>>> wrote:

Good question Patric. I am also noticing bunch of commercial security tools
for web hosting servers, which are directly or indirectly using ClamAV
libs/binaries so far. I have been wondering same because it shouldn't be
use that based on the docs!

On Sat, Sep 17, 2016 at 5:04 PM, Borough Rumford <lmdekib7 at icloud.com<mailto:lmdekib7 at icloud.com> <mailto:lmdekib7 at icloud.com><mailto:lmdekib7 at icloud.com <mailto:lmdekib7 at icloud.com>><mailto:lmdekib7 at icloud.com <mailto:lmdekib7 at icloud.com>>>
wrote:

Hi,

I know clamav is released under GPL license, and third-party commercial
app shouldn't link libclamav.

However I find there is one anti-virus app link libclamav directly and is
published on Mac app store.

This app is
https://itunes.apple.com/us/app/bitmedic-antivirus-malware/
id1001746820?mt=12

Below is otool result of BitMedic binary otool -L BitMedic
BitMedic:

/System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement
(compatibility version 1.0.0, current version 559.20.9)

@rpath/libclamav.6.dylib (compatibility version 8.0.0, current version
8.25.0)

/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version
168.0.0)

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
(compatibility version 300.0.0, current version 1153.20.0)

/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version
228.0.0)

/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version
120.0.0)

/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version
1213.0.0)

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
(compatibility version 45.0.0, current version 1347.57.0)

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
(compatibility version 150.0.0, current version 1153.18.0)

/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
(compatibility version 64.0.0, current version 600.0.0)

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
(compatibility version 1.0.0, current version 62.0.0)

/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
(compatibility version 1.2.0, current version 1.10.0)

/System/Library/Frameworks/Security.framework/Versions/A/Security
(compatibility version 1.0.0, current version 57031.20.26)

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
(compatibility version 1.0.0, current version 699.1.5)



I want to know if this way used by Bitmedic is legal and other developers
can also use clamav directly in their commercial app.



Best Regards,
Patric
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml




--
Regards....

Nibin.

http://TechsWare.in
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html <http://lurker.clamav.net/list/clamav-devel.html>
Please submit your patches to our Bugzilla: http://bugs.clamav.net<http://bugs.clamav.net/> <http://bugs.clamav.net/>

http://www.clamav.net/contact.html#ml <http://www.clamav.net/contact.html#ml>
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net<http://bugs.clamav.net/>

http://www.clamav.net/contact.html#ml



More information about the clamav-devel mailing list