
Re: "freenginx" open source package and "nginx" from F5 open source, potential conflict?



On Mon, 26 Feb 2024 14:59:48 -0600
Richard Laager <rlaager@debian.org> wrote:

> On 2024-02-26 11:49, Thomas Ward wrote:
> [...]
> 
> So, in effect, Maxim seems to have wanted F5 to either NOT publish a 
> security vulnerability for their commercial product, knowing their 
> customers/users had this code in production, or to issue a CVE for the 
> commercial product but not the underlying OSS project with the exact 
> same code. Neither of those makes any sense to me.
> 

I wanted to believe there was something deeper going on that would eventually
be exposed, but this really seems to be the root of it. One particular
developer was expecting that they'd get to say what is and is not a
vulnerability and they didn't like that reality was different.

In this particular case, the policy that was being followed was extremely clear
and there was very little room for interpretation.

> > So, before I follow through with Debian packaging (which would be 
> > synced to Ubuntu downstream), may I get the opinion of debian-legal on 
> > whether there’s any copyright or trademark violation concerns that 
> > exist before I pursue getting this into Debian?
> >  
> I'm not a lawyer, but it sure seems like an obvious trademark problem to 
> me. In my opinion, Maxim really should pick a brand new name if he's 
> serious about this as an ongoing project.

Everything I've seen so far screams copyright violation. The website even
started as a verbatim copy/paste of the original, with just the logo and name
changed in only a few places. Even now, it's basically just a copy/paste with a
reset feed ... heck, it still has "nginx news" up in the title on the front
page.

At this point, even if they were to find/replace, the proper copyright holder
will have a claim to be made against the squatting that took place.

From my perspective, it sure looks like they're trying to hostilely squat the
name for as long as they can while pushing out a replacement with a similar
name, currently offering nothing but the assurance of fewer CVEs.

This is one hot potato I would recommend staying far away from.
-- 
Michael Lustfield

