
Nessus Closes Source

CmdrTaco posted more than 8 years ago | from the say-it-ain't-so dept.

Security 394

JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because it's competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.


394 comments


GPL Considered Dangerous? (4, Informative)

(1+-sqrt(5))*(2**-1) (868173) | more than 8 years ago | (#13734137)

To that end, I've become an early adopter of the Artistic License 2.0 [perl.org] , Perl 6's upcoming license. From the preamble:
This copyright license states the terms under which a given free software Package may be copied, modified and/or redistributed, while the Originator(s) maintain some artistic control over the future development of that Package (at least as much artistic control as can be given under copyright law while still making the Package open source and free software).

GPL Kool-aid (1, Interesting)

Liselle (684663) | more than 8 years ago | (#13734142)

"A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that."
Call me crazy, but since they can close the source, doesn't that mean they can release the source under a license that doesn't have this loophole? Barring that, they can roll their own. I guess maybe this is some kind of "magic loophole" that their lawyers are powerless to prevent.
"...they were reaping no benefit from using the GPL."
Free as in beer is cool and all that, but if one excuse for dumping GPL is that they aren't getting any benefits in the way of free code, I guess they weren't really drinking the Kool-aid in the first place, eh?

Re:GPL Kool-aid (5, Insightful)

Mr. Underbridge (666784) | more than 8 years ago | (#13734179)

Free as in beer is cool and all that, but if one excuse for dumping GPL is that they aren't getting any benefits in the way of free code, I guess they weren't really drinking the Kool-aid in the first place, eh?

That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.

I agree, though, they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.

Re:GPL Kool-aid (2, Informative)

Philip K Dickhead (906971) | more than 8 years ago | (#13734244)

It is a plot.

Along with the MOSSAD acquisition of Snort/Sourcefire.

Free as in Kool-aid (5, Funny)

Thud457 (234763) | more than 8 years ago | (#13734473)

Is this Kool-aid free as in beer or free as in openCola?

Re:GPL Kool-aid (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13734267)

they kept giving and the competition kept taking. The community didn't give back.

Heh, every once in a while I think, "I should really contribute something to the OSS community because their efforts have helped my business so much." It's usually followed by, "Nah, I need to concentrate on keeping my business alive."

Re:GPL Kool-aid (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13734280)

The problem there is that there's no way to police compliance in an effective manner with the vast number of places trying to sell their own network scanning box.

I applaud Tenable Security for making a decision to support a business model that works instead of one that doesn't.

The choice was probably about cost... (4, Insightful)

lullabud (679893) | more than 8 years ago | (#13734374)

Choice 1) Pay (a likely non-existent) legal team huge amounts of cash to come up with a new license that is legally sound in all of the respects that need to be accounted for in their position.

Choice 2) Close source code.

Seems to make sense to me...

Re:GPL Kool-aid (1, Insightful)

johnnyb (4816) | more than 8 years ago | (#13734427)

I think that they never understood the _point_ of free software. The point of free software is not the $0 price tag, it is the _freedom_ that it brings. It isn't shared access to the CVS repository, it is the freedom for the customer to be independent of the vendor.

Let's look at a better compromise in terms of the _actual_ goals of the GPL:

1) keep the CVS repository to yourself
2) never give out the software for free, EVER
3) primarily provide the software as part of a larger turn-key system
4) keep the GPL license

This means that no matter what, their competition is ALWAYS a step behind them release-wise. It also means that their competition is a paying customer. This means, if the ripper-offers are still causing them trouble, they can just up the price -- after all, it would wind up that the ripper-offers would be the ones paying, not the end customers, so they would be paying for development, not software.

Basically, it is not free-software nor the GPL to blame necessarily, but free software done stupidly.

Re:GPL Kool-aid (1)

eric76 (679787) | more than 8 years ago | (#13734434)

they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.

Kind of like Trolltech's license approach for Qt.

Re:GPL Kool-aid (5, Insightful)

massysett (910130) | more than 8 years ago | (#13734467)

I suppose everyone is entitled to his understanding of the purpose of the GPL, but it was not my understanding that the GPL is about having a community make free improvements to one's software. My understanding is that the GPL is about giving users freedoms, not about community giveback. The FSF [gnu.org] seems to agree.

The FSF says nothing about the GPL and community giveback. It says only that the GPL exists to give users freedoms to use and modify software. Indeed, "The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity." (emphasis mine)

Re:GPL Kool-aid (0)

Anonymous Coward | more than 8 years ago | (#13734511)

The take, take, take thing is what IBM were doing with OpenOffice which is exactly why Sun dropped the SISSL license. Oh, am I allowed to say that IBM steal?

Re:GPL Kool-aid (1)

Arandir (19206) | more than 8 years ago | (#13734214)

I don't understand why they can't go the Aladdin route, and GPL their old versions while keeping the new cutting edge stuff proprietary.

Re:GPL Kool-aid (1)

exi1ed0ne (647852) | more than 8 years ago | (#13734241)

They are. Nessus 2.X will remain under the GPL.

Re:GPL Kool-aid (1)

Cheapy (809643) | more than 8 years ago | (#13734253)

"Free as in beer is cool and all that, but if one excuse for dumping GPL is that they aren't getting any benefits in the way of free code, I guess they weren't really drinking the Kool-aid in the first place, eh?"

Or maybe they simply took the advice of Slashdot, the advice that is often given whenever a company sees no use in releasing their software under the GPL or a similar license, that if you release it, people will help add to it. It being open source doesn't mean people will help update it.

Obviously, this was not the case with this company, and if their competitors were just taking the code and using that, they would be losing far more than they were gaining by releasing the source code as well.

Re:GPL Kool-aid (1)

chronicon (625367) | more than 8 years ago | (#13734448)

Loophole? That is such a funny choice of words for rationalizing the switch away from the GPL. Tell me they didn't know when they released the initial versions of their code under the GPL that other folks could and would "repackage" it (I suppose that means, in one case, including it with any number of distros).

This is no "loophole", this is the GPL. Free as in speech, free as in beer, free...

Whining about it years later because you're not getting rich off it doesn't really seem like an honest answer to the question, why close the source, does it?

As long as everyone who contributed to the code over the years is cool with changing the license to closed-source then go for it--but don't play it off like it's the community's fault that your company isn't listed in the Fortune 500. Right?

MySQL maintains a dual-licensed scheme and it seems to work fine for them. Dansguardian does something similar. What's the problem here?

Domain name spoofing alert! (-1)

Anonymous Coward | more than 8 years ago | (#13734143)

The story actually comes from com.com pretending to be news.com.

Re:Domain name spoofing alert! (1)

uid0mako (683312) | more than 8 years ago | (#13734310)

com.com is registered to CNET networks. Same as news.com.....

Re:Domain name spoofing alert! (0)

daniel_mcl (77919) | more than 8 years ago | (#13734321)

A quick whois confirms that news.com and com.com are both owned by C|NET. Nothing to see here, folks.

Re:Domain name spoofing alert! (1)

sqlrob (173498) | more than 8 years ago | (#13734325)

That's pretending like slashdot.com is pretending to be slashdot.org.

Re:Domain name spoofing alert! (0)

Anonymous Coward | more than 8 years ago | (#13734508)

Or like goat.cx pretending to be goatse.cx

That Should Be (1, Funny)

TubeSteak (669689) | more than 8 years ago | (#13734144)

That should be the GNU/OSS community
/End Joke

time to spoon! (2, Funny)

Anonymous Coward | more than 8 years ago | (#13734145)

No, fork.

Maybe we can see... (1)

Zebra_X (13249) | more than 8 years ago | (#13734156)

How well an OSS product fares as a closed source product. Bets are on: better or worse a year from now?

Definitely worse (1)

codergeek42 (792304) | more than 8 years ago | (#13734258)

1. They get no more free code, since people can't hack on it and improve it for themselves. 2. It's less secure (possibly), as fewer people have access to the source code to patch/fix it as bugs and holes occur.

Re:Definitely worse (2, Informative)

negative3 (836451) | more than 8 years ago | (#13734394)

I'm not trying to start an argument, but from TFA: "The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license. 'Virtually nobody has ever contributed anything to improve the scanning engine over the last six years,' he wrote, noting that there had been minor exceptions."

1. They get no more free code, since people can't hack on it and improve it for themselves. It appears that this has been the case for the last 6 years. Maybe the switch away from the GPL would cause people who only improve it for themselves to say "Hey, I'll participate if you let me back in!" If the people who actually do play with the source code keep the modifications to themselves, then the company might see little to no change in a year because they apparently weren't benefiting much from being open source anyway.

Re:Maybe worse (1)

shmlco (594907) | more than 8 years ago | (#13734444)

OTOH, according to them, they're getting none of those benefits now.

In a sense, many of the potential benefits of open source are just that, "potential" benefits. People say that the code is more secure if more people look at it, and better if improved and patched... but that assumes that other people do look at it, do make improvements, do fix bugs, and do return those improvements.

But the fact remains there are a lot of open source projects and a finite number of people with the time and the ability to perform those actions...

Re:Maybe we can see... (1)

exi1ed0ne (647852) | more than 8 years ago | (#13734284)

I can't see how distributing binary only will help them, as opposed to a non-business use only license change. It'll be very interesting to see where this goes from here.

Better (1)

sterno (16320) | more than 8 years ago | (#13734445)

They weren't getting any notable contributions from the community so they don't lose anything there. On the other hand, if they can eliminate their competition they can make more money, hire more developers, etc.

No money to be made out of free software (0)

Anonymous Coward | more than 8 years ago | (#13734160)

News at 11!

hmm (1, Interesting)

epiphani (254981) | more than 8 years ago | (#13734173)

They can't go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that haven't agreed to the new license... If Linus wanted to close-source Linux all of a sudden, he couldn't do it either.

So.. are they ripping everything else out, or are they rewriting from scratch?

And obviously, the existing version can't be relicensed either. The latest release under the GPL is stuck there from now until forever.

Re:hmm (5, Informative)

Nichotin (794369) | more than 8 years ago | (#13734227)

People haven't contributed anything special to the scanning engine. They would have to strip that out, but as already mentioned, it was no biggie. They hold the rest of the copyright, and are legally allowed to change the licence, but they cannot restrict any usage of previously released source code.

Re:hmm (1)

mewsenews (251487) | more than 8 years ago | (#13734251)

one part of their argument is that they've received negligible code contributions, so ripping out third-party code doesn't seem like it will be a problem for them.

Re:hmm (4, Insightful)

jsight (8987) | more than 8 years ago | (#13734252)

I think the presumption is that one of the following is taking place:

  • There were no external contributors - Nothing needs to be done... just release the new version under the new license.
  • There were external contributors, who signed over copyrights - If all external contributors signed their copyrights over to Nessus (as is the policy for contributors to some products), then they would already own all copyrights.
  • There were significant contributions by external contributors, who did not sign over copyrights - They would have substantial rewriting to do.
From their indication that they haven't seen any significant help in six years, we can presume that the third possibility is unlikely.

And, of course, old versions will still remain under the GPL (happily).

Re:hmm (4, Insightful)

Vellmont (569020) | more than 8 years ago | (#13734265)


They cant go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that havent agreed to the new license... If linus wanted to close-source linux all the sudden, he couldnt do it either.

That's actually not true at all. They still own the code, the GPL is a license, not relinquishing ownership. What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write since it's licensed under the GPL and doesn't belong to them.

And obviously, the existing version cant be relicensed either. The latest release under the GPL is stuck there from now until forever.

They can't relinquish the license of course. Anyone that wants to take that code and maintain it themselves is obviously free to do so.

Re:hmm (1)

epiphani (254981) | more than 8 years ago | (#13734369)

That's actually not true at all. They still own the code, the GPL is a license, not relinquishing ownership. What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write since it's licensed under the GPL and doesn't belong to them.

hum.. isn't that exactly what I just said? "remove any code from parties that haven't agreed to the new license"..

Maybe I'm just sour for getting modded flamebait and I'm missing something, but I would swear that was almost exactly what I said.

Re:hmm (1)

nanop (155318) | more than 8 years ago | (#13734266)

As long as they have the permission of all of the copyright holders, they are free to license future versions under whatever terms they choose. As they claim to have received little help from the OSS community, perhaps it won't be hard for them to gather the required rights.

As for the last GPL'd version, it has to remain GPL'd, but could be dual-licensed with the same permission requirements.

Re:hmm (1)

Saeed al-Sahaf (665390) | more than 8 years ago | (#13734271)

What is stopping them from re-writing it in form but not function? The GPL is a copyright, they could make very quick work of reformatting the code, yes?

Re:hmm (2, Insightful)

DaHat (247651) | more than 8 years ago | (#13734301)

The GPL is a copyright

No, the GPL is a license with which a copyright owner can enforce their copyright on said code.

Reformatting doesn't help... (1)

Svartalf (2997) | more than 8 years ago | (#13734318)

Already a raftload of precedents in the Courts that show that this is the case. Reformatting the source code doesn't change the literary work in a sufficient way to count as a separate work.

I imagine (1)

Lifewish (724999) | more than 8 years ago | (#13734273)

that they've done the QT thing and made sure they have copyright to their entire codebase (not hard if, as they claim, the FOSS community hasn't been contributing much). Then they can take their codebase, add to it and rerelease under a closed license. You're right that they can't do anything about the stuff that's already in the open tho.

This is only a dodgy strategy if anyone *has* been contributing, and didn't turn their copyrights over to TNS. Anyone gonna put their hand up here?

Re:hmm (1)

pmike_bauer (763028) | more than 8 years ago | (#13734281)

If Nessus, as they pointed out, has received little or no outside contributions, then they still maintain the copyright to their code. They can do with it as they choose. If they wish to release new versions of their software sans GPL, then that is their choice. Neither you nor I could do that since we don't own the copyright.

Re:hmm (4, Informative)

Jeff DeMaagd (2015) | more than 8 years ago | (#13734285)

I think you misunderstand. It is their program. The owner of the program can have multiple licences. The GPL gives non-owners specific rights and specific requirements, none of those licences necessarily have the same effect on the owner as it does the user.

While they can't "take back" the versions that are already out there, but the copyright owners themselves can make a variation and not release the source of the variation.

Re:hmm (1)

delire (809063) | more than 8 years ago | (#13734286)

Unless they rewrite the app from scratch,..
How would we know otherwise?

Re:hmm (1)

dtfinch (661405) | more than 8 years ago | (#13734289)

Sure they can. They own the copyright to at least the portions they developed. They can't prevent you from forking the GPL'd releases, but they can do with it as they please. As for code contributed from other authors, all they have to do is remove it or get permission. Some GPL project maintainers even require copyright assignment to accept patches from the community, giving them the ability to relicense the whole thing as they please without asking any other contributors.

Re:hmm (1)

larry bagina (561269) | more than 8 years ago | (#13734312)

Sourceforge didn't have any problem converting from GPL to closed source. It's impractical for Linux, since there are many contributors, and none of them assigned their copyright (official GNU projects require contributors to sign a release). If you read the story description at the top of the page, you'd see that they had very few outside contributions.

Yes they can (2, Informative)

sterno (16320) | more than 8 years ago | (#13734326)

Keep in mind that the GPL is assigning a license, not the copyright itself. The original copyright owner on any copyrighted code can assign a new license to the code at any time. So long as all code that was contributed has had its copyright assigned to them, they can do what they want. Otherwise they'd either have to obtain copyrights to that code now or gut that code from the product.

Its (0, Offtopic)

Radak (126696) | more than 8 years ago | (#13734176)

"The problem appears to be that Tenable Network Security... isn't making money because it's competition is simply repackaging their product."

It's means "it is." Possessive pronouns in English do not have apostrophes (with the unfortunate exception of one's). You meant to say its.

See Wikipedia [wikipedia.org] .

Re:Its (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#13734298)

You meant to say its.

Surely you mean that he meant to type "its."

There is a point at which this sort of nit-picking is useless. If you understand what the originally writer was trying to express, then they have succeeded. I don't think most people care to have minor spelling/grammar errors pointed out (unless they are funny). Feel free to point out any errors I make though, as I am trying to develop better habits.

Re:Its (1)

Radak (126696) | more than 8 years ago | (#13734382)

Feel free to point out any errors I make though, as I am trying to develop better habits.

Since you asked...

If you understand what the originally writer was trying to express, then they have succeeded.

If we're being pedantic, which I've obviously established I can be, "they" is a third person plural pronoun, and you've attached it to a singular subject, "the writer."

Unfortunately, English lacks an appropriate neuter pronoun, and so in the name of political correctness, this misuse of the plural pronoun has come into common usage to avoid the non-PC (but technically correct) "his" (which is technically the neuter pronoun in English) or the more unwieldy "his or her."

Sorry. My mommy was an English teacher. I can't help it.

Re:Its (1)

Radak (126696) | more than 8 years ago | (#13734418)

Christ. Is my face red? I said "his" and "his or her" when I meant to say "he" and "he or she." I've switched possessive on myself. Mea culpa.

Re:Its (0)

Anonymous Coward | more than 8 years ago | (#13734420)

You meant to say its.

Surely you mean that he meant to type "its."

Surely you mean that he meant to type its?

Re:Its (headline article to diff standards) (1)

Maxo-Texas (864189) | more than 8 years ago | (#13734465)

I would hold a headline or article to different standards than I hold a casual poster to.

---

I think "to say" is okay grammar in this context. Message boards are similar to talking as much as they are to typing. In any case, it would probably be "to write" instead of "to type" tho I lack the grammatical sophistication to tell you why.

Since you asked...
You typed:
If you understand what the originally writer
Which would be
If you understand what the original writer (no ly)

You probably don't need "have". Succeeded is past tense anyway.

then they have succeeded. (then they succeeded).

Could probably argue that you would "develop better writing habits" instead of just "better habits" (what kind of habits?).

Oh... and 2 spaces after periods (... funny). Feel free...)

It is a lot easier to read text with 2 spaces. Using one space makes the writing run together. It all seems like the same sentence. The extra space makes the text easier to read. So I always use two spaces except in this paragraph.

---

The most annoying problems out there for me right now are...
LOOSE used instead of LOSE. (I win! You loose!)
ROUGE used instead of ROGUE. (He was quite a rouge, stealing!)
TO instead of TOO. (It was to much. He went to far.)
Not using paragraphs (I usually just skip these rather than try to parse out what they are saying).

---
I agree with your basic point that grammar comments are usually unproductive and even unreasonable. I wouldn't have commented on your post but for what you asked (hehehe).

Re:Its (0)

Anonymous Coward | more than 8 years ago | (#13734510)

>> You meant to say its.

> Surely you mean that he meant to type "its."

> Feel free to point out any errors I make though,
> as I am trying to develop better habits.

OK... You must have meant that he meant that the original poster meant to type "its". Since the "its" in question doesn't end the sentence, it's not followed by a ".".

"It is a damn poor mind indeed which can't think of at least two ways to spell any word." -- Andrew Jackson

And stop calling me "Shirley".

Proper English (1)

totallygeek (263191) | more than 8 years ago | (#13734437)

It's means "it is."


Whom....cares?!?!

Re:Its (1)

MightyYar (622222) | more than 8 years ago | (#13734486)

Thanx, cheif.

Competitors (4, Funny)

SpaceAdmiral (869318) | more than 8 years ago | (#13734181)

If their competitors were just repackaging their software, they should have put some massive bugs in it.

Re:Competitors (1)

caseydk (203763) | more than 8 years ago | (#13734399)


Maybe there are... and they're going to fix them for v3 and share all the details of the v2 bugs.

And all those companies would be scrambling since they didn't write it in the first place and therefore probably have little understanding of the underlying code.

Doesn't seem right (1)

Eugene Webby (891781) | more than 8 years ago | (#13734183)

OK, change your license so your competitors can't repackage your stuff and publish the source anyway. Nah, they just blame the GPL instead of saying "we don't want to show our source anymore".

nessus is dead, long live gnessus? (5, Interesting)

nanop (155318) | more than 8 years ago | (#13734192)

So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".

Re:nessus is dead, long live gnessus? (1)

mysqlrocks (783488) | more than 8 years ago | (#13734288)

He raised the possibility that the community could "fork" version 2 of the software--that is, start developing a divergent version of Nessus from the one officially supported by Tenable.

It would be interesting if this happens. It would certainly make the developer's statement in need of a second look (the statement above was not the developer's statement):
The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.

So, if it does fork and the open source fork gets a lot of development that would mean one of two things. Either the developer is understating the community involvement or he wasn't that good at drumming up interest in community involvement.

Re:nessus is dead, long live gnessus? (1, Flamebait)

Deven (13090) | more than 8 years ago | (#13734414)

Either the developer is understating the community involvement or he wasn't that good at drumming up interest in community involvement.

Or maybe the community couldn't give a damn about helping until it's an underdog project competing against an evil proprietary product? Some people are more motivated by zealotry than improving the world...

Re:nessus is dead, long live gnessus? (3, Funny)

dekemoose (699264) | more than 8 years ago | (#13734307)

So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community? Good luck with that.

Re:nessus is dead, long live gnessus? (4, Interesting)

robla (4860) | more than 8 years ago | (#13734514)

> So a project which was getting very little contribution from the OSS community is going to be forked into a different project that will get all sorts of support from the OSS community?

Yup. Funny how that works. It happened that way with SourceForge/GForge. It sorta happened with NCSA httpd -> Apache. Probably a handful of other examples out there.

It'll probably evolve from the needs of the Debian package maintainer needing an "upstream" [debian.org] for security patches, etc. Or maybe Gentoo, Fedora, etc. You get the idea. I use Debian as an example because they'll need something that continues to satisfy the DFSG [debian.org] . Thus, if Nessus is still going to remain, it'll eventually need to be updated.

So what's left?? (5, Interesting)

eno2001 (527078) | more than 8 years ago | (#13734203)

SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.

Re:So what's left?? (3, Informative)

Kelson (129150) | more than 8 years ago | (#13734305)

SARA [www-arc.com] (Security Auditor's Research Assistant) is based on the old SATAN design.

Moral of this Story and Nmap Response (5, Informative)

fv (95460) | more than 8 years ago | (#13734504)

I responded [seclists.org] for the Nmap Security Scanner [insecure.org] project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.

I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest [seclists.org] a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.

-Fyodor [insecure.org]

thus exploiting a loophole in the GPL. (4, Insightful)

temojen (678985) | more than 8 years ago | (#13734210)

Or rather, using the GPL as it was intended, to prevent vendor lock-in.

Fork (0)

Anonymous Coward | more than 8 years ago | (#13734218)

So... who will be setting up a fork?

Fork? (3, Interesting)

bcmm (768152) | more than 8 years ago | (#13734223)

This sort of thing almost always results in someone making a fork. Is there really so little OSS involvement that a GPL fork (from the most recent GPL version) would not be able to compete with the closed app?

Well, this has been coming for some time... (5, Interesting)

cowbutt (21077) | more than 8 years ago | (#13734225)

As someone who encouraged a former employer to pay for a Nessus support contract when it was voluntary, someone who personally contributed a minor enhancement to the engine, and as someone who actually used Nessus professionally (i.e. manually verifying the results it gave, rather than selling the reports as-is to customers), I've been pretty disgusted by the way competitors have abused Renaud's generosity.

Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.

Hardly a "loophole" (4, Informative)

spitzak (4019) | more than 8 years ago | (#13734233)

The "loophole" is an intended result of the GPL. Since this is its purpose it makes no sense to call it a "loophole" whether you like or dislike the GPL.

In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.

Re:Hardly a "loophole" (1)

HardCase (14757) | more than 8 years ago | (#13734388)

Equating "being able to see the source" with "GPL" is a bit of FUD.

Not at all - the GPL requires that they provide the source to anyone who purchases the software. It's one of the key components of the GPL.

Other than improvements to the software, I assume that the other key benefit to making the source code available is for many eyes to see it to provide security and functional updates. But if all that's happening to the source is that competitors are taking it and repackaging it under another name and nobody is actually updating the software (other than the licensor), then why release it under the GPL? I'm as utopian-minded as the next guy - I'd like to see everyone benefit from software, but it seems that in this case everyone except the licensor is benefiting. That doesn't seem so right.

-h-

Perhaps "Unintended consequence" (1)

sterno (16320) | more than 8 years ago | (#13734393)

It's not a loophole, but it's quite clear that it's not what they thought they were getting into. Ultimately the benefit of the GPL to a business is being able to share the development cost. IBM is only paying for a portion of Linux as is RedHat, etc. Thus their ultimate cost is lower for the product they deliver.

It's clear here that there's no sharing of the work here. They do all the work and get little benefit. What's interesting about this though is what happens to the previous Nessus release. You've got these companies out there that are using it, so they have a vested interest in maintaining their release. So, they may end up developing the community around the previous release that Nessus proper never managed to do.

Fair enough (4, Informative)

overshoot (39700) | more than 8 years ago | (#13734237)

A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL.

That's not a loophole, that's how it's supposed to work.

He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.

His code, his rules. As long as he's not including code that others contributed under the GPL, that is.

The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?

My $0.02 (0)

Anonymous Coward | more than 8 years ago | (#13734240)

Today being the same day that Snort, a very successful open source company, has been acquired by CheckPoint, I think the Nessus announcement has more to do with Tenable Security's business plan and commercial skills rather than with the viability of open source software as a business in general.

Why open source everything? (0)

Anonymous Coward | more than 8 years ago | (#13734250)

It's not the source code being closed that is the main problem with software, it's the data formats (which doesn't apply here). Programs are just the file editors and/or viewers of data. Going from open source to closed source with a free binary release instead is just as good in this case.

Re:Why open source everything? (1)

nanop (155318) | more than 8 years ago | (#13734352)

Open file formats and open source code are two different things, but both are important.

Open file formats provide a common language that can be read by anyone who wishes to use (or write an app to use) it.

Open source code provides for functionality to be portable across systems instead of needing to be created from scratch. If the authors choose not to support OS X or BSD, someone else can step in and port the app. While the current OS support may be decent now, things can always change.

Won't GPL3 fix this? (1)

Afecks (899057) | more than 8 years ago | (#13734256)

I seem to remember seeing a /. post about some OSS projects getting screwed because companies are using/modifying the code but not releasing it, only using it for services. To that end I also heard that GPL3 plans to fix this? Maybe someone can post actual links to the relevant posts.

Re:Won't GPL3 fix this? (1)

xgamer04 (248962) | more than 8 years ago | (#13734476)

I also heard that GPL3 plans to fix this?

Are you questioning whether or not you heard this? Anyway, version 3 of the GPL is still in the drafting/comment period, with people suggesting new 'features' and such.

Maybe someone can post actual links to the relevant posts.

Maybe that someone should've been you, seeing as how you're so keen on it.

Exploiting a loophole? (0)

Anonymous Coward | more than 8 years ago | (#13734275)

It seems to me they wanted the attention and publicity 'open source' brings without the consequences that the GPL clearly spells out.

Exploiting a loophole? Give me a break, it's there for a reason. For which, obviously, these people haven't a clue!

You do not get Open Source. (5, Interesting)

RevDigger (4288) | more than 8 years ago | (#13734278)

This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.

Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.

        - H

Re:You do not get Open Source. (2, Insightful)

PatrickThomson (712694) | more than 8 years ago | (#13734345)

You're missing the point. They are annoyed at the loophole in the GPL that allows other companies to use/modify the source code, AND profit from doing so, without releasing the changes. At all.

Selling or Renting Appliances? (2, Insightful)

Svartalf (2997) | more than 8 years ago | (#13734291)

Considering that in EACH of those cases, the software IS distributed, they could have gone after the offenders. Perhaps they can't afford lawyers to do so- I DID mention in numerous threads before that Copyright, etc. is only as good as the legal effort you can muster to defend your IP rights.

I don't buy this as a reason, mind- because the people in question are still infringing and making it free as in beer won't change the situation any more than it is now. You have to go after them for their infringements- licenses don't change this. If it were the case, MS (or any other BSA members, for that matter) wouldn't be so worried about piracy of their products...

They haven't learnt the lesson (2, Insightful)

Nikademus (631739) | more than 8 years ago | (#13734295)

What did happen to the xfree86 project when they changed their licensing?
Well, I just assume the same will happen with Nessus, except if there is no interest in Nessus when there was in an X server.

que triste (1)

GojiraDeMonstah (588432) | more than 8 years ago | (#13734296)

Sad for them, and sad for the FOSS community. As it is no doubt only a matter of time until they become poster children for Bill Gates' assertion that FOSS is communism [weblogsinc.com] and doesn't work.

Sad day (2, Interesting)

Cally (10873) | more than 8 years ago | (#13734297)

Dang, I just submitted this. Ah well, perhaps I'll get a dupe... it'll take a few hours to get to the top of the submissions stack, perhaps Taco will be posting by then ;)

Anyway, speaking as a long-term user of Nessus, I have had direct personal benefit from it being Free; it enabled me to get familiar with it on my home network which (along with snort, nmap, ipf, tcpdump and a load of other Free stuff) enabled me to move into network security five years ago. Of course, it's Renaud's code and it's his right to release it under whatever licence he wants; but it's a shame. Let's hope someone's prepared to fork the GPL'd v2 codebase and start adding the improvements it needs.

Of course, I'm assuming that all the plug-in authors are happy with this. When Tenable released a closed-source Windows port (NEWT) I queried the position on a mailing list somewhere; I forget the outcome but it seemed odd to me. It seems really unlikely that Tenable would do this without the plug-in authors' agreement... anyone got info on that?

With my 'Free s/w zealot' hat on, I have to say that it'll be interesting to see how the community responds to this. In my copy of the FSZH (FS Zealot's Handbook... version 2 or later :) it says that a benefit of GPL licensing is that the community can pick up and continue with the remaining GPL'd source. Are there any coders out there interested and motivated enough to pick up the GPL'd project? It'll be interesting to see. Fingers crossed....

Re:Sad day (0)

Anonymous Coward | more than 8 years ago | (#13734361)

You're making no distinction between the nasl scripts and the nessus engine. The nasl scripts will continue to remain open source from what I understand. It's the Nessus engine itself that's becoming closed source.

Furthermore, I'm really looking forward to the backend not being tied to the GUI as I have thought for some time that the right way to have a gui would be to create a web service of some type.

Maybe an OSS future isn't that bright after all (4, Interesting)

ShatteredDream (636520) | more than 8 years ago | (#13734323)

Open source software has worked pretty well in areas that provide services such as operating systems, development tools and server software because in those areas the people who need them also need support and have a vested interest that they are aware of in supporting the tools they use. I don't think that desktop software which is typically sold, however, works well in that respect. Most users have no reason to believe that they have a vested interest in supporting OpenOffice and I would bet that if Sun dropped their support the project would implode.

Let's be serious about this. The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company and the same applies to all other open source licenses because your competition can repackage your millions and billions of R&D dollars/Euros/Yen/etc. and you get... precisely what?

It's funny how much having a girlfriend that you are working toward marrying and realizing that your idealism cannot feed your children will change your perspective on open source software. I like Linux, love Tomcat and am eager to give PostgreSQL a shot and I run my own nightly builds of Firefox, Thunderbird and Sunbird on my Windows laptop, so I am definitely not some fanboy for either side. So let me just say this to most of the zealots: OSS is never going to win in the long run because developers have families to support and will not slit the throat of the goose that lays the golden eggs (though sometimes they seem a little bit like bronze) that pay the bills and support one's spouse and children.

Get to that point and you'll realize that Microsoft is good because they create work for you. Same thing with Oracle, Sun, IBM, etc. Infrastructure can and in some areas should be open. However, no one is going to make money on open sourcing things like Quicken or TurboTax and other common user apps unless they are utterly useless without some expensive services provided by the company that makes them. How else are they going to make money, eh? We ought to eliminate software patents and EULAs; those are things the OSS movement is right about. However, the OSS movement if successful (and I doubt it will be in the long run) will end up making it very hard to make money in software development and maintenance. Good for this company that they realized that before it was too late. I'm glad that they chose to protect their employees and stockholders instead of pursuing Stallman's dream of a world in which software developers effectively cannot make a living directly off their code.

Re:Maybe an OSS future isn't that bright after all (1)

SkipRosebaugh (50138) | more than 8 years ago | (#13734481)

I recently heard a statistic that the majority of programming jobs are for code that will only ever be used internally to the company. General Mills, Hormel, etc. - All sorts of big companies have internal programming teams. For these people, OSS isn't so much detrimental as irrelevant.

If they drop the GPL... (1)

mark-t (151149) | more than 8 years ago | (#13734335)

Then by the terms of the GPL, they no longer have any permission from the copyright holder to copy the software at all, except for purposes commensurate with what is allowed by "fair use copying". It does not seem to me that fair use would qualify in this case.

Such copying of copyrighted works without permission is copyright infringement, and is, I'm afraid, quite against the law. The copyright holders can press charges for infringement at their leisure, and could probably win (since there is now documented proof that they have been copying the works without any permission).

Re:If they drop the GPL... (1)

SilentOne (197494) | more than 8 years ago | (#13734464)

That is of course assuming that any of the code is owned by someone outside of the company. Since, according to their press release, they have had almost no help from the community, there is no copyright holder outside of their company.

So they, the copyright holder, can do whatever they like with their code.

From their perspective? (5, Insightful)

ivoras (455934) | more than 8 years ago | (#13734368)

Why isn't anybody looking at it from *their* perspective: A small, young-ish company tried to make a great product but failed to remain financially viable with the GPL license. Free-as-in-speech code is all well and great but at the end of the day, philosophy doesn't pay the bills.

Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)

Considering that... (2, Interesting)

Svartalf (2997) | more than 8 years ago | (#13734458)

They have a batch of closed-source product offerings like NeWT (Closed, for NT/XP only...), NeVO, etc. that are priced at rather HIGH pricings so that people just simply can't afford the damn stuff unless they're as big as someone like IBM, TI, etc., it's no small wonder that they're hurting financially.

Sentiments aside, they look to be a small player that priced themselves out of the overall market, hoping to score support contracts for an Open Source project that was to showcase their abilities and hoping to sell at least a handful of this other stuff at an unrealistic $9-10k per instance. The closest thing that competes in price is only $4k and there's other solutions that ARE cheaper.

The reality is that Nessus will probably be forked, Tenable will keep sliding into the hole not because of the GPL but because of their own pricing themselves out of the market, and life will probably just go on all the same.

Fork (1)

r2q2 (50527) | more than 8 years ago | (#13734424)

How long until a fork of the currently released Nessus source code becomes available? Closing its source is absolutely ludicrous when a derivative project could easily become available.

GPL Removal issues (1)

LiquidCoooled (634315) | more than 8 years ago | (#13734432)

What happens to the (albeit minor sounding) modifications which have been offered by the OSS community?
I realise the blurb says the competitors keep on taking, but if even 1 line of code has been added by someone else, then he needs their permission before he can close the source off, surely?

The alternative is to remove the offending lines of code, but his actions seem akin to taking the Linux Kernel and making it closed source without a care for the copyright holders.
The modifications were given to a GPL project under the assumption it would stay as GPL.

Additionally, any GPL code which he has used to build up his application (thinking "its GPL, so I can borrow GPL bits") also needs to follow the same rules.

His comments make it sound minor, but it might be a major sticking point especially if the code isn't audited correctly.

"Virtually nobody has ever contributed anything to improve the scanning engine over the last six years," he wrote, noting that there had been minor exceptions.

He cannot just close it up without a major hunt through the code.

Best of both worlds (1)

supra (888583) | more than 8 years ago | (#13734470)

If the GPL is hurting you because of commercial competitors, why not offer a dual license?
MySQL and Qt are doing it well. Quid Pro Quo (something for something).

Your code is GPL for GPL users, and it's commercial for commercial users.
So if your usage/derivative is GPL, then you can use the code free.
If your product is commercial, then you must license the code.

It keeps you viable to the OSS community and may help the bank at the same time.

They can't "close the source" (2, Interesting)

FishCalledOscar (691194) | more than 8 years ago | (#13734479)

They gave it away already. They can create a proprietary branch, but taking something out of the public domain requires large bribes to congress. It amazes me that folks still use the GPL. I attribute it to mental laziness and hokey religions (w/ ancient weapons).

Perl's Artistic License [perl.org] and the Apache License [apache.org] are better licenses.

BTW - I am a lawyer and this is personal opinion, NOT a legal opinion.

BIGGEST MISTAKE (1)

Spy der Mann (805235) | more than 8 years ago | (#13734494)

Using GPL and still wanting to sell "a product". GPL goes well with the service / customization / maintenance business model.

The only guys who were able to do business with a GPL product were MySQL AB. And this because they released it dual-licensed.

They can do it, but forks inevitable (3, Informative)

Random BedHead Ed (602081) | more than 8 years ago | (#13734516)

Contrary to a number of comments I'm already reading, Tenable Network Security can do this, as long as they control the copyright to the entire body of work. This would be impossible for some GPL-licensed software for which the copyrights to separate contributions are owned by their contributors. If I am not mistaken, I think Linux falls into this category, so Linux could not be taken out of the GPL unless everyone who holds copyrights over the many parts of the source code all agree on the new license. Won't happen.

For software that is copyrighted by a single entity, be it an individual or a company, the license can easily be changed. However, anyone who obtained the software under the terms of the previous license cannot have the rights that were granted revoked. This means if you downloaded the software and source at any time before the license change, congratulations. You have the GPL'd project in a relatively recent state, and the GPL applies.

This presents an opportunity to fork a GPL version. If enough people are interested, the fork can eclipse the original project, as X.org did to XFree86 when the latter changed its license.
