Linux.com

Feature: Open Source

Nessus 3.0 to abandon GPL licensing

By NewsForge Staff on October 06, 2005 (8:00:00 AM)

Nessus -- once billed as "the open-source vulnerability scanner" -- is changing its ways as of the 3.0 release, which is expected shortly. According to a recent post on the Nessus Announcements mailing list "Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL." On its Web site, Nessus now just bills itself as "the network vulnerability scanner."

NewsForge spoke this afternoon with Ron Gula, CTO and co-founder of Tenable Network Security, which sponsors the Nessus project, and Renaud Deraison, founder of the Nessus vulnerability scanner project and co-founder of Tenable Network Security, about the reasons for the change.

The story broke yesterday with a post by Deraison on the Nessus Announcement mailing list, which immediately drew questions and comments on the Nessus discussion list and elsewhere.

In response to the question, "Have you obtained permission from all copyright holders of patches to relicense their intellectual property?" on the Nessus discussion list yesterday, Deraison simply said, "Yes."

When we spoke with Gula and Deraison today, we asked the official reason for making what is sure to be a controversial licensing change. Gula said:

Like you said, it's a hot-button issue. There's a lot of different people out there with a lot of different views on it. My biggest thing that I want to do is increase the user base, and frankly, the real story is not that we are moving away from the GPL, I think the real story is we are giving away a lot more value, in terms of -- for example -- the Windows scanners which are very, very popular, and also moving Nessus into a place that it's more easily used in corporate America. We have a lot of people out there in large organizations who cannot use open source software in their organization.

When we asked Deraison to expand on the theme of open source not working for the Nessus project, he said:

In that case, yes, in the sense that in the end, the people that committed anything to the engine, to improve it, were like two of us. So if there is no community, and no one touches the code, and then on the other side (there are people) who cannot use Nessus because it is open source, they can't use it on the network, then we decided it would be better to close it.

Finally, we asked what form the new licensing would take. Gula told us, "There are really two aspects to the license. The first part of the license is for the actual daemon, the actual code that people use. Basically that daemon is a free tool, that you can use if you're an end user." Renaud then noted, "Free as in free beer." Gula continued:

So one of the things Tenable does, and this is one of the things that makes Nessus really popular, last year we didn't actually change anything on the Nessus code, that's the daemon, that was still GPL'd, but we made a change to the license. We basically said that the license for the plugin was separate from Nessus, and that these were updated.

And there was basically a seven-day delay for free, which was available to the world. But if people wanted the latest and greatest vulnerability checks, they had to pay for it. So, I can't really give you any names, but some of the largest managed security providers in the world, buy this from us because they in turn sell to governments and universities, you know, the latest vulnerability checks. These are for Microsoft, and for Linux, and for Mac. So there are really two parts to the Nessus license, what can I do with the actual program itself, and then what can I do with the content.

The way I say it, if you have Apache, just because I download Apache doesn't mean that I can use the Apache home page's content on my Web site.

Deraison claimed on the mailing list that the Nessus engine has had precious little community support in terms of patches and outside contributions, but some Nessus users were unconvinced of that being true for the entire project, with one writing:

I'm sure that has nothing to do with the fact that Tenable refuses to publish plugins developed under GPL when they have plans to develop them in house and can make money off a registered feed. How many people on this list have submitted plugins only to have them trumped by a registered feed plugin? You make a fair point about the improvement on the engine, but perhaps the open source community felt that their efforts were better placed at improving plugins. However, they may have taken a different point of view if they knew that that concentration would mean the loss of the O/S nature of the engine itself.

This assertion was countered by another Tenable employee, George A. Theall, who has written many plugins for Nessus, both as an employee and a contributor:

Before I worked for Tenable, I authored several dozen plugins for Nessus. I do recall one or two instances in which plugins were rejected, but each was because David Maciejak had submitted an alternate before me. David's plugins, btw, are GPL'd.

Mindful of this, since joining Tenable I've been encouraging third-party plugin contributors such as David and Josh Zlatin-Amishav to coordinate with us before writing a plugin by dropping a note of their intentions to plugins_at_nessus.org. I generally tend to respond to these. And while I might tell someone not to write a plugin, it's because either (1) someone else has already written it or has committed to writing it or (2) the benefit of having such plugin, as perceived by both Tenable and the third-party author, is small.

The move has not only raised the ire of many free software fans, it has drawn attention on other security-related lists. On the nmap-hackers mailing list, for example, Fyodor wrote this morning:

In the last Insecure.Org Security Tools survey, you guys proudly voted Nessus #1. It complements the functionality of Nmap by going further to detect application-level vulnerabilities. Then in February of this year, Tenable changed the Nessus license to further restrict the plugins and require that you fax them a permission request form before you use Nessus for any consulting engagements. Renaud wrote to this list on Feb 8 (http://seclists.org/lists/nmap-hackers/2005/Jan-Mar/0001.html), explaining that their new slogan ("the open-source vulnerability scanner") was accurate because the engine was still open source. Today, their slogan has changed to "the network vulnerability scanner," and you can probably guess what that means. In the announcement below, Renaud announces that Nessus 3 (due in a couple weeks) will be binary only and forbid redistribution. They say it will be free, for now, if you use the delayed plugin feed. They have also announced that Nessus 3 will be faster and contain various other improvements. They promise to maintain GPL Nessus 2 for a while, but I wouldn't count on that lasting long.

I am not taking a position on this move, but I do feel it is worth noting for the many Nessus users on this list. Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap Project has no plans to follow suit. Nmap has been GPL since its creation more than 8 years ago and I am happy with that license.

It is worth noting that the previous Nessus releases, which are licensed under the GPL, cannot be withdrawn. If the Nessus community feels strongly enough about the license change, it would be possible to maintain and extend previous releases.

Given the incendiary nature of discussions involving contrary views of software licensing, the Nessus move is bound to become an icon tossed back and forth between proponents of the proprietary and free/open source software camps for a long time. At the very least, it's fodder for rational discussions on whether free software licensing works for you.

Comments

on Nessus 3.0 to abandon GPL licensing

Only one possible reaction:

Posted by: Anonymous Coward on October 07, 2005 03:32 AM
A complete boycott of the non-GPLed versions.

Besides, it will be forked anyway...

Re:Only one possible reaction:

Posted by: Anonymous Coward on October 07, 2005 04:03 AM
Anyone have a link to the 3.0 version with the sources?

Please reply to parent, or here, if a fork project becomes available.

This kind of thing is the reason why I dislike using free software that does not have at least one other fork (7-zip is an example of this, Freenet too).

Only one possible reaction: Stay away from the GPL

Posted by: Anonymous Coward on October 07, 2005 06:26 AM
"A complete boycott of the non-GPLed versions."

Yeah! Along with everything else the community has done (or hasn't). Kick'em while they're down. Lesson one: stay away from the GPL community.

Re:Only one possible reaction: Stay away from the

Posted by: Anonymous Coward on October 07, 2005 07:01 AM
You actually expect the community to support those who abandon it?

Get real.

Re:Only one possible reaction: Stay away from the

Posted by: Synonymous on October 07, 2005 08:26 PM
"Yeah! Along with everything else the community has done (or hasn't). Kick'em while they're down. Lesson one: stay away from the GPL community."

People and organizations who do not respect my freedom, or the freedom of others, do not get my money. Instead they get my boycott.

Re:Only one possible reaction: Stay away from the

Posted by: Anonymous Coward on October 07, 2005 09:50 PM
Kick'em while they're down. Lesson one: stay away from the GPL community.

As a matter of fact - yes! Kick'em and hope they never recover so as to set a good example for everyone else who wants to follow their path.

Lesson one: do not expect mercy from those you betray!

Re:Only one possible reaction: Stay away from the

Posted by: Anonymous Coward on October 08, 2005 02:53 AM
Uhh, betray? How would this be different if they simply just stopped making the software? Oh.. I see, it doesn't, because the previous GPL'd versions can be picked up by anyone and continue to be maintained and GPL'd.

Oh.. I see you feel betrayed because of the fact that they felt they could not support themselves under the old model trumped your preciously held vision of how software should be free?

How about instead giving them props for what they've given to the community already.. They tried the OSS model and gave their software away for free.. it didn't work for them as a practical business model.. and now you want to spit on them... This says great things about the OSS community, let me tell you.

Re:Only one possible reaction: Stay away from the

Posted by: Anonymous Coward on October 08, 2005 03:46 AM
Peuhleeeeze! They used the GPL to make their product grow but, unlike so many others, they were unable to capitalize on the free work of others. Then, having dumped the GPL, they want their GPL-developed product to continue growing and expect sympathy from us?!

Lemme tell you this about the OSS community: we will simply fork the GPLed product and they will vanish into irrelevance. And guess what, the maintainers of the GPLed fork will do just fine, thank you.

Re:Only one possible reaction: Stay away from the

Posted by: Anonymous Coward on October 08, 2005 08:03 AM
.... we will simply fork the GPLed product ... maintainers of the GPLed fork will do just fine, thank you...

Your zealotry blinds you so much that you apparently read enough of what I said to realize:
I SAID EXACTLY THAT!

The question I asked was how is this different than them just stopping development on the project all together..

Wait for it, I know this is gonna be hard for you to accept:
IT ISN'T!

Like I said originally you can still fork! But all this talk of boycotting is pointless..

There are many programs out there that gain popularity by simply being free (as in beer) and later switch to a paid only version because they can no longer support themselves on free. Do I spew venom on them and vow never to use their product(s) again?
No.. and as I see it, the whole fact that they decided to give you something to fork in the first place gives you no room to complain.

I wonder why that if the community had contributed SO MUCH to the project, they were able to get permission from all the external submitters so easily to agree to the switch from GPL.

(Unless you are contending they are crooks and lying about that, please provide evidence if that is what you are suggesting..)

Again, zealotry like this does the OSS community no good but serves as a turn-off to potential new adopters of OSS. Very self-destructive, but you just keep on going if it makes you feel good.

Re:Only one possible reaction: Stay away from the

Posted by: Anonymous Coward on October 09, 2005 10:18 AM
"Lemme tell you this about the OSS community: we will simply fork the GPLed product and they will vanish into irrelevance. And guess what, the maintainers of the GPLed fork will do just fine, thank you."

Uh, huh. And let's just ignore the message THAT sends. Get in bed with Micro...er, the GPL community and they will sooner or later turn on you. So why should anyone join the F/OSS community again?

Re:Only one possible reaction:

Posted by: Anonymous Coward on October 09, 2005 11:24 AM
Here we have a sterling example of the kind of autocratic, fanatical moron that finally caused me to stop using Linux.

Linux technically is a fantastic system. Loved it from that point of view...but I got to the point where I could no longer stand RMS and his band of fanatics. You've become a group of anti-capitalist tyrants, guys. I'm not interested in that, and I suspect a lot of other people aren't as well.

Linux is going to start losing a lot of users to the BSDs if it isn't careful.

Re:Only one possible reaction:

Posted by: Anonymous Coward on October 09, 2005 08:45 PM
"You've become a group of anti-capitalist tyrants, guys. I'm not interested in that, and I suspect a lot of other people aren't as well."

Especially with the loss of jobs in the IT field. The downward pressure plus everything else basically makes software creation an undesirable field to go into. Plus the network nature of the economy means that the consequences aren't going to stay confined.

what a load of bull!

Posted by: Anonymous Coward on October 07, 2005 03:44 AM
So if there is no community, and no one touches the code, and then on the other side (there are people) who cannot use Nessus because it is open source, they can't use it on the network

There is no community?! Nmap does not have that problem. No code? Ever wondered why? You cannot use open source on a network?

This guy is clearly off his meds. LOL.

Sounds like a big non-open source customer is...

Posted by: Anonymous Coward on October 07, 2005 04:53 AM
Sounds like a big non-open source customer is... wanting them to maybe do this... in order for them to mass license the product?

Would Microsoft make this kind of offer? Quid Pro Quo ... quickly? If there were a buyer in the wings that was proprietary only then that might be a monetary motive. No?

Otherwise, why risk the problem of a facing a fork etc?

Boycott them now!

Posted by: Anonymous Coward on October 07, 2005 07:42 AM
They are to blame for using GPL as a license. Had they used BSD, they wouldn't have had to spread such FUD about GPL.

I think we should boycott them - I don't know what Nessus does (haven't heard of them before today nor have I contributed any code) - but I will surely never buy anything from these guys.

Re:Boycott them now!

Posted by: Anonymous Coward on October 07, 2005 11:22 PM
What a brilliant comment.

Making a living

Posted by: Anonymous Coward on October 07, 2005 03:36 PM
I fully understand the need to make money, but this decision is flawed.

The GNU GPL allows you to make money, and the FSF encourages you to charge as much money as you can to foster development. The same goes for the GNU LGPL, which you can use if you need to integrate with proprietary software.

I'm guessing/speculating the Nessus people have been offered - or hope to be offered - a large amount of money to let Nessus become part of larger security suite by a proprietary company. The GNU LGPL should be able to help them achieve this. Perhaps Novell or IBM could step in, and convince the Nessus people to reconsider their options with a little money? All three would benefit from that.

At any rate, I think the Nessus people should be looking to other customers who are interested in a free (as in freedom) vulnerability scanner, rather than cave in at the sight of a pile of money. Unfortunately, I'm not very optimistic, as a number of developers over the years have demonstrated that what they really want to do is just code and get a pay check and not run a business that creates code. That requires the ability to find markets, to advertise and so on. Non-tech stuff, but too hard a science for many hackers.

Re:Making a living

Posted by: Anonymous Coward on October 08, 2005 12:42 PM
I'm guessing/speculating the Nessus people have been offered - or hope to be offered - a large amount of money

Yeah, I think you hit the nail on the head. I think it would have been better for them to say "With Nessus 3.0 we will have to charge a fee for download in order to keep the project viable - but we will keep the project GPLed". There is nothing wrong with charging a fee for free software. This would have been better than "free 3.0 *binary only* downloads will be available and BTW could all potential MS Windows testers please send us an email?".

It looks like the project principals have been overwhelmed by the lure of the lira. And the project principles have disappeared.

Time to start a better project.

Re:Making a living

Posted by: Anonymous Coward on October 10, 2005 10:38 AM
As soon as someone starts charging money for a GPL'ed project, it will get forked. There is no protection.

I can believe them...

Posted by: Anonymous Coward on October 08, 2005 01:35 AM
As much as I doubt the true motive, I need to say that I used to work for a company that would not allow open-source software. It sounds ridiculous, I know, but true nonetheless. I admined a Novell network and had 2 Linux servers, one for archive data and one as an FTP site. The owners just knew what it did and didn't know or care that it was Linux. One day one of our MS zealots dropped the FUD to the owners about what was running in the server room, and they completely flipped, immediately ordering a switch to 100% MS servers. It sounds completely unbelievable, but true. My point is just that some easily influenced people buy in to the FUD and don't allow FOSS anywhere on the network.

awesome

Posted by: Anonymous Coward on October 08, 2005 01:54 AM
I would never have believed that this was possible. My thanks for having posted this and my sympathies for having to work with such morons.

Cheers!

Re:awesome

Posted by: Anonymous Coward on October 08, 2005 06:07 AM
I would never have believed that this was possible

Dude, good sales people, the kind that work for Microsoft and Cisco instigate such "forklift upgrades" all the time!

<SALESSPEAK> You see, by running a heterogeneous environment you greatly increase your TCO and exposure to risk. You have to have additional skillsets on staff as well as maintain those skillsets with training. Then of course there is the extra labor costs required to monitor and maintain the countless different systems.

All those different systems increase you business's exposure to risk by increasing the number of attack vectors. This not only increases your risk, as I said but, also significantly increases the hit on your bottom line even if you never have a breach. But, should you have such a breach, your business will be ruined.

This is all compounded by the nonstandard or unreliable security situation brought on by having such a diverse programming environment. Did you know that even you, who are not a programmer, can program on Linux? Surprising, isn't it? It's only the grace of God and a matter of time that you haven't been hacked already!

If you instead standardize on a homogeneous environment consisting of $OUR-BIG-CORP systems you greatly reduce your TCO. You reduce your skillset requirements as well as your total technical staffing requirements. Security is increased due to a single systematic development environment where we strictly control who has access to the code. Your security is further improved due to our automatic update process that is scheduled on a monthly basis.

It all comes from a single source so you need only turn to that single source in the unlikely event that you need support. What we call "One throat to choke". Plus, we're a 100,000 person corporation and we eat our own dog food.

Here is a stack of white papers that go into far greater detail than I could on why your heterogeneous environment has a MUCH higher TCO than our homogeneous environment. But, it all boils down to: We save you a ton of money and reduce your company's risk at the same time! That translates to increased profits which of course leads to a bigger bonus for you.

So, how many would you like to order? My director has authorized me to offer you an unusually substantial discount if you will sign the contract today. </SALESSPEAK>

Re: I laughed myself silly, so true

Posted by: Anonymous Coward on October 08, 2005 02:44 PM
Very well written! I've heard that speech for five years now. Each time management buys into it - which is mostly every time - it ends in tears because

a) they don't ask themselves "What is our business, and which pieces of software strengthen our business?" They solve the wrong problem.

b) they don't want to learn what they buy, but leave that to the techies, who already hate it because it doesn't solve the right problems, uses its own authentication, authorization and audit module instead of system-wide directories, all data is stored in proprietary binary formats only or it uses its own proprietary database instead of a system-wide SQL database or similar. They don't solve the right problem, and introduce new problems.

c) They out-source maintenance because all the new problems on top of the old problems are too heavy a load for the in-house techies to handle.

In short, real needs are not handled, motivation is shot to pieces, as the number of opportunities to actually get on with business erode.

IPO! IPO! Wooo WooO! I get a new pretty pony!

Posted by: ThoreauHD on October 08, 2005 08:23 PM
Let's take a guess who these people claiming to own Nessus and its plugins are selling out to. The sucker is gonna fork off the bat, no doubt, but let's entertain the soon to be short future of this company.

What product would benefit from vulnerability scanning large networks and charge 20K a pop to do it(so cheap it's used in at least 3 companies worldwide!). Hmm.. Maybe.. Cisco? Packeteer? How exciting for you. Kudos and who cares.

I hope his few big companies pay him well, because he's just killed his product from running on 90% of the real companies on this planet. 2 points dude (thumbs up!). You're the man.

I think we should ask the people that contributed code to the engine and plugins exactly what license their programs are under. Ooo.. now isn't that a pickle..

Nessus 3.0 to abandon GPL licensing

Posted by: Anonymous [ip: 84.211.247.253] on September 06, 2007 02:03 PM
Hmm! After other discussion it is said that there is no way to change from GPL to non-GPL. As soon as the program code has become GPLed it stays GPL. Even the owner cannot change it from GPL to non-GPL. That is if it is based upon the original code!
