Slashdot Mirror


Tripwire Going GPL

Johnath writes: "Maybe it's a little early to break out the party hats, but after noticing that a new version of Tripwire had been released, I checked up on their site and noticed they are going to open source it. Supposed to open it up this fall, and under the GPL no less." There are a lot of people who swear by Tripwire; it'll be nice to see this come to fruition. One thing that's odd: this only applies to Tripwire for Linux.

1 of 52 comments

  1. This is neither a huge surprise, nor a bad idea by Dagmar d'Surreal · Score: 4

    Tripwire is a security tool. That having been said, these sorts of tools have quite commonly become *much* better by being open source utilities, since there are definitely a lot of people running around on lists like Bugtraq who go into a positive frenzy over making security-related patches. Tripwire is also one of the few integrity checkers that many people are familiar with using, and while a skilled system administrator who can code in C could probably come up with something very similar in a few weeks, it's not really all that feasible. Anywhere where this sort of integrity checking would be _demanded_ to ensure certain policy requirements, the system administrators are likely to not have the time necessary to develop such a tool (at least in most companies, time for R&D is pretty limited). GPL or no, it's these same companies that are most likely to be looking for a support contract for such a tool, because places that have policies requiring this level of attention to detail are also quite likely to have made it standard operation procedure to get support contracts for every possible piece of software they use, no matter how small. (This all falls under "assurance" guidelines by my book.)

    GPLing this code will make it more friendly to the freelance security consultants, as well as those who aren't so freelance, because now they'll have a chance to exercise their paranoia and examine the code themselves to see for sure that it's good and solid.

    ...not to mention that Tripwire has received a great deal of help from the hacking community in the way of pointing out potentially weak implementation methods, and generally just making things tidier.

    So I don't see making the code GPL making any serious dent in the company's profit model, especially with more companies starting to get used to being able to obtain support contracts for software they didn't have to actually pay anything for. It's only recently that you could even think of being able to obtain support contracts for software that wasn't backed by a company whose profit model was based on the sale of the software, which makes the whole trick of making certain there are experts that can be called on in a flash to help solve problems when something goes wrong highly improbable, if not impossible.

    I know it might sound silly trying to obtain a support contract for Tripwire, but at the last company I worked for, such a thing would not only be desired, but not too terribly hard to get upper management to sign off on. (For some reason the bigger a company gets, the less likely they are to want to trust the word of their own employees alone... but then again, that quickly falls under the umbrella of assurance in a good set of security policies.)