Nessus Closes Source
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
That should be the GNU/OSS community
/End Joke
[Fuck Beta]
o0t!
No, fork.
How well does an OSS product fare as a closed source product? Bets are on: better or worse a year from now?
News at 11!
They can't go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that haven't agreed to the new license... If Linus wanted to close-source Linux all of a sudden, he couldn't do it either.
So.. are they ripping everything else out, or are they rewriting from scratch?
And obviously, the existing version can't be relicensed either. The latest release under the GPL is stuck there from now until forever.
"The problem appears to be that Tenable Network Security... isn't making money because it's competition is simply repackaging their product."
It's means "it is." Possessive pronouns in English do not have apostrophes (with the unfortunate exception of one's). You meant to say its.
See Wikipedia.
If their competitors were just repackaging their software, they should have put some massive bugs in it.
OK, change your license so your competitors can't repackage your stuff and publish the source anyway. Nah, they just blame the GPL instead of saying "we don't want to show our source anymore".
So (provided there are interested developers), the last GPL-licensed version will likely be forked and a new project formed... I'd guess "gnessus".
SATAN and SAINT appear to be gone. Now Nessus. What other projects are out there for security auditing tools? This is not a good trend.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Or rather, using the GPL as it was intended, to prevent vendor lock-in.
So... who will be setting up a fork?
This sort of thing almost always results in someone making a fork. Is there really so little OSS involvement that a GPL fork (from the most recent GPL version) would not be able to compete with the closed app?
# cat
Damn, my RAM is full of llamas.
Hopefully, the time will come when Renaud and crew feel that they can re-open the code, possibly under GPLv3.
The "loophole" is an intended result of the GPL. Since this is its purpose, it makes no sense to call it a "loophole" whether you like or dislike the GPL.
In any case, they are perfectly free to do this. They are also free to release the source code in a way that does not have this "loophole", such as by using normal copyright. Equating "being able to see the source" with "GPL" is a bit of FUD.
That's not a loophole, that's how it's supposed to work.
He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL.
His code, his rules. As long as he's not including code that others contributed under the GPL, that is.
The question is, has he either cleared the code, acquired copyright, or licensed it from the authors?
Lacking <sarcasm> tags,
Given that today is the same day that Snort, a very successful open source company, was acquired by CheckPoint, I think the Nessus announcement has more to do with Tenable Security's business plan and commercial skills than with the viability of open source software as a business in general.
It's not the source code being closed that is the main problem with software, it's the data formats (which doesn't apply here). Programs are just the file editors and/or viewers of data. Going from open source to closed source with a free binary release instead is just as good in this case.
I seem to remember seeing a /. post about some OSS projects getting screwed because companies are using/modifying the code but not releasing it, only using it for services. To that end I also heard that GPL3 plans to fix this? Maybe someone can post actual links to the relevant posts.
1. They get no more free code, since people can't hack on it and improve it for themselves. 2. It's less secure (possibly), as fewer people have access to the source code to patch/fix it as bugs and holes occur.
that they've done the QT thing and made sure they have copyright to their entire codebase (not hard if, as they claim, the FOSS community hasn't been contributing much). Then they can take their codebase, add to it and rerelease under a closed license. You're right that they can't do anything about the stuff that's already in the open though.
This is only a dodgy strategy if anyone *has* been contributing, and didn't turn their copyrights over to TNS. Anyone gonna put their hand up here?
For the love of God, please learn to spell "ridiculous"!!!
It seems to me they wanted the attention and publicity 'open source' brings without the consequences that the GPL clearly spells out.
Exploiting a loophole? Give me a break, it's there for a reason. For which, obviously, these people haven't a clue!
This is not a "loophole in the GPL". It is exactly how the GPL, and similar OSS licenses are intended to work. If you don't want other people freely using, modifying, and even selling your software, then do not open source it.
Also, it seems rather rich that they are selling a product that depends on a number of other OSS projects (expat, gettext, gmake, libiconv, libtool) and complaining about people making money off their code.
- H
Considering that in EACH of those cases, the software IS distributed, they could have gone after the offenders. Perhaps they can't afford lawyers to do so- I DID mention in numerous threads before that Copyright, etc. is only as good as the legal effort you can muster to defend your IP rights.
I don't buy this as a reason, mind- because the people in question are still infringing and making it free as in beer won't change the situation any more than it is now. You have to go after them for their infringements- licenses don't change this. If it were the case, MS (or any other BSA members, for that matter) wouldn't be so worried about piracy of their products...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
What did happen to the XFree86 project when they changed their licensing?
Well, I just assume the same will happen with Nessus, except if there is no interest in Nessus when there was in an X server.
I gave up with the idea of a useful sig...
Sad for them, and sad for the FOSS community. As it is no doubt only a matter of time until they become poster children for Bill Gates's assertion that FOSS is communism and doesn't work.
"Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
Anyway, speaking as a long-term user of Nessus, I have had direct personal benefit from it being Free; it enabled me to get familiar with it on my home network which (along with snort, nmap, ipf, tcpdump and a load of other Free stuff) enabled me to move into network security five years ago. Of course, it's Renaud's code and it's his right to release it under whatever licence he wants; but it's a shame. Let's hope someone's prepared to fork the GPL'd v2 codebase and start adding the improvements it needs.
Of course, I'm assuming that all the plug-in authors are happy with this. When Tenable released a closed-source Windows port (NEWT) I queried the position on a mailing list somewhere, I forget the outcome but it seemed odd to me. It seems really unlikely that Tenable would do this without the plug-in authors' agreement... anyone got info on that?
With my 'Free s/w zealot' hat on, I have to say that it'll be interesting to see how the community responds to this. In my copy of the FSZH (FS Zealot's Handbook... version 2 or later :) it says that a benefit of GPL licensing is that the community can pick up and continue with the remaining GPL'd source. Are there any coders out there interested and motivated enough to pick up the GPL'd project? It'll be interesting to see. Fingers crossed....
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
com.com is registered to CNET networks. Same as news.com.....
Already a raftload of precedents in the Courts that show that this is the case. Reformatting the source code doesn't change the literary work in a sufficient way to count as a separate work.
A quick whois confirms that news.com and com.com are both owned by C|NET. Nothing to see here, folks.
I used to read Caltizzle. I was a lot cooler than you.
Open source software has worked pretty well in areas that provide services such as operating systems, development tools and server software because in those areas the people who need them also need support and have a vested interest that they are aware of in supporting the tools they use. I don't think that desktop software which is typically sold, however, works well in that respect. Most users have no reason to believe that they have a vested interest in supporting OpenOffice and I would bet that if Sun dropped their support the project would implode.
Let's be serious about this. The GPL provides **no** protection to companies whose business model is built on selling software that doesn't need support contracts or anything like that. If selling software is your business, then the GPL is basically a suicide pact for your company and the same applies to all other open source licenses because your competition can repackage your millions and billions of R&D dollars/Euros/Yen/etc. and you get... precisely what?
It's funny how much having a girlfriend that you are working toward marrying and realizing that your idealism cannot feed your children will change your perspective on open source software. I like Linux, love Tomcat and am eager to give PostgreSQL a shot and I run my own nightly builds of Firefox, Thunderbird and Sunbird on my Windows laptop, so I am definitely not some fanboy for either side. So let me just say this to most of the zealots: OSS is never going to win in the long run because developers have families to support and will not slit the throat of the goose that lays the golden eggs (though sometimes they seem a little bit like bronze) that pay the bills and support one's spouse and children.
Get to that point and you'll realize that Microsoft is good because they create work for you. Same thing with Oracle, Sun, IBM, etc. Infrastructure can and in some areas should be open. However, no one is going to make money on open sourcing things like Quicken or TurboTax and other common user apps unless they are utterly useless without some expensive services provided by the company that makes them. How else are they going to make money, eh? We ought to eliminate software patents and EULAs, those are things the OSS movement is right about. However, the OSS movement if successful (and I doubt it will be in the long run) will end up making it very hard to make money in software development and maintenance. Good for this company that they realized that before it was too late. I'm glad that they chose to protect their employees and stockholders instead of pursuing Stallman's dream of a world in which software developers effectively cannot make a living directly off their code.
Click here or a puppy gets stomped!
That's like slashdot.com pretending to be slashdot.org.
Keep in mind that the GPL is assigning a license, not the copyright itself. The original copyright owner on any copyrighted code can assign a new license to the code at any time. So long as all code that was contributed has had its copyright assigned to them, they can do what they want. Otherwise they'd either have to obtain copyrights to that code now or gut that code from the product.
This sig has been temporarily disconnected or is no longer in service
Such copying of copyrighted works without permission is copyright infringement, and is, I'm afraid, quite against the law. The copyright holders can press charges for infringement at their leisure, and could probably win (since there is now documented proof that they have been copying the works without any permission).
File under 'M' for 'Manic ranting'
Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)
-- Sig down
Choice 1) Pay (a likely non-existent) legal team huge amounts of cash to come up with a new license that is legally sound in all of the respects that need to be accounted for in their position.
Choice 2) Close source code.
Seems to make sense to me...
It's not a loophole, but it's quite clear that it's not what they thought they were getting into. Ultimately the benefit of the GPL to a business is being able to share the development cost. IBM is only paying for a portion of Linux as is RedHat, etc. Thus their ultimate cost is lower for the product they deliver.
It's clear that there's no sharing of the work here. They do all the work and get little benefit. What's interesting about this though is what happens to the previous Nessus release. You've got these companies out there that are using it, so they have a vested interest in maintaining their release. So, they may end up developing the community around the previous release that Nessus proper never managed to do.
How long until a fork of the currently released Nessus source code becomes available? Closing its source is absolutely ludicrous when a derivative project could easily become available.
My UID is prime, is yours?
What happens to the (albeit minor sounding) modifications which have been offered by the OSS community.
I realise the blurb says the competitors keep on taking, but if even 1 line of code has been added by someone else, then he needs their permission before he can close the source off surely?
The alternative is to remove the offending lines of code, but his actions seem akin to taking the Linux Kernel and making it closed source without a care for the copyright holders.
The modifications were given to a GPL project under the assumption it would stay as GPL.
Additionally, any GPL code which he has used to build up his application (thinking "its GPL, so I can borrow GPL bits") also needs to follow the same rules.
His comments make it sound minor, but it might be a major sticking point especially if the code isn't audited correctly.
"Virtually nobody has ever contributed anything to improve the scanning engine over the last six years," he wrote, noting that there had been minor exceptions.
He cannot just close it up without a major hunt through the code.
liqbase
Whom....cares?!?!
Click here or here.
In a sense, many of the potential benefits of open source are just that, "potential" benefits. People say that the code is more secure if more people look at it, and better if improved and patched... but that assumes that other people do look at it, do make improvements, do fix bugs, and do return those improvements.
But the fact remains there are a lot of open source projects and a finite number of people with the time and the ability to perform those actions...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
They weren't getting any notable contributions from the community so they don't lose anything there. On the other hand, if they can eliminate their competition they can make more money, hire more developers, etc.
They have a batch of closed-source product offerings like NeWT (closed, for NT/XP only...), NeVO, etc. that are priced rather HIGH, so that people simply can't afford the damn stuff unless they're as big as someone like IBM, TI, etc. It's no small wonder that they're hurting financially.
Sentiments aside, they look to be a small player that priced themselves out of the overall market, hoping to score support contracts for an Open Source project that was to showcase their abilities and hoping to sell at least a handful of this other stuff at an unrealistic $9-10k per instance. The closest thing that competes in price is only $4k and there are other solutions that ARE cheaper.
The reality is that Nessus will probably be forked, Tenable will keep sliding into the hole not because of the GPL but because of their own pricing themselves out of the market, and life will probably just go on all the same.
I would hold a headline or article to different standards than I hold a casual poster to.
---
I think "to say" is okay grammar in this context. Message boards are similar to talking as much as they are to typing. In any case, it would probably be "to write" instead of "to type" though I lack the grammatical sophistication to tell you why.
Since you asked...
You typed:
If you understand what the originally writer
Which would be
If you understand what the original writer (no ly)
You probably don't need "have". Succeeded is past tense anyway.
then they have succeeded. (then they succeeded).
Could probably argue that you would "develop better writing habits" instead of just "better habits" (what kind of habits?).
Oh... and 2 spaces after periods (... funny). Feel free...)
It is a lot easier to read text with 2 spaces. Using one space makes the writing run together. It all seems like the same sentence. The extra space makes the text easier to read. So I always use two spaces except in this paragraph.
---
The most annoying problems out there for me right now are...
LOOSE used instead of LOSE. (I win! You loose!)
ROUGE used instead of ROGUE. (He was quite a rouge, stealing!)
TO instead of TOO. (It was to much. He went to far.)
Not using paragraphs (I usually just skip these rather than try to parse out what they are saying).
---
I agree with your basic point that grammar comments are usually unproductive and even unreasonable. I wouldn't have commented on your post but for that what you asked (hehehe).
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
If the GPL is hurting you because of commercial competitors, why not offer a dual license?
MySQL and Qt are doing it well. Quid Pro Quo (something for something).
Your code is GPL for GPL users, and it's commercial for commercial users.
So if your usage/derivative is GPL, then you can use the code free.
If your product is commercial, then you must license the code.
It keeps you viable to the OSS community and may help the bank at the same time.
On a computer or under a hood.
Is this Kool-aid free as in beer or free as in openCola?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
They gave it away already. They can create a proprietary branch, but taking something out of the public domain requires large bribes to congress. It amazes me that folks still use the GPL. I attribute it to mental laziness and hokey religions (w/ ancient weapons).
Perl's Artistic License and the Apache License are better licenses.
BTW - I am a lawyer and this is personal opinion, NOT a legal opinion.
What? Me? Sig?
Using GPL and still wanting to sell "a product". GPL goes well with the service / customization / maintenance business model.
The only guys who were able to do business with a GPL product were MySQL AB. And this because they released it dual-licensed.
I responded for the Nmap Security Scanner project yesterday. We aren't planning to follow suit. Nmap has been GPL since its release more than 8 years ago and I am happy with that license.
I agree that this is not a good trend, and the question is how to reverse it. It is important to note a key reason Renaud gave: the lack of community involvement. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar model doesn't work so well with everyone taking and not contributing back. In the Nessus response, I suggest a few ways that programmers and non-programmers can support projects they use and enjoy. Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.
Meanwhile, I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.
-Fyodor
Or like goat.cx pretending to be goatse.cx
Contrary to a number of comments I'm already reading, Tenable Network Security can do this, as long as they control the copyright to the entire body of work. This would be impossible for some GPL-licensed software for which the copyrights to separate contributions are owned by their contributors. If I am not mistaken, I think Linux falls into this category, so Linux could not be taken out of the GPL unless everyone who holds copyrights over the many parts of the source code all agree on the new license. Won't happen.
For software that is copyrighted by a single entity, be it an individual or a company, the license can easily be changed. However, anyone who obtained the software under the terms of the previous license cannot have the rights that were granted revoked. This means if you downloaded the software and source at any time before the license change, congratulations. You have the GPL'd project in a relatively recent state, and the GPL applies.
This presents an opportunity to fork a GPL version. If enough people are interested, the fork can eclipse the original project, as X.org did to XFree86 when the latter changed its license.
When the 2.2.5 version of Nessus was released, Brian Weaver (formerly of OpenNMS fame) was puzzled why the GPL version wouldn't scan. After hacking through the source code, Weaver found the answer: strong evidence suggesting Tenable Security, the sponsors of the GPL version of Nessus as well as a commercial version, deliberately crippled the GPL version of Nessus. With stunts like this, would you trust Tenable to protect your network?
My UID is also prime.
Tonights forecast: Dark. Continued dark throughout most of the evening, with some widely-scattered light towards morning
Yep, this is just one real-life example of why Open Source can only work for some situations but simply does not make sense for others. At the end of the day developers have to eat and have shelter (and provide such for their spouse/children) too.
Most people understand this principle. But the OSS activists seem to believe that smart developers can donate forever and should be totally selfless. Why is it only the developers? Developers who spent many years of their lives learning to be experts at their complex trade (programming) are expected to donate. Yet the typical help-desk types are "allowed" to charge for their consulting services when they pop a CD in a drive and install the OSS software for a client.
I'll admit, I'm a software developer. But, I know OSS activist guys who charge companies $100/hr consulting fees to implement OSS solutions that they don't pay a dime for. These guys are walking in to a firm, spending a day setting up a PHP server (or whatever) and walking out with a fat-ass paycheck.
But when a developer wants to charge for the software he writes, the OSS community of activists starts hissing at him and brands him with some sort of corporate greed type crap.
Can somebody please explain this OSS-mentality inconsistency????
What I'd like to know is whether or not the competition did make changes to the source code, but kept the changes to themselves and figured they wouldn't be caught since the code they released is in ROMs.
That's just asking for people to start forking their (currently GPL'ed) software even more, which isn't really that good in the 1st place.
Nessus is nice & all, but you can write much more advanced programs in Perl, Python, or PHP5 even.
the only permanence in existence, is the impermanence of existence.
Tenable is profitable, has been for nearly three years, the article is partially incorrect. How would they stay in business this long if they never took VC? Look over at SecurityFocus, they are advertising for positions. Also, they are not charging for Nessus 3.x. This change mainly impacts their competitors that use Nessus.
Dolphins Develop Opposable Thumbs - Humanity Screwed
What some open source zealots, and the vast majority of open source "consumers" don't recognize is that programmers need to eat too. Until these "consumers" stop taking advantage of open source, and start paying... Open source will stay in Microsoft's (and other big corporations') shadow, and very likely even shrink.
... It is not an easy life, I am $200k or more in debt and drive a 1989 CRX Si.
Nessus is not the first, and not the last. Even Hans Reiser has this problem:
See here... Hans Reiser: Doing GPL work is doing charity work [...] That should be and could be changed, but for now it is so. I have done my share of charity, and I would not have a problem doing proprietary work. I think people should keep their lives in balance, and that includes balancing charity work and better paid work.
Here is another: Mute file sharing. Not sure how long this experiment will last.
And one more: Daniel Robbins founded Gentoo linux, went bankrupt, got job at Microsoft
Either help these programmers feed themselves and their families, or expect other big and large profile projects to disappear and become pay-for-play.
I love open source, and contribute money to many projects -- but open source will just prove to be a fad that will start to wear thin on programmers as they get into debt and can't feed their families. The business case for open source software's long-term survival is weak, unfortunately.
I think "to say" is okay grammar in this context. Message boards are similar to talking as much as they are to typing. In any case, it would probably be "to write" instead of "to type" though I lack the grammatical sophistication to tell you why.
I might argue, if I felt like arguing, that "say" implies verbalization which is an unwarranted assumption. "type" implies using a keyboard, which is an understandable assumption. "write" is most correct because it does nor assume the original author was typing, dictating, or using any particular input method.
If you understand what the original writer (no ly)
Ouch. Thank you.
You probably don't need "have". Succeeded is past tense anyway.
It is a little wordy, but not, technically, incorrect.
Could probably argue that you would "develop better writing habits" instead of just "better habits" (what kind of habits?).
Conversely, this was not wordy enough to be completely clear, but again, not technically incorrect.
Oh... and 2 spaces after periods (... funny). Feel free...)
This one is firmly a matter of style, not grammar. Given that I write to specific guidelines that require single-spaces after a sentence, I hope I can be forgiven this most un-stylish style.
Thanks for your comments.
I wonder if the lack of contribution is due to lack of enthusiasm, or lack of experience. If the Nessus code (I haven't looked at it myself, nor used the tool) is hard to understand, then it might be hard for others to make contributions. Alternately, perhaps people just lack experience in the areas of security required to help develop Nessus. The skills required to contribute to say, Firefox or perhaps other projects would be very different. I myself haven't contributed that much to existing GPL projects, though I have submitted a few bugfixes to projects such as GnuGK and a few GPL codelets of my own in various other areas. Much as I'd like to help elsewhere, I simply lack the time, or, in having the time, the experience (and time to learn) required to make a significant contribution.
I think that, sooner or later, the OpenBSD team will come up with some security tools of their own. After OpenSSH, OpenBGP, and OpenCVS, perhaps it is time for OpenNessus?
Please correct me if I got my facts wrong.
Come on! I mean, Open Source is about ... open source. Keeping the software free may be a form of moral crusade for some, but when I release software as open source, I do it for pragmatic reasons. Here's the code, use it, have fun. If some people get offended because their programs get used, but no one gives back, then too bad for you. This may be a two-way street, but moping and closing the source because "people just repackage and sell" will certainly NOT get people to contribute. Writing code, releasing it, and _expecting_ that people will contribute is a seriously flawed view of how the whole thing works. Might as well raise kids and expect them to pay back their bills[*]. If people find the code useful, they'll contribute. But this is still a market economy, and there will always be some people that will try to make a buck. I won't try and plug the BSD license, but dammit there's a reason why it's such a simple license in the first place -- it's pragmatic and realistic. People who really want to will contribute, but the others you won't get rid of.
The GPL is an excellent license to encourage everyone to play fair, and those that don't will get their fingers slapped. But I guess in the end that the Nessus folk do whatever they feel like: they developed, they released, and they'll just sulk in their corner and close the source. The earth still spins, and Open Source will continue to exist, just as it did before ESR started talking about "the community" or "us".
Sheesh.
[*] See the excellent "Alberto Express" if you ever get a chance.
Assuming Nessus could have gotten started without all the GPL software it used in the beginning, like nmap, do you think it would have grown as much in popularity if it was just another closed source scanner?
One of the most neglected aspects of contributions from the community is the advertising an application gets. Does anyone seriously think BitKeeper would have gotten to where it is commercially if it wasn't used for the Linux kernel?
What about the little problem that they are bound by the GPL, too? Having included any patches supplied back to them by anyone under the GPL, they are obligated to release any revision's source to the public, as soon as they distribute the revised software. Developers can't just bait developers with the GPL, then switch to a proprietary license when they decide their arbitrary expectations of benefit haven't been met.
--
make install -not war
Free as in Jim Jones
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
If you have the manpower and ability to create a fork and improve it to compete with Nessus 3 then why are you not already contributing to Nessus?
Fran
:):):)
1st 1st Poster of the new Millennium!
Please don't use "commercial" as a synonym for "non-free." That confuses two entirely different issues.
# Commercial
A program is commercial if it is developed as a business activity. A commercial program can be free or non-free, depending on its license. Likewise, a program developed by a school or an individual can be free or non-free, depending on its license. The two questions, what sort of entity developed the program and what freedom its users have, are independent.
In the first decade of the Free Software Movement, free software packages were almost always noncommercial; the components of the GNU/Linux operating system were developed by individuals or by nonprofit organizations such as the FSF and universities. Later, in the 90s, free commercial software started to appear.
Free commercial software is a contribution to our community, so we should encourage it. But people who think that "commercial" means "non-free" will tend to think that the "free commercial" combination is self-contradictory, and dismiss the possibility. Let's be careful not to use the word "commercial" in that way.
http://www.gnu.org/philosophy/words-to-avoid.html
I know this is off-topic, but could someone explain the "free as in beer" saying? Is it because we work for beer money and that's it?
Slashdot.. Land of nerds, trolls, and FlameBait..
This is something I've been thinking about myself. I have a pretty large web based application that I currently sell access to, and I've been thinking about open sourcing it, free for anyone to use and contribute to.
The problem though is I spend hundreds of thousands of dollars/year developing it, so I don't want John Doe Computer Geek to take it and with little to no investment undercut my prices and sell access to it on his own server.
Is there a license out there similar to the GPL that forbids someone from competing for commercial gain, or charity (free service) against the original copyright holder? This seems like a way to encourage companies to release their code, without putting their business model in jeopardy from doing so.
Open Source Time and Attendance, Job Costing a
Of course it is possible for a small startup to make money from GPLed software. Martin Roesch of SourceFire/Snort fame just made $225 million thanks to the GPLed Snort software that he developed. Also, Renaud at Nessus claims that all these other small companies and startups are making money from Nessus by selling and renting appliances, thereby depriving him of the revenue.
But, the thing to remember is that while any company could make money, not every company will make money. In fact the vast majority of startups fail regardless of whether they rely on selling GPLed software or selling hamburgers. We only hear about the successful ones because the losers are not interesting and then mistakenly extrapolate this into thinking that all or most startups are successful. It isn't like that and it has nothing to do with the GPL.
Renaud's company has failed so far, but he cites his loophole-exploiting competitors as the cause. One must therefore ask, why didn't Renaud sell/rent appliances? Why didn't Renaud use the fact that he developed the software and has greater expertise to distinguish his company above the others? Why does Renaud only want to sell software that, up until now, was free? And finally, why make the binary version available for free but close the source when the competitors can still sell/rent appliances with the free binary versions?
The scary thing about this is a risk that has been pointed out in the past. The risk is that a GPLed project will use the resources of the community to develop an application for a company which will then close the source and reap the rewards of other peoples' work. This is a risk that is countered by the GPL folks by saying well they can't take away GPLed code. This is true, of course. But, the companies can take away the meaningful development work and disrupt the project so badly that it stagnates and dies. This is what is happening with Nessus and Snort right this very moment.
Thing is, while Nessus seems good, except for the points Weaver mentions about the plugins, they would be __nowhere__ as a product, with competitors like ICE and other professional security products. Think of the importance of placement of your product in a grocery store.
...as they presumably did, they documented what external changes were introduced into their official releases, in which case they already know what needs to be removed without a code hunt.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
The point of the GPL is to benefit everyone, not yourself :/
This is one of the counter-arguments used against the GPL. When people start crying "Everything should be OSS", here's a case to point to of it not working.
The GPL does create problems for commercial viability in many cases. You spend tons of time and money developing something, others then market the solutions for it, you get squat in return. This is a problem. The "Well make money selling support" argument doesn't work when others are selling the support better than you can.
Now, perhaps you are inclined to think this is fine. They are better at it, so they should make the money right? Except the only reason they can, is that you put in the up front investment to actually make the software.
What this will lead to is people deciding that open source is not the way to go, or at least GPL-style open source. If it just leads to other people making money off of your hard work, it'll really turn people off to it.
The really cool AutoIt windows automation scripting project had to do the same a while ago.
In that case it was not a problem with the developers not getting paid for their work or not having any community involvement. Instead it was a pride/credit issue. If you release your new version of your project, with some really cool new capabilities that it took you months to develop and suddenly a competing project takes all your hard work and simply copies and repackages it in a matter of days and it gives you none or very little credit (like a small mention in the source code, but none in the actual documentation, web page, etc), at some point you are going to get pissed off and dump the GPL. It is understandable in my opinion.
That actually gives me even more reason to be impressed at those who stick to the GPL regardless of these issues and simply "give" their work for everyone else to enjoy, disregarding even the need to get some praise for their work. That is a true and rare gift, which is hardly appreciated by most.
On his machines? Does he financially contribute to all the devs with all the apps? Donate to the kernel? Maybe he does, maybe he doesn't, I am forced to guess, but just conversationally speaking, he writes code and shares it freely, and I bet a nickel he's been using a lot of free code unrelated to nessus but just as deserving of support.
With that said, I would like a one cd distro (not 4 or 5 or 14 or on DVDs), a nice but not overly huge number of apps, and pay for it. Not a ton of money, but some, say 20 to 50 bucks, once a year release, tops. FOSS, but pay a reasonable fee, where all the loot received got divvied up between the distro packager and the app devs somehow, some formula perhaps. Maybe even select what I want from the vendor in advance (I want this desktop and this set of net apps and this other app and etc), it gets custom packaged as an iso and delivered, either download or a few dollars more snailmail and disk, allowing me to pay what I want for a "distro", and knowing that the payment got shared equally (to those who wanted it) with the devs and teams. I only get security updates for those apps for that year's release then. Now, if you buy a distro, not much goes to the devs for the bulk of whatever is packaged, does it? With this idea, if I had chosen to include nessus in my custom package, he would have gotten my contribution towards his kitty. Multiply by thousands of people, it starts to add up. Better code gets more interest and purchasers obviously, so it's self regulating. Crapware and bloatware wouldn't garner as much interest, as it would cost you MUCH more. See, no fixed price, a floating price based on what YOU want and what has value to YOU, which also gives the devs incentive, as they can see what works and what doesn't. It would also make people want to contribute code to packages, to help out, because they would get a tiny slice then.
Think about how it is now, you'd have to go find all the paypal donations for a HUGE number of apps and various devs, etc. and then you would nickel yourself to irrelevant obscurity with the stoopid paypal fees if you wanted to tip them all. But the distro packager could do this as a good piece of his cut, and completely eliminate paypal, so the bulk of the money would actually go for "support".
There's got to be a way for the user community (who don't code much if any) to "give back" in an equitable manner.
Something like this anyway might be a possibility.
For Nessus to close the source in the next version, wouldn't they have to completely rewrite it? If Nessus 3 is derived from the Nessus 2.x and prior GPL codebase, doesn't that require that it also be released under the GPL?
I'm not sure I'd call it a loophole, as the very intent of the GPL is to allow others to do that.
Good thing they didn't use the BSD license, they would really be bitching..
Hey, that's the price of being 'open', live by the sword, die by it.
---- Booth was a patriot ----
If it is not open source there is no way I am going to use it.
Not because I am a GPL fan, just because I don't use security tools that I can't see the code of for myself.. sorry. My organization won't be upgrading.
Screw them.
So, nessus licensed their code under the GPL. Assuming they owned the copyright to the code at the time they licensed it under the GPL, the license applies to anyone who uses (copies and distributes) that code. That means if you copy (i.e., with a computer onto the memory of a hardware device) their code, you must give the nessus people the changes you made or be liable under standard copyright law. It seems to me, and I'm not a lawyer, that even if said infringing companies don't distribute the code by offering it as a service they provide to customers, they still, at some point, copied it onto their computers or hardware products, and thus owe nessus any source that they changed.
This means:
Companies have no competitive advantages based on software features. They can maybe offer better service techs to go to a customer and scan the networks, which seems like fair competition if that's what nessus's business model is. Maybe the nessus team should change their business model to:
Nessus: "Company, you know you can't compete with us on software innovation. We wrote the code, we're experts, and we understand it better than you. Also, any innovations you make, you have to give to us."
Company: "True, but you guys can't compete with us on availability of service technicians. You can't offer the same inexpensive, quality service and guarantee that we can."
Nessus: "I've got an idea, you pay us fairly as consultants to your R+D department, and your product will be even more marketable with the added expertise we can offer. You can spin it as PR like, 'My Company makes the best scanners because we have THE AUTHORS of nessus working for us'. Also, code changes will be licensed under the GPL, but you would be doing that anyway."
Company: "Wow, everyone wins. We sell a better, more marketable product, we don't throw R+D effort away, nessus staff gets paid, the community gets a great free product, and programmers can feed their families while also doing GPL work. This is truly utopia."
Ok, so that scenario doesn't seem too implausible to me. Am I crazy? Or does nessus just need to figure out what their REAL competitive advantage is.
I have a dedicated Nessus scanning station at work, running on Debian/PPC on a G4 Cube.
Why do I have an odd feeling that this platform isn't going to be supported any more. Hell, I suppose I'll count myself lucky if there's anything but RPMs for installation, let alone "oddball" architectures like mine.
I guess everything good comes to an end. Figures that this would happen right after I talk the boss into ponying up the cash for a plugin subscription. Pffft.
--saint
The CD-ROM put encyclopedia salesmen out of business.
Um, no it didn't. My brother went door-to-door selling 'em last summer. Damn good money if you can do the sales pitch thing.
-everphilski-
In TFA they state that Nessus version 2 will remain under the GPL. Their new version 3 will not be open source or GPL.
At least one person - Dana Epp - alleges that there is a REASON why there are no outside contributions to the scanning core engine:
http://silverstr.ufies.org/blog/archives/000864.html
Dana alleges there wasn't much give and take between Nessus and "the community" which discouraged any contributors.
[In 2002] "I was about a quarter of the way complete the port [to windows] when I ran into some issues with the NASL scripting and I tried to contact Renaud and his crew to point out some issues I found. The help I got? Squat. Nothing. Barely even communicated with me. I only ever got a couple of email responses saying "I was free to do it" when I asked if I could do it in the first place, and a follow up to an issue I found with a quick thanks."
"Screw you guys, I'm going home."
What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write since it's licensed under the GPL and doesn't belong to them.
Even easier than that: They can go to the authors/copyright holders of that code and obtain or buy an additional (non-exclusive) license from them - to use it in their closed follow-on product or what-have you.
Then they only need to strip out and replace any stuff for which they can't identify the copyright owner or that is owned by somebody who refuses to give the extra license.
If I were in the position of such an author, I'd say "Sure. Price is what you'd have paid me to write it as a closed-source work for hire under a T&M consulting contract. Call it $xxx. Be sure to clean-room it if you decide to replace it." And I'd give them a reasonable price, best-guess for how long it actually took me. Then they can decide to pay that, bargain me down, or try to write a replacement for less. Since they get proven code and no hassles, paying up would be a bargain even at my closed-source consulting rates. B-)
Seems fair: They want to play a closed source game, they pay closed-source prices for closed-source code written externally.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
First the difficulty making money off their product. IMO they did a poor job of marketing whatever it was they were selling. From their website it is difficult to figure out not only what you are paying for but when and how you're supposed to pay. I think they were trying to sell priority access to plugin updates or something like that.
They need a big BUY NESSUS front and center on the website if they plan on selling anything. And they need to be very clear and up front on exactly what you're buying and who should be buying.
Second I'm not surprised to see them change licensing as their current licensing seems incompatible with the GPL and the open source movement. Try downloading the package and read the licensing.
That said I've checked out nessus and I think they have a nice product. It's disappointing to see this change of heart but I still hope they succeed.
I was about to go kick off Sussen but it seems MMG Security have beaten me to it:
Created On:24-Dec-2004 01:24:29 UTC
Last Updated On:26-Sep-2005 11:55:35 UTC
Expiration Date:24-Dec-2006 01:24:29 UTC
They've just released on 26 September 2005; hopefully it's a fork of Nessus rather than an unimaginative name for a new project, but I suspect the latter.
Who the fsck are Tenable anyway? I haven't heard of them before today and with any luck I won't hear of them again. If they didn't like the license they should not have released their Intellectual Property under it, and then someone else would have and they wouldn't have enjoyed the free publicity. Have they not seen how well MySQL is doing off the back of an Open Source product? Sounds to me like the problem isn't with the license...
This raises an interesting question about vulnerability scanning though... who could really care less about the scanning engine or how long it takes - the patterns are where it's at; so long as we keep the patterns up to date security doesn't suffer at the hands of this greedy company.
Incidentally, I like the way they're still advertising Nessus as 'THE Open Source Vulnerability Scanner' on their site.
The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.
I have to disagree. I'm a CISA (certified information security auditor) and have used Nessus in audits. About a year ago, I provided feedback regarding Nessus's tendency to damage production services, even in safe mode. These occurrences were not Nessus's fault, but rather the consequence of very poor coding in various network devices. Often Nessus would cause old HP printers (HP Laserjet III was notoriously vulnerable), cheap network fax appliances, and in a couple of cases, Sonicwall firewalls to completely lose their configurations and reset to defaults. 10+ year old printers have a bit of an excuse in my book, but Sonicwall, which advertises as a security product, had no legitimate justification for this behavior. We were able to confirm this from outside Nessus scans as well.
I began reporting this behavior to the Nessus group and suggested a database of vulnerable devices to prevent analysts from getting in repeated hot water. The Tenable folks were not responsive at all and indicated their fear of civil liability due to potential disparagement of network equipment vendors products. Although I referenced numerous other sites, as well as the alternate "compatible device" approach which countless operating systems take, the idea was ignored. I did receive numerous emails from other analysts who had the same concerns.
Tenable has done a good job pushing away its user base and unfortunately moves into a hypercompetitive world of better proprietary tools. I wonder if there's an impatient VC pulling their strings.
I'll definitely support any open source effort that continues with the GPL code. How about calling it Hindmost (for all the Ringworld fanatics out there).
*scoove*
They could keep their code GPL'ed and sell the updates/checks/scripts as their services! WTF! THAT's opensource... everybody could help create a better engine and companies would sell the security tests.. of course someone would release GPL'ed tests .. that's for sure. But that's opensource... I think that's just an excuse to close the code, after the community has done something on it for a while.. something like a thank-you-for-everything-but-i-dont-need-you-anymore...
Being a newbie to Linux in general, I had some hopes of installing Nessus onto RedHat but I kept getting errors. I got the RPMs from atrpms (I think that's the site) however, it keeps prompting me saying there are dependencies and that I can't install before THOSE are installed. And then I wind up trying to install everything I can, with no luck -- and I keep having issues.
So if anybody wants to give me a hand installing it or some pointers, and keep in mind, I'm a Windows-only user (trying to make the switch!), I'd really appreciate it!
The price is always right if someone else is paying.
This is where trademark law becomes handy. If you trademark the name of your GPL product, you can sue those companies that use your name.
I would speak to a lawyer first, or at least read a few books on OSS licenses. There are a number of conditions in the Artistic License that are not enforceable.
How about the following new license ...
... one million dollars ....!
Nessus is subject to the GPL except in as far as it conflicts with the following terms:
1) All versions released commercially, except in accordance with clause 2 below, must bear the tag line "based on a product of the Nessus team - why buy it anywhere else when you can get it from the experts!". This text must be used in all advertising in the same font as the product name. It should be displayed on screen at all times when any textual element (which term includes graphical letter forms) of the program is visible to a user.
2) Commercial distribution can be made without adhering to clause 1 if the following terms are met:
a) The tag line "based on a product of the Nessus team" appears in at least 11pt text on any marketing literature.
b) You pay the Nessus Team
Or basically use the BSD (with advert) license.
Oh, and using a hugely complex configuration file (cf. httpd, sendmail!) will net more consultancy fees.
Like providing annual updates, for instance? An open source engine where you pay yearly for forms, instructions and rules would make a good model. Currently, vendors are too busy competing on peripheral things like interviews and eye candy.
Another, perhaps better model would be for the government to provide the forms, instructions and rules in machine readable format at no additional charge. Then, both open source and proprietary programs can compete with engines to execute them - providing eye candy and interview fluff, or not according to preference.
That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.
I guess they didn't gain anything from Linux, libwhisker, nmap, Bugzilla (MPL, I know - but they use it, and the argument still works), or any of the countless other open source projects. Why is it that coders always feel they don't get their just rewards? Why ever release under the GPL to begin with? Didn't gain anything... pfft.
Nessus gained a reputation as a premier vulnerability scanner because it was open and free -- period. Nessus isn't terribly more special than Retina or ISS Internet Scanner. Look up "vulnerability scanner" in google and your first hit is Nessus because it was free AND open. Had it just been free it never would have gotten off the ground. Seems to me Linux probably wouldn't have gotten very far either. Hey, it's their code (I guess), so they can do what they want with it. I guess they just weren't making enough of their own black box implementation - but they'll need to have some insane tricks up their sleeves if they think they'll make money against whoever forks Nessus 2.x and keeps it free.
Hell the only reason anyone buys ISS's scanner is because it ties in with their whole SiteProtector line.
*shrug*
Some people do manage to make some money from their open source projects... SourceFire. Odd day in open source security land.
http://windows.scares.us
You'd have to be pretty trusting to allow a closed source vulnerability scanner on your network.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Dang, I just submitted this. Ah well, perhaps I'll get a dupe...
Slashdot has now silently slipped into the next phase of its existence, where visitors not only expect but hope for dupes.
Fully licensed blockchain psychiatrist
The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because it's competition is simply repackaging their product.
Is the competition following the terms of the GPL? Is the competition providing the source code? If not, revoke the license for not following the terms of the license. If they are simply repackaging the code verbatim, use that knowledge against them. That's what competition is about.
"So in that regard, we have been fueling our competition, and we want to put an end to that. Nessus 3 contains an improved engine, and we don't want our competition to claim to have improved 'their' scanner."
If it's a false claim, sue them. If they really made improvements, enforce the license. Take their improvements, and merge them into your product. They must release the source code if they release their product. Otherwise, revoke their license. If they don't comply, sue them.
So in the ideal situation, you and your competition will be providing an improved product overall, sharing each other's improvements until the product becomes the de facto standard. I just think that there was a lack of vision and there was no real understanding of the GPL.
Coderz 4 Life
He even had to contact people around (who found security bugs) and ask them to check if Nessus check was valid for certain vulnerability. He did contact me twice, and I did test/review the check, but I never contributed anything to Nessus.
:), I simply never wanted to make it easier for those idiots to perform tasks they were not intended to do, in the first place.
Why?
In all honesty - because of the reason I went out of "security business". It became a business, where every idiot would try to take a "piece of security cake", even if they were complete idiots without clue about anything related to security. Or more precise - "it became a business".
Although I adore Nessus, and used it on few occasions (prefer to do things "by hand"
I admire Renaud for actually surviving this long with GPL license, and I sure admire his dedication to Nessus.
He is right for doing this, and I wish him all the best.
OK, the Sendmail cf is truly mind-taxing, and the manual equally so (to me at least), but I just don't get what's supposed to be so insanely difficult about Apache's config. I, at least, have always found it to be one of the most understandable configs out there (apart from mod_rewrite though) and the manual is excellent. What's the deal here?
BIND config - now that's a candidate for an Extreme Makeover if I ever saw one.
Classical Management just does not understand OSS licenses. It is possible to make a profit from OSS licenses. Still those classical managers want to avoid OSS licenses in favor of classic closed source licenses.
OSS Business Plans are something that classical managers do not understand. Sure the source code is open, and available for download for free, but you can sell the tech support, manuals, training, CDs you burn the software on, other merchandise related to the product (like those Tux dolls and Tux t-shirts that are so popular with Linux), and even bundle hardware with the software and sell the hardware and software in one package (like their competitors did, duh, why didn't they think of that?)
The Windows version of Nessus is commercial anyway, so they must be getting burned by the Unix version?
Oh, BTW, isn't it possible to sell GPL code as a commercial software like all of those Windows environments based on WINE, like CrossOffice, WINEX/Caldega, etc? I mean if that is the case, why drop the GPL license? Or did those modifications on WINE get released from the GPL?
To me, this is not a failing of the GPL, but rather a failing of classical management. There are more modern and better types of business management out there, that leave classical management in the dust. Yet people like me who practice the new forms of business management, get blackballed by classical managers, because we are a threat to them.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Thanks for coming to the party. Thanks for leaving such a wonderful gift.
Live long and prosper,
Mike
Their main complaint was that the competition was selling their product and the FS model wasn't contributing enough.
Lack of contributions could mean two things: the users were "leeching" or the product was really that good, I think the latter because other people were selling it.
You could also assume the competition was better at bringing their product to market. They should attempt to make a deal with the competition to market it and they will develop it.
Everyone wins bigger.
I'll give you THE REASON why there wasn't much of a community around nessus:
Renaud
Yes, that's right. Renaud himself. Schizophrenic, anti-social, flaming Renaud. Let me illustrate:
A few years ago the company I worked for wanted to provide Nessus scanning as a service to people. The CEO himself wanted us to be good citizens in the OSS community (he was a techie before he got into management) so, not quite understanding the GPL, he personally sent an email to Renaud asking if it was ok to do such a thing. He basically got "ya, sure. just tell people that you use nessus" as a response. Of course, providing a service using stuff under the GPL is perfectly legal, regardless of whether or not you modify source code (which we never got around to doing anyway).
Fast-forward a few months. We're creating the service. We join the mailing lists and start asking a couple questions. Almost instantly Renaud flips out. To paraphrase: WHAT THE ____ DO YOU THINK YOU ARE DOING USING NESSUS? WHO THE ____ DO YOU THINK YOU ARE? COMPANIES CAN'T USE NESSUS TO PROVIDE SERVICES! ESPECIALLY IF YOU CHARGE FOR IT! SUPER-ESPECIALLY IF YOU MANAGE TO MAKE A PROFIT (and don't give us a large cut)
Ya, ok. Whatever. Renaud subsequently (in emails to our CEO) threatened legal action against us for things such as "using nessus." Legal improbabilities aside, that totally spooked management and alienated myself and the rest of the development team. Several of us have participated in other OSS projects through irc, mailing lists, forums, contributing patches, reporting bugs, etc. Such OSS participation is generally well-received. With nessus, not one of us who ever tried to participate in its "community" ever felt welcome in the least. To the contrary, every time we dipped our collective toe in nessus's pool, we came away with frostbite.
Renaud appears to have finally woken up to the legal ramifications of having put nessus under the GPL. Namely, he can't dictate what others can and can't do outside the confines of the license. If any of you are considering using nessus in the future, I highly recommend going through his license with a fine-tooth comb. When he sells out to SCO [so he can actually get his threats into the courts and the news], you will want to know how many of your vital organs, children, and relatives that they are going to go after.
I say, GOOD RIDDANCE NESSUS.
With stunts like this, would you trust Tenable to protect your network?
No.
As I've already mentioned, Renaud has never considered his project to be under the GPL. Oh sure, he knew it was under it, but flaming anyone and everyone that he suspected of "working at a company" or "using nessus for profit" or "doing anything that didn't meet Renaud's fancy" was not exactly uncommon.
The reason that there's not a serious community around nessus is Renaud.
From their indication that they haven't seen any significant help in six years, we can presume that the third possibility is unlikely
More like:
"Since Renaud tends to drive away potential contributors with legal threats, we can presume that significant contributions were successfully minimized."
I am $200k or more in debt and drive a 1989 CRX Si.
That pretty much explains everything. GPL does not work for everyone. They need to pay their bills.
As it happened, they kept giving and the competition kept taking. The community didn't give back.
Well, that's one spin on it.
As I've mentioned before, a more reasonable view is that any serious potential contributors were driven away by Renaud's flamingly stupid threats and other rants. It's what prevented the company I worked at from becoming a contributor or participating in the so-called "community."
So, if it does fork and the open source fork gets a lot of development, that would mean one of two things. Either the developer is understating the community involvement or he wasn't that good at drumming up interest in community involvement.
Or, more likely, maybe Renaud personally discouraged community involvement.
I mean, seriously, how many of YOU like to be flamed by a project's evil dictator for trying to participate in the community?
Open source demands higher quality by fostering innovation. What? It's out of control, we aren't innovative anymore! Lock it down boys! We'll deliver closed source solutions now, because some people are better at this than we are.
report_ng.c:1298: warning: cast to pointer from integer of different size
report_save.c: In function `file_save_ok_callback':
report_save.c:87: warning: cast from pointer to integer of different size
report_save.c:95: warning: cast from pointer to integer of different size
xml_output_ng.c: In function `xml_plugins_plugin':
xml_output_ng.c:402: warning: cast from pointer to integer of different size
monitor_dialog.c: In function `monitor_dialog_setup':
monitor_dialog.c:155: warning: cast to pointer from integer of different size
monitor_dialog.c:205: warning: cast to pointer from integer of different size
monitor_dialog.c: In function `monitor_list_update':
monitor_dialog.c:257: warning: cast from pointer to integer of different size
monitor_dialog.c:265: warning: cast to pointer from integer of different size
monitor_dialog.c: In function `monitor_stop_whole_test':
monitor_dialog.c:510: warning: cast from pointer to integer of different size
monitor_dialog.c:524: warning: cast from pointer to integer of different size
monitor_dialog.c:530: warning: cast from pointer to integer of different size
monitor_dialog.c: In function `monitor_input_callback':
monitor_dialog.c:572: warning: cast from pointer to integer of different size
monitor_dialog.c:601: warning: cast from pointer to integer of different size
monitor_dialog.c:603: warning: cast from pointer to integer of different size
monitor_dialog.c: In function `build_plugins_order_table':
monitor_dialog.c:658: warning: cast from pointer to integer of different size
monitor_dialog.c:664: warning: cast from pointer to integer of different size
prefs_dialog/prefs_dialog.c: In function `prefs_dialog_set_defaults':
prefs_dialog/prefs_dialog.c:505: warning: cast from pointer to integer of different size
prefs_dialog/prefs_dialog_scan_opt.c: In function `prefs_dialog_scan_opt':
prefs_dialog/prefs_dialog_scan_opt.c:247: warning: cast to pointer from integer of different size
prefs_dialog/prefs_dialog_scan_opt.c: In function `prefs_scanner_redraw':
prefs_dialog/prefs_dialog_scan_opt.c:326: warning: cast from pointer to integer of different size
prefs_dialog/prefs_dialog_scan_opt.c:329: warning: cast to pointer from integer of different size
prefs_dialog/prefs_dialog_plugins_prefs.c: In function `prefs_plugins_prefs_redraw':
prefs_dialog/prefs_dialog_plugins_prefs.c:280: warning: cast from pointer to integer of different size
prefs_dialog/prefs_dialog_plugins_prefs.c:281: warning: cast from pointer to integer of different size
prefs_dialog/prefs_dialog_plugins_prefs.c:287: warning: cast to pointer from integer of different size
prefs_dialog/prefs_dialog_plugins_prefs.c:288: warning: cast to pointer from integer of different size
prefs_dialog/prefs_plugins.c: In function `prefs_dialog_plugins':
prefs_dialog/prefs_plugins.c:356: warning: cast to pointer from integer of different size
prefs_dialog/prefs_plugins.c:357: warning: cast to pointer from integer of different size
prefs_dialog/prefs_plugins.c: In function `prefs_plugins_redraw':
prefs_dialog/prefs_plugins.c:531: warning: cast from pointer to integer of different size
prefs_dialog/prefs_plugins.c:534: warning: cast to pointer from integer of different size
prefs_dialog/prefs_target.c: In function `delete_session_cb':
prefs_dialog/prefs_target.c:70: warning: cast from pointer to integer of different size
prefs_dialog/prefs_target.c: In function `restore_session_cb':
prefs_dialog/prefs_target.c:114: warning: cast from pointer to integer of different size
prefs_dialog/prefs_kb.c: In function `pref_set':
prefs_dialog/prefs_kb.c:132: warning: cast from pointer to integer of different size
detached_index.c: In function `_stop_session':
detached_index.c:69: warning: cast from pointer to integer of different size
sslui.c: In function `sslui_paranoia_callback':
sslui.c:60: warning: cast from pointer to integer of different size
sslui.c:62: warning: cast to pointer from integer of differ
Uncheck this option to avoid killing (and eating) your sensitive network devices.
Unhappily, we are far from living in an ideal world, where people have mortgages and so many other cumbersome, but also very real, things to pay.
This is something that is overlooked by so many proponents of the open source ideal, due to many reasons, but that could be summed up in two cases: the youthful idealism of smart and talented people who, being young, do not have to care about such mundane things as paying a loan, college tuition and food for the family. And two, the voices of those that already get a living from their (in most cases) well-earned reputations, or in the well-occupied niches of open source enterprise, and so are defending their bread-earner.
I very much agree with those that believe that open source projects could be beneficial for many, even for humanity as a whole. However, I also believe that good work deserves payment, and open source can, in my opinion, only be a money-earner for a very select group of applications and services.
A freshman programmer that has only his talent for coding to attempt to earn a living is going to have a hard time competing with those that have already created a niche. There are only so many business slots for enterprises like Red Hat.
Open source, in my opinion, should, for most cases and scenarios, be viewed as something that is made for the fun and good-will related to it, but not for the prospect of getting money out of it. I am not saying that it is impossible, because that would be a downright lie, only that it is a harder path to take, if you are interested in getting money for your work.
This situation demonstrates exactly why the makers of Nessus were right. This whole history of non-contribution, followed by a "Fuck him for going closed source on us! Let's fork the last GPL release and contribute just to spite him!" response is disgusting! Where the fuck were you people while it was still GPL? Why didn't you care enough to contribute then? Why should anybody respect your ideals when this is how you choose to demonstrate them?
Check out my foes list to see who is so retarded that they can't use the signature line!!!
of course, i would not investigate your story, but i definitely would mod it up - just so that we get more opinion on this factor :)
/. modpoint strategies should be revised somehow. i would prefer 1 modpoint/week that would not expire for a month. usually i either spend my modpoints in a flurry so that they do not expire (and some time later see posts that i would like to mod up) or they expire because i do not see a worthy underrated post for days :/
i think
Rich
Maybe they'll use that?
I really don't get it.
The company announces they are fine money-wise but will close its next version's source to stop all the free-loaders/previous customers that make money from simply repackaging the source.
Therefore i currently can get the software from several distributors and if i need support i can choose between several service providers. Sounds good!
This is a really spiteful move. I decided to put my software under the GPL and now that the GPL is actually doing its work -- customers have more choice, more distributors, more services available -- i note that choice is only good for the customers but bad for me! I earn money with my software and services but so do others, too, oh no. I lock it away. I lock my customers in. It's mine, mine! and you have no right to earn money using my hard work.
On the argument of "nobody's contributing, buhuu":
The argument that the other distributors are not adding code is none. Millions of people are not contributing code and still use, repackage or provide services for FOSS software. It's part of the model and often considered one of the strengths of FOSS.
Maybe nobody contributes because the current Nessus is good enough (for my needs it is) or the contribution process is clumsy or difficult (i don't know). I guess, once the sources are closed, the current version (2.2.5 i think) will be the focus of FOSS development, if there is any need.
it's good enough for me.
- The one, the only, AC.
QPL
I think many of us in the security community have always had the feeling that Tenable was less than forthcoming about their plans. I can remember many a security colleague mentioning things to me about the people behind Nessus. It was that sort of hushed tones, something is wrong kind of thing. Being the skeptic, I initially discounted those conversations.
Later on, Tenable started to make commercial only modifications. The truth started to come out.
Let's get this straight - the only reason why many of us chose Nessus was because it was Free & OSS. We could have just as easily chosen other tools to use instead. The commercial vulnerability scanners of the earlier era were far better at that time.
Now they want to change? Good luck.
I'm looking forward to whatever OSS tool takes the place of Nessus.
Oh and another thing too, on setting the record straight. Tenable might be the sole authors of the core scanning engine, but they definitely benefited *GREATLY* from external plugin authors.
The project didn't have major contribution because it miserably failed building a community around it.
Major external contributions would now stifle the possibility of a license change, and Tenable was founded after Nessus gained popularity.
No one except Renaud (and possibly a few others) is in the position to confirm or deny that this was intentional rather than occasional or simply miscalculated. But I believe anybody with good sense who has been on the developer mailing list for a while can see the reasons for this.
I already said this some time ago, when the licensing terms for the plugins were changed.
13-4=54/6
It is a great idea open source but it rarely works out. I am a software developer and what I see is that software developers are not always paid well. Yet the companies who use open source products can and do make hefty profits. So I would argue that what all developers should do is always charge hefty fees for whatever they code. Let's all unionise. Forget the squabbling between the wintel faction and the linux lovers. Let's join forces and screw big business. The work we do is complex, complicated and tiring. I am damned if I am going to do anything for free. From today we all charge 1000 USD per hour - non negotiable. This is a call to arms. Join me.
But that is the POINT of GPL - Free Love, and all which goes along with that (sex, drugs, source code). Isn't it the POINT of GPL for others to use? So what if the "competition" [sic] uses the same source -- that is the whole idea!
"Competition" [sic] since if you give away your source code, you agree that you have no competitive interests.
(that preview was way too fast)
If you release a commercial product as GPL OSS - which I have done - you have to be ready to go with it hook sinker and all. Which the Nessus people obviously weren't.
Going OSS with a working closed source product can but only have ONE SINGLE commercial benefit: As a marketing ploy. That's the simple truth.
If you have a finished piece of Software and you want it to soar by going GPL, you'll have to be ready to play the informal and emotional turnpike for all that's involved. That works well by tying the product to a single person who built it and maintains it (Kasper Skarhoj -> Typo3, Linus Torvalds -> Linux Kernel, ...) and so forth.
Nobody has interest in forking Typo3, because nobody can move as much as Kasper when it comes to T3. He knows what's going on. He's the emperor and the T3 people are his minions. He serves them and thus they are ready to follow him. If Kasper started getting pissy with all people involved, they would be off on their own very fast. PHPNuke went that way. The creator didn't make the transition from mere programmer to community leader/maintainer. He was sad that no one paid him for what he'd done and started withdrawing from the unwritten deal. And so Nuke was forked something like 10 million times and eventually died the death of Über-forkage. It's not the top PHP CMS anymore.
Bottom line:
GPLing stuff only makes sense as a business if you are willing to move along in the evolution of the product. Nessus could do huge moves with a GPLd version. Even I know the name, although I'm not a security guy. That they withdraw all mixed up because competition is using their stuff only shows that they don't understand. From the GPL point of view, that others are using Nessus is an advantage, not a downside.
We suffer more in our imagination than in reality. - Seneca
using the GPL as it was intended, to prevent vendor lock-in
That's one of the good parts of the GPL (it has many), as intended. But it also has unintended consequences which are bad.
Where in the GPL does it say "Code re-marketers will make higher profits than developers"? Nowhere. Yet, there is a cost associated with developing a package, but people who merely copy and market a GPL package bear none of that cost. Consequently, the GPL favors pure marketing companies at the expense of developers who also try to market their product. The developers will always lose out, simply because they have higher costs.
In order to be fair to developers, the GPL would need to carry an additional clause which stated: "The GPL is not concerned with marketing, but respects any marketing conditions required by the author(s) of the software as long as such conditions are compatible with the GPL. THIS LICENSE IS VOID IF SUCH CONDITIONS ARE NOT MET."
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
1) wouldn't this leave the door wide open for litigious bastards like scox?
2) what about those who contributed in ways other than providing code? For example: I provide a lot of valuable testing and feedback because I *think* I am contributing to an open source project. Then the project pulls a 180 degree turn, and tells me: "HA HA your efforts have only served to make us $$." Doesn't seem fair, and doesn't make me want to contribute to other projects.
Good to hear from a source of authority on the subject. Security scanners aren't my thing, so other than the basic licensing issues, I don't know the qualitative difference between Sourcefire and Nessus. However, if the Debian maintainer (ehem) is less than enthusiastic about Nessus, that's a pretty strong statement about the future prognosis of "Gnessus".
HAHA Hooray open source!
Now, fork Nessus, put it on Sourceforge, and work on it once every 3 years, then fail.
If you are the source of all wisdom then it is very simple: stop creating the code. Your competitors would come to you begging you to fix things.
Obviously the competitors are good enough to support the base code, so maybe the original company is not as good as they would like to think...
IANAL but write like a drunk one.
That's just what he did. However people here seem to be pissy about it.
Can't have your cake and eat it too.