Nessus Closes Source
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because its competition is simply repackaging their product. Deraison writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN: Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.
I agree, though, they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.
Or rather, using the GPL as it was intended, to prevent vendor lock-in.
From their indication that they haven't seen any significant help in six years, we can presume that the third possibility is unlikely.
And, of course, old versions will still remain under the GPL (happily).
Throw the bums out!
They can't go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that haven't agreed to the new license... If Linus wanted to close-source Linux all of a sudden, he couldn't do it either.
That's actually not true at all. They still own the code; the GPL is a license, not a relinquishing of ownership. What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write, since it's licensed under the GPL and doesn't belong to them.
And obviously, the existing version can't be relicensed either. The latest release under the GPL is stuck there from now until forever.
They can't relinquish the license of course. Anyone that wants to take that code and maintain it themselves is obviously free to do so.
AccountKiller
Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)
-- Sig down
Choice 1) Pay (a likely non-existent) legal team huge amounts of cash to come up with a new license that is legally sound in all of the respects that need to be accounted for in their position.
Choice 2) Close source code.
Seems to make sense to me...
The FSF says nothing about the GPL and community giveback. It says only that the GPL exists to give users freedoms to use and modify software. Indeed, "The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity." (emphasis mine)
Penny - plain text accounting
I agree - in principle - but principle doesn't put food in your mouth or pay the rent.
These guys did a wonderful job. Six years contributing to software that was obviously so good that other people could make money off it. It's one thing to work on an open source project in your spare time, or to be employed by one of the few companies that can leverage free software to make money, but these guys aren't. So unless you are working on the kernel, on Samba or one of maybe a dozen other projects, you can't give up your day job.
Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code. Rather than berating these guys for leaving the fold, thank them profusely for the six years of hard work.
If you don't like it, fork it. Once GPLed, always GPLed, and only V3 and above is going closed.
Norman Cook's Ode to Sl
"So, if it does fork and the open source fork gets a lot of development that would mean of two things. Either the developer is understating the community involvement or he wasn't that good at drumming up interest in community involvement."
A developer who wants community involvement really has a lot going against him. There are only a handful of Linuxes, Mozillas, and KDEs, out of the hundreds of thousands of OSS projects out there. Probably only a single-digit percentage of OSS projects get any significant community help. To get in that percentile, you have to have an interesting, high-profile project AND be VERY good at drumming up support.
Properly stated, there's a third possible interpretation of a successful fork: the maintainers were doing a fine and dandy job and no one from the community had an itch to scratch, until the gravy train stopped.
one hundred twenty
is just enough characters
to write a haiku
I know at least one group of experienced open source programmers that is preparing to announce a new open source vulnerability scanner project or Nessus fork. It would be encouraging for such a fork to succeed.
Fyodor, what can those of us out here do to help make that a possibility? One of my common frustrations is that much of the open source community thinks at a very low level and rejects broader perspectives because the initiators of the projects are often exceptional programmers (at the expense of not being exceptional documentation writers, analysts, managers, communicators, etc.). Some will want to shoot me for saying it, but every technology project needs a hell of a lot more than software developers to make it go. A project needs the help of great documentation writers, testers, managers, analysts, evangelists, etc. to make it, and more importantly, needs to have a culture of taking criticism and evaluating it objectively in order to have a chance at success.
Nessus's rejection of a system vulnerability database was unfortunate but not unexpected - I smell a VC in a room with a bunch of programmers (and nothing in between), plus a bunch of sensitive "Not Invented Here" egos. Nessus needed to integrate with its user community because its success was very dependent upon their feedback. Nmap has succeeded perhaps because it is a more concise tool with a focused objective and I've seen you take feedback out there and honestly respond to it.
I agree that this is not a good trend, and the question is how to reverse it.
Success in the open source community is still a rather unpredictable, undocumented (and too often, unrepeatable) event. Successful projects like nmap have happened through their founder's exceptional ability in demonstrating more than just coding ability, yet the community does little to document, educate and communicate this aspect. Projects tend to continue to make the same mistakes. Perhaps a start would be a FAQ on successful open source project methodologies that explains that brilliant code is only one of a dozen components required for success and details the others - perhaps building upon the best practices of the community's successful projects? If Nessus and others are to make it as viable open source, we need to build upon the understanding that it takes more than great code to succeed.
*scoove*
Is it just me, or is this bafflingly ambiguous? I'm sure if I read the whole thing it would be clear, but I have no idea what that sentence is trying to say. I'll just stick with BSD for now.
LOAD "SIG",8,1