Slashdot Mirror


Nessus 3.0 discussed

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of its going closed source, Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What will happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."

131 comments

  1. GPL resistance? by dada21 · · Score: 3, Interesting

    What is the primary reason that corporate policy precludes using GPL'd software? I thought the friction was reduced in the most recent GPL version. Is this being addressed in the next GPL?

    I know some consider it broken, but Nessus is fairly popular, and the GPL resistance seems a key reason for going closed source.

    1. Re:GPL resistance? by dada21 · · Score: 3, Insightful

      But are most users incorporating Nessus code or are they using Nessus as a standalone product?

      I'd assume utilizing GPL'd software in a standalone fashion should have no bearing on your output, right?

    2. Re:GPL resistance? by fpu · · Score: 4, Informative

      Fyodor (author of NMAP) posted about Nessus going closed source on the nmap-hackers mailing list some weeks ago. It seems that Tenable's main point is not GPL-resistance from the enterprise customers, but rather the fact that there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors. I, for one, can see their point, even if I am a strong advocate of free software (free as in FSF, not OSF).

      However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we will no longer be able to look under the hood. Since many of us automate Nessus directly through the command line client and parsing of NBE files, I believe this will have very little impact, even on power users.

      --
      /usr/games/fortune: command not found
    3. Re:GPL resistance? by Kjella · · Score: 2, Insightful

      Because the GPL is viral in nature. If one of your developers links the source code of your flagship product with a GPLed library, your flagship product now must be released under the GPL... It may sound like FUD, but it's also true...

      My, what a classic troll. Almost antique. Distributing without a valid license could lead to civil and criminal penalties, but never to forced release of code. Complying with the license afterwards would have no influence on your legal liability. The developers may offer to drop the lawsuit in return for complying instead of suing for $150,000 / incident, like the RIAA/MPAA. In other words, OSS developers are typically extremely forgiving compared to other copyright holders.

      --
      Live today, because you never know what tomorrow brings
    4. Re:GPL resistance? by Master+of+Transhuman · · Score: 3, Interesting

      "there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors"

      First, the two points are independent.

      And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project? That's irrelevant to anything. Naturally, due to the nature of the concept of OSS, it would be BETTER if a community of developers appears and supports the project - that's the advantage of OSS over proprietary. But it's not a requirement per se. In fact, however, it usually indicates that there is a REASON for this - which might be how the project is run, the technical difficulty of the project, the niche market for the project, or any number of things - some of which might be solvable, some may not.

      The second point is just a refutation of the concept of OSS: instead of trying to make money from support or other business models using OSS, just dump the concept and go back to being proprietary. It's NOT A REASON, it's a CHOICE!

      And again, it goes back to the what and how of the project. Does Linus complain that Sun uses Linux while producing OpenSolaris - arguably a "competitor"? Granted, Linus doesn't view himself as a "competitor" in business against Sun - he's simply a developer who wants to advance the state of the art in OS building.

      The problem is, the Nessus guy does view himself as a competitor in a closed market. He wants to use Nessus to produce other security software and sell it. He views everybody else who uses Nessus to produce other security software to sell as "competitors". Well, they are - if that's your business model.

      It's an issue of perception, however, not necessarily reality. It's also an issue of whether you feel you can BE competitive on a level playing field - obviously this guy doesn't.

      That doesn't make his choice the right one - it's just his choice. I think it will cost him in the future.

      Open source doesn't mean you don't have competitors. Every project stands or falls on its merits in the marketplace of ideas. That's why we have something like a thousand Linux distros - most of which are utterly irrelevant to most users and utterly irrelevant to the position of Linux in the marketplace of users.

      And open source as a SOURCE of business models is not different. The question is whether you can develop a business model that allows you to make money - or even get "rich" (whatever "rich" means to you), if you're smart enough - and that's really not relevant to open source as a development model.

      Some people deride open source as a bunch of geeks working for free while somebody else gets rich off their efforts. While this may in fact happen on occasion, it isn't a direct consequence of the OSS development model.
      The only place where it might be an issue is in developing something that can be seized on by a company like Microsoft which ALREADY has a monopoly position due to its closed source model and its business practices and then turned against the OSS developer. The GPL was intended to prevent this by disallowing the incorporation of OSS software into a proprietary product and closing off access to the source.

      But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product. The OSS COMMUNITY says that you SHOULD return value to the original OSS product. But that doesn't always happen, nor should it always happen.

      If you develop an OSS product, and try to make a business out of it, you should be smart enough to assume that other people will take your product and try to develop a business around it as well - and conduct yourself accordingly. If you believe in the OSS model, you can find ways to continue to develop using that model and still compete effectively.

      The Nessus guy just doesn't believe in the OSS model, it's that simple.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    5. Re:GPL resistance? by rxmd · · Score: 2, Insightful
      And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project?

      I guess the project developer certainly does.

      But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product.

      If I understand correctly, the competition wasn't exactly from competing OSS projects, rather from companies providing services around the system that he built. In effect, he had a hard time competing with them, because he had to develop the software, while his competitors in the service arena just used the software he developed. As far as I can see, this is a perfectly legitimate point.

      The Nessus guy just doesn't believe in the OSS model, it's that simple.

      You could also put it that way: he tried the "OSS model", it cost him while providing zero benefit, so he drops it again.

      Open source really should be a two-way street. If the community only takes your work to profit from it and provides very little in return, there's no incentive for a developer to do open-source work.

      --
      As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
    6. Re:GPL resistance? by Master+of+Transhuman · · Score: 2, Insightful


      While I agree that OSS should be a two-way street, it doesn't require EVERYBODY using an OSS product to contribute to the project.

      The idea that all users should be developers is nonsense. "Contributors", perhaps - "Here's a feature we'd like you to provide" - but even there, some people may use a product and be perfectly happy with what it does and not need anything else.

      You can't say they can't use it just because they don't contribute to the project. That's just making a contract law substitution for a monopoly - "You can't use this unless we benefit directly." How is that different from the RIAA and MPAA wanting to license every possible meaning of fair use to produce revenue?

      It's normal that humans do this - no human can possibly allow any other human to somehow profit from the first one's actions. It's just not human nature. But it's not rational and it doesn't work to the benefit of the species as a whole, and thus it doesn't work to the benefit of most individuals, due to the economic effects.

      As for people developing services around the product that compete with the developer's own services, this is, as I pointed out, irrelevant to the OSS model. It's the BUSINESS model that matters here, not the development model. So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

      The OSS model did NOT "cost him" - his business model - or lack of one - is what cost him.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    7. Re:GPL resistance? by Tony+Hoyle · · Score: 2, Interesting

      Not really, what he said *is* true.

      If your application links with *any* gpl code it cannot be distributed without making the whole application GPL. That's the reason for corporate policies against using GPL software - the risk is too great.

      'complying with the license afterwards' == 'release your software as GPL'. Not acceptable - and most companies would *prefer* to pay $150,000 per incident than do that.

    8. Re:GPL resistance? by LurkerXXX · · Score: 2, Insightful
      So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

      It certainly is relevant. Now his competitors have to put in the effort to try to figure out how to speed it up by 5 and spend a LOT of their time coding. That puts it on a much more even level than him doing all the work for them.

      OSS *IS* the problem with his previous business model.

    9. Re:GPL resistance? by m0rph3us0 · · Score: 1

      What if I link to MS code without a license? Same thing, except getting sued into oblivion instead of having to rewrite some GPL code.

    10. Re:GPL resistance? by JDizzy · · Score: 1

      When a developer goes OSS, one of the common motivations is to foster the creation of a community around the project, and I'd say lifting the development burden is secondary, while a very nice side effect. So when the community doesn't materialize, or meet the expectations of the principal creator, then it is fully justifiable for an alternative project model to take shape.

      Not to seem rude, but you write like a self-serving, egocentric user, and we developers don't have to please you. You are the lowest form of life in the cycle. If you were to contribute to the project, instead of expecting it to roll forward without any contributions, then you pretty much have no voice. This is kinda like bitching about politics and not registering to vote.

      Rationalizing the move from OSS to closed source in terms of what is good for the species scares me. Please stop thinking in such absolute terms, and besides, you're wrong anyway.

      Good day,
      -J

      --
      It isn't a lie if you believe it.
    11. Re:GPL resistance? by _Sprocket_ · · Score: 1
      Not really, what he said *is* true.

      Feel free to point out any time that this has been the case. There have already been numerous discoveries of GPL violations. These situations have either led to the removal of GPL'd code, or more likely, proper publishing of code in compliance with the GPL. I have not seen a single case where any code has been involuntarily released under a GPL license. Granted - the distinction is very slight. But the offender has always had the option. And I would suppose the underlying decision is whether it would cost more to replace GPL code or comply with the license. And even releasing code is not handing over a product. Go download GPL code from Tivo and see how close you are to a knock-off product.

      The point is that the GPL is not public domain. And it would seem that some individuals either genuinely or willfully lack this understanding. These individuals put their employers at the same risk as they would ignoring any other license - including common proprietary licenses. No more, no less... not that this is a minor issue.

      One final point - dealing with GPL code is certainly doable. There are plenty of corporate entities simply using GPL code without consequence. Developing with GPL code requires the aforementioned understanding of the GPL. But it's not hard to work with. Again - ask entities like Tivo.
    12. Re:GPL resistance? by Kjella · · Score: 1

      Not really, what he said *is* true.

      If your application links with *any* gpl code it cannot be distributed without making the whole application GPL. That's the reason for corporate policies against using GPL software - the risk is too great.


      No, it is still bullshit. If you intentionally include GPL'd code, naturally you have to abide by the GPL. Complying with the GPL or choosing not to use GPL'd code are both perfectly acceptable corporate policies, so I don't understand where you get risk from. Unless you mean the risk of illegally using GPL code in a closed source application, which is their criminal behavior and not a problem with the GPL. Naturally there is always the risk of developers using unlicensed code, but that is identical to all other code licensed from third parties and not specific to the GPL. You run into the exact same trouble if your developers use a library licensed for one product in another product.

      'complying with the license afterwards' == 'release your software as GPL'. Not acceptable - and most companies would *prefer* to pay $150,000 per incident than do that.

      Let us presume that GPL code has unintentionally (from the company's point of view) been included in a product. Under no, I repeat no circumstances can a company be forced to release their software as GPL. In itself, complying with the license means nothing. The only time it matters is if it is part of a settlement with the copyright holders. Neither side needs to offer nor accept a settlement. The only penalties that can be forced on a company are those set in copyright law, and they are entirely identical whether or not the license is GPL.

      The original post is trying to spread a lot of FUD which claims that GPL code is viral and different from any other code. That is complete bullshit. GPL code is licensed on specific terms, and if you fail to comply or use it outside the scope of the license there are penalties like with other third-party code. All it means is that GPL code must be treated like commercially licensed code, not "do whatever we want with" code like BSD licensed code. The only thing the original post does is to take a generous way out and present it as some extra nasty catch with the GPL.

      --
      Live today, because you never know what tomorrow brings
    13. Re:GPL resistance? by Master+of+Transhuman · · Score: 1


      Not necessarily. His competitors in the SUPPORT business don't need to do anything. They can just wait for another set of OSS developers to fork the project, build in the speed improvement (you think they can't figure out how to do that from the existing code - or by reverse-engineering the new binary?), and then the support competitors can go right back to competing with him again on a level playing field.

      The worst that can happen to his support competitors is that they lose market share by having to wait for the fork and speed increases to be developed. I doubt they'll have to wait long...

      So again, he's blamed the wrong thing for his failure to compete. The OSS code is not the problem - it's his execution of his support business model that is the problem. And by blaming the wrong thing for his failure, he guarantees that he will continue to fail.

      Worse, he's cut his own throat. Now instead of having people utilizing HIS product - and thus maintaining some contact with and even control over the competition - he has forced others to either fork his product or come up with even better products which he will have NO control over - and which his support competitors can use to even greater advantage.

      Dumb, very dumb.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    14. Re:GPL resistance? by Master+of+Transhuman · · Score: 1


      I said nothing about "expecting to roll forward without any contributions". I said it is not required for everybody who is a user to be a contributor, nor is it required that a community develop to BE an OSS project.

      And where did I ever mention moving to closed source as better for the species than OSS?

      Are you sure you're responding to the right post? If not, get a clue.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    15. Re:GPL resistance? by LurkerXXX · · Score: 1
      You're making a big assumption that another set of OSS developers WILL fork the project and continue development of it. Sourceforge is littered with dead projects that the original creators have stopped working on, and no one else has touched the code. FOR YEARS!

      Even if some OSS developers do pick it up, you're making another huge assumption that they will be as good coders as the original developer, and work on it as hard as someone who's trying to base his living on it.

      His failure to compete is because he has to do two things, develop the code AND support it, while his competitors only have to do one thing. Support it.

      I don't think he's cut his own throat at all. He's proven that his program is a very real asset. Lots of folks use it. He's also shown that there is no one out there who's totally committed to improving it, because he hasn't received any help from other OSS developers. Looks like he's sitting pretty to me.

      When no one else is helping out and your competitors are living off your work, doing what he did is absolutely the smartest thing he could do.

    16. Re:GPL resistance? by Master+of+Transhuman · · Score: 1

      "His failure to compete is because he has to do two things, develop the code AND support it, while his competitors only have to do one thing. Support it."

      How is this different from any other closed source company? They have to develop and support, too, and their competitors in the SUPPORT business only have to support.

      Entire classes of VARs exist that do just that.

      And saying "support" means customization of the code, as some people here have said, is just a red herring. It doesn't. It merely means you know the software well enough to use it properly and guide clients in its proper use.

      Not to say that customization of the code isn't a valuable service that only the developer of a closed source product can do. But then, the developer of an open source service can do it, too, and indeed this actually is one of the means the developer can enhance his product - by adding code extensions requested by support clients. The fact that other support competitors can do it, too, isn't significantly different. In fact, since those enhancements are also under the GPL, the original developer can take them into his product just as easily. So in reality, any of his support competitors who modify the code are in fact contributing to his product (assuming he has some access to that code, which obviously is not always the case. But that's an issue for the competitor's clients, too, because now they have a fork in essence.)

      We'll see what the results are. If Nessus is that valuable, as you say (and I believe it is), and if in fact, as someone here said, that the problem was that enhancements were actually rejected by Tenable, then I expect it WILL be forked and he'll end up with MORE competitors, not less.

      And that will prove my point.

      Of course, it will also prove that the OSS model works - because consumers will now have a choice between Tenable's version and the new fork. And that's the proper result of competition.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  2. Hold your horses by xfletch · · Score: 3, Informative
    Before the open source hordes come rampaging it is worth noting that Nessus is still free.

    Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software.

    They are looking to make money on their support of the product, which is a well established model.

    1. Re:Hold your horses by Kjella · · Score: 4, Insightful

      They are looking to make money on their support of the product, which is a well established model.

      And fully possible without closing the source. The name can be protected by trademark, and people will rather have the developers supporting it than someone else. Besides, there is no reason to assume it will continue to be free. Basically, it's no longer an OSS project, it's freeware given away by a business. Been there, in general rarely been happy with it. Expect NessusPlus for $$$ soon.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Hold your horses by canuck57 · · Score: 1

      They are looking to make money on their support of the product, which is a well established model.

      Although it is still free, many will choose not to run the newer version without the source. The reason is simple: security. With the source code being open it can be reviewed: first by the contributor, then by the approver and, if needed, by yourself.

    3. Re:Hold your horses by Master+of+Transhuman · · Score: 1


      At the moment, I'm not saying that's not a good thing. It's good that the new version of Nessus will still be free (albeit with restrictions.) And of course there's nothing wrong with charging for support - that's not even an issue here.

      I'm just saying the guy doesn't accept the OSS model anymore.

      That's fine, but his reasons aren't reasons - they're either irrelevant or simply a refutation of the OSS model per se.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Hold your horses by paranode · · Score: 2, Informative

      Yeah but they closed the source because competitors were getting all of the fruits of their development for absolutely nothing. Once you move out of the 'useful little app' phase and into something that people are seriously interested in for the large scale, it's time to reconsider giving your product away for free so somebody else can make money off of it. Most people would call this success though I guess the grumpy OSS zealots hate to see 'free' software developers actually get paid for their work.

    5. Re:Hold your horses by Sancho · · Score: 2, Informative

      As I understand it, the company was getting no return on the GPL investment. That is, they weren't receiving many, if any, patches from their users. And what's worse, their competitors were taking their ideas and innovations and using them in their own products.

      I like having the source available to me, but some people aren't in it for the humanitarian aspect. The owners saw no benefit in releasing the code under the GPL and were having some detriments, so they stopped.

    6. Re:Hold your horses by Anonymous Coward · · Score: 0

      If I can't compile it, I'm not interested.

    7. Re:Hold your horses by CliffH · · Score: 1

      And what would be so wrong with NessusPlus for $$$? It is a company. They DO have to pay the bills. They were getting VERY LITTLE outside help from other developers. I say go for it. It is and has been an excellent product and I'm sure we'll get nothing less on the quality side in the future, be it free or for money. I for one would buy their product if they decided to sell a Plus version and would still use their free version as well just to give them a bit more support. I'm a LOUSY programmer for the most part so I have had no way of helping them through code, but I'm sure there are plenty of decent coders out there that could have helped, have used their product, and either didn't bother or were going to get around to it eventually. We have ourselves to blame if we think this is some kind of punishment (which it isn't).

      Ok, I'm done with my rant. I guess the only thing left to say is to keep your chins up and keep up the excellent work; there are plenty of people out there who do and will continue to support you, even if it does go to a pure commercial product (which no one has said that it will).

      --
      sigs are like a box of chocolates, they all suck remove the underscores to email me
    8. Re:Hold your horses by Kjella · · Score: 1

      Yeah but they closed the source because competitors were getting all of the fruits of their development for absolutely nothing. Once you move out of the 'useful little app' phase and into something that people are seriously interested in for the large scale, it's time to reconsider giving your product away for free so somebody else can make money off of it. Most people would call this success though I guess the grumpy OSS zealots hate to see 'free' software developers actually get paid for their work.

      No, it is simply a recognition that OSS project goals (make the best possible product for free) tend to align better with my goals than commercial company goals (extract as much profit as possible, create upgrade "incentives"). Closing the source is an obvious step in this transition. By all means, let them compete on a commercial basis; next to OSS the best thing I know is working and active competition. But they are no longer OSS software developers, so I will treat them like any other commercial offering. And that is actually quite different from OSS projects, which I consider to be people scratching the same itch. I consider OSS projects to be on "my" side, the customer side, in something like a co-op. Closed source projects are on "their" side, the supplier side, and are generally those you haggle with to get a fair deal. If you've ever been involved in negotiations, you will know that makes a world of difference.

      --
      Live today, because you never know what tomorrow brings
    9. Re:Hold your horses by TuringTest · · Score: 1

      As I understand it, the company was getting no return on the GPL investment. That is, they weren't receiving many, if any, patches from their users.

      There are other ways of getting a return on being GPL other than having patches. I'm sure that a lot, if not all, of its popularity was due to Nessus being a good GPL project.

      Now that it has dropped the GPL part, I predict it will lose a lot of popularity too.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
  3. More info links by lampiaio · · Score: 5, Funny

    Wikipedia entry
    Official Website

    sorry, bad karma makes people do this kind of post...
    :(

    --
    My other account has mod points.
    1. Re:More info links by sploxx · · Score: 0, Offtopic

      sorry, bad karma makes people do this kind of post... :(

      Eh? Demanding sympathetic modders?!

      Is this the newest trick after

      "I'll probably get modded down for this"

      and

      "Don't mod me up"?

      I doubt that this will work :-)

    2. Re:More info links by HeliumHigh · · Score: 1

      Whoa, watch it! He's a desperate man, just trying to save face!

      stupid karma whore

    3. Re:More info links by paranode · · Score: 1

      Also known as karma martyrs. Though I'm not sure if the OP realizes by inserting that jab at himself he got funny mod points which don't increase your karma!

    4. Re:More info links by Anonymous Coward · · Score: 0

      my next 5 mod points will be just for you. enjoy those overrated!

  4. Comment removed by account_deleted · · Score: 1, Insightful

    Comment removed based on user account deletion

  5. Seems simple enough... by Anonymous Coward · · Score: 5, Interesting

    You own the project. You can decide whether it's open source or not.

    However, some questions:

    1. Can someone more familiar with the licensing process elaborate on the pandora's box here?

    Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

    2. Why wouldn't they just keep the CVS tree accessible by main developers and give only those important people commit access?

    Like pretty much any large project (*BSD, Linux kernel) does? Yep, I know -- they make it so those without such access cannot check out code just to see if they want to be part of the project in the first place. But could they be convinced if enough people show interest? I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

    3. How long until we see OpenNessus or (insert clever derivative name here)?

    Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

    Just curious.

    1. Re:Seems simple enough... by iggy_mon · · Score: 1

      http://it.slashdot.org/article.pl?sid=05/10/06/1853248&from=rss

      "you are a code contributor who in **good faith** contributed a patch or entire modules"
      It seems that there were not many contributions by the OSS community anyways. They've been GPL for SIX years w/ little support from those who know how to program. Shame on us, I guess. --iggy

      --
      --iggy_mon - www.ananonymouskiller.com - Die Trying -
    2. Re:Seems simple enough... by eht · · Score: 2, Interesting

      1. Many open source projects require you to transfer copyright of any submitted code to them, not to sublicense it to them under your choice of code.

      MySQL, for example, will license you their source in either GPL or non-GPL varieties so that you can incorporate it into your software to resell and not provide a license. They can dual license because they own all the code; they could not dual license if someone had submitted code under the GPL to them.

      They also seem to have not had very many people contribute back to them.

      2. They can't close up the GPL'd source any more than you can because they've already released it, but now future improvements won't be released to the public.

      3. In about as long as it takes for someone to register a domain and post the code. Whether or not it will be developed much is really the question.

      One of the problems the Nessus team faced is that they would sell support, but because the project is open source and available to anyone, anyone else could also sell support, or make their own improvements and rent out "Nessus servers". This is one of the holes hoped to be "closed" by the next version of the GPL, but we'll see.

    3. Re:Seems simple enough... by penguin-collective · · Score: 2, Informative

      Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it?

      If the project is (L)GPL and you contributed under the GPL, they can't close the source.

      If the project is, say, MIT, X11, or BSD licensed, and you contributed under one of those licenses, then they can.

      I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

      There is no problem; a project like Nessus shouldn't need more than a handful of developers. However, a large user community is still useful: they act as testers and generators of ideas.

      How long until we see OpenNessus or (insert clever derivative name here)?

      I would guess fairly soon. Personally, I'd like to see a rewrite, though, and a better UI.

    4. Re:Seems simple enough... by Master+of+Transhuman · · Score: 1

      I don't see how the next version of the GPL can "close" that "hole". And if it does, we're likely to see more proliferation of licenses than we have to date.

      The idea that providing support for an OSS project independently of the project is against the OSS concept is just nonsense. The GPL is intended to ensure access to source code and prevent that source code from being appropriated by proprietary companies and closed. Nothing more. It says nothing and should say nothing about how money is made around OSS. While I assume Stallman would like to see everything "free as in beer", the GPL has recognized from the start that it isn't likely to happen and has never required a restriction on making money from OSS.

      I CAN see using trademark law (or the equivalent license terms under a new GPL license - which would be better) to prevent someone from taking an OSS project and using the NAME to brand your own (possibly incompatible or even totally different) version. After all, that's what Linus is doing with the Linux trademark (and others are doing with other OSS projects.) The purpose of trademark law is to prevent consumers from being misled about a product and to prevent fraudulent representation of a product - both laudable goals in the marketplace and appropriate in the OSS model.

      The problem will be how to specify in a license the conditions that establish that including an OSS product in your product and then using the name of that product is IN FACT being used to misrepresent your product. I'd say that's a tough one to construct. That's where legal proceedings or arbitration come in, usually - establishing the facts of a situation.

      We don't want to err on the side of preventing people from incorporating an OSS product in their product - one advantage of OSS is to produce useful products that can be built on to produce more useful products. We don't want to throw the baby out with the bathwater because some people prefer to take an easy way out in building their business model around an OSS product, to the detriment of the original OSS product or its developer.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    5. Re:Seems simple enough... by magsilva · · Score: 1

      > Imagine that you are a code contributor who in **good faith**
      > contributed a patch or entire modules under the assumption that such
      > contributions were going to be under that open source license. Now
      > that the company pulls the source and closes it down, does that mean
      > they took your work and will use it for their closed source purposes
      > without your consent?

      Absolutely not. If you contributed a whole module or file, you own the copyright for it (unless you transferred the copyright to the copy). So, if they want to change the license they must: 1) Make up your mind so you change the license of your contribution. 2) Remove your contribution from the product.

      > 3. How long until we see OpenNessus or (insert clever derivative
      > name here)?

      IIRC, in the same week they announced that Nessus would be turned into closed source, someone else created a fork.

    6. Re:Seems simple enough... by magsilva · · Score: 1

      > Imagine that you are a code contributor who in **good faith**
      > contributed a patch or entire modules under the assumption that such
      > contributions were going to be under that open source license. Now
      > that the company pulls the source and closes it down, does that mean
      > they took your work and will use it for their closed source purposes
      > without your consent?

      Absolutely not. If you contributed a whole module or file, you own the copyright for it (unless you transferred the copyright to the copy). So, if they want to change the license they must (1) make up your mind so you change the license of your contribution or (2) remove your contribution from the product.

      > 3. How long until we see OpenNessus or (insert clever derivative
      > name here)?

      IIRC, in the same week they announced that Nessus would be turned into closed source, someone else created a fork.

    7. Re:Seems simple enough... by m50d · · Score: 2, Informative

      Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

      Depends on the license. Some things, such as the Linux kernel, just want you to license it under GPL to them, in which case they're going to have to write a replacement for your part. But other projects require you to assign copyright to them - MySQL and Qt do this so they can release closed-source versions, but also e.g. the FSF requires assigning copyright so they can enforce violations better. I imagine Nessus required assigning copyright, otherwise a license change like this would be impractical. But then again, the reason for this is apparently that they were getting very few code contributions, so maybe the author has just rewritten everything that was contributed.

      Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

      It's happened already. http://sf.net/projects/segusius

      --
      I am trolling
    8. Re:Seems simple enough... by allan_q · · Score: 2, Informative

      If the project is (L)GPL and you contributed under the GPL, they can't close the source.

      Unless all contributors agree to re-license their work. IANAL, but I think this allows future versions to be closed.

    9. Re:Seems simple enough... by Anonymous Coward · · Score: 1, Informative

      Two forks are mentioned on wikipedia:
      OpenVAS
      Porz-Wahn

    10. Re:Seems simple enough... by Tony+Hoyle · · Score: 1

      If there are *any* then they have to contact the authors and get permission or remove the code.

      Even if it's a single line if it's contributed under GPL it remains GPL unless the original author decides to relicense it (although it'd be difficult to prove a single line GPL violation in court, and most wouldn't bother).

      Changing OSS project licenses is a difficult job, and for some projects may not even be possible short of a complete rewrite.

    11. Re:Seems simple enough... by Anonymous Coward · · Score: 0
    12. Re:Seems simple enough... by penguin-collective · · Score: 1

      Yes, if all copyright holders agree, then they can alter the license. But the question was from someone who presumably didn't want to agree to such a change.

      Incidentally, that discussion thread points out the reason Nessus has so few open source contributions in it: when people have submitted plug-ins, Tenable has usually just rewritten them themselves in order to be able to control the plugins and support their subscription-based business. For them to complain that there is very little open source software in their code is disingenuous.

  6. This only goes to show... by TechnoGuyRob · · Score: 4, Interesting

    ...that as technology grows more and more sophisticated, companies will start outsourcing more and more. It used to be affordable to hire a guy or two as permanent company staff to manage your website or network servers. But now you need to ask an entirely different company to provide you the services necessary for network administration.

    Hopefully, Nessus 3 will also solve some of the problems Nessus has been having. According to Wikipedia, "some of Nessus's vulnerability tests can cause vulnerable services or operating systems to crash." For those who are wondering, Nessus scans for vulnerabilities mostly on the application and network layer. Usually it port scans open ports for vulnerabilities, and looks for various network problems such as computers in promiscuous mode, etc.

    For any of you network admins out there, a friend of mine has a medium business LAN and has been using Nessus, and it's working very smoothly for him; however, I recommend looking more into it before making any quick decisions based on Slashdot articles.

    1. Re:This only goes to show... by SpectralDesign · · Score: 1

      Okay, so I didn't read TFWikipediaA, but I've used Nessus lots, and never had it create a DoS or system crash... as you configure it, it makes it quite clear that certain tests can cause these problems and you have to be extremely explicit in your configuration of a pen-test to enable those modules... It's important that they be there so that you can set up a sandbox and really try to knock the lights out of your servers, but if someone runs these same modules on a production box with vulnerabilities they kind of deserve what they get, no?

      Actually, I decided to read TFWA before posting anyway, and it clearly states:

      Some of Nessus's vulnerability tests can cause vulnerable services or operating systems to crash. The user is provided with the option to disable these "unsafe tests."

      So there you have it... it'd be a bad idea, imho, to remove said modules, because they are valuable to some people in some circumstances, and if you're simply not paying attention and enable them carelessly maybe you'll learn from your mistake when your network goes up in smoke!

      --
      Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
    2. Re:This only goes to show... by redmoss · · Score: 2, Insightful

      If there are Nessus tests that can cause a service or OS to crash, then that service or OS has an urgent security vulnerability that needs to be fixed. I wonder whether these vulnerabilities have been posted to Bugtraq and the like? Or maybe they are widely known, but the companies who produce the vulnerable product never fix it?

    3. Re:This only goes to show... by Anonymous Coward · · Score: 0

      Nice troll. Start with a little bit of techie biz. Hit Wikipedia, scan for some basic facts and toss those in the middle (include links to leverage your "hard" work and provide some appearance of information). Then sandwich it with some "advice" and a little dig at Slashdot. All fluff.... but it sounds good. Subtle - but effective. Congratulations.

  7. even though it's still free by know1 · · Score: 2, Interesting

    the sad thing about closed source is there is no way to tell what info is being sent back to the manufacturer, a la microsoft.

    1. Re:even though it's still free by Cheapy · · Score: 2, Insightful

      The sad thing about open source in this case is that people were just using it and not contributing back. Maybe if some people pledged to contribute if the source was released, things could change.

      --
      Would you kindly mod me +1 insightful?
    2. Re:even though it's still free by kailoran · · Score: 1

      Well, you can always sniff if there's *any* info being sent back at all - and if there's none, you're fairly safe. And to be honest, it would be really silly if Nessus tried to phone home with anything (silly as in the company shooting its own foot).

    3. Re:even though it's still free by bamf · · Score: 1

      If you are experienced enough to run something like Nessus, then you can also run Ethereal or similar and watch the network traffic.

    4. Re:even though it's still free by magsilva · · Score: 1

      Or maybe the author simply didn't accept any contribution, couldn't create a good structure to foster the community around the software development and so on.

      I do not believe that no one has never ever contributed to Nessus.

    5. Re:even though it's still free by magsilva · · Score: 1

      still free? No way, this kind of "free" is not the same as before.

    6. Re:even though it's still free by Cheapy · · Score: 1

      Oh, of course they got SOME contributions. But if you remember, the OTHER reason why he made it closed source was because competitors were simply taking the code and using it.

      To use hyperbole: If you were fighting a war, would you give your enemies weapons?

      --
      Would you kindly mod me +1 insightful?
  8. Centaur? by Anonymous Coward · · Score: 0

    Wasn't Nessus that one centaur who killed Hercules?

  9. End of the day, you don't eat good intentions by xtal · · Score: 5, Insightful

    It's unfortunate it went closed source versus a service-supported model, but in the real world, there's cheques to sign. If one group is doing the efforts and not being compensated, that's the cathedral model, and cathedrals have collection plates. Open source works best when users are developers. That also explains the state of most of the user interfaces on the more complicated projects. (sarcasm, but with a grain of truth)

    Something else I've noticed is open source works well on widgets and shared components and APIs. Once the toolset becomes very focused and vertical in appeal, the model works less well - unless the users are also developers.

    It will be interesting to see how the forked version works.

    Smoothwall has done a good job with their approach. We'll see how it continues in the future.

    --
    ..don't panic
    1. Re:End of the day, you don't eat good intentions by Master+of+Transhuman · · Score: 1

      "but in the real world, there's cheques to sign."

      Let's not forget also that in the real world, there are people who figure out how to get checks signed - and people who don't. That's true for proprietary software companies, too.

      If you can't figure out how to make money from open source, the decision is usually to go closed source.

      Says nothing about open source as a business model, really (especially since open source ISN'T a business model, it's a development model). Says lots about the decision maker.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    2. Re:End of the day, you don't eat good intentions by Anonymous Coward · · Score: 0

      Heh... yeah, I'm sure Nessus want to be associated with that Smoothwall guy's insane rants and cursing at users and opensource.

    3. Re:End of the day, you don't eat good intentions by NDPTAL85 · · Score: 1

      Actually it says EVERYTHING about the open source business model. If it is far easier to make money with the proprietary business model than the open source business model then that means the open source business model SUCKS .....at least for making money.

      What it says about the decision maker is that they're smart enough to realize that trying to make a crappy business model work is a waste of time.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    4. Re:End of the day, you don't eat good intentions by _Sprocket_ · · Score: 1

      The Industry is paved by failed companies following proprietary models. And that's the point; business is difficult no matter what strategy you follow.

    5. Re:End of the day, you don't eat good intentions by NDPTAL85 · · Score: 1

      The success rate of proprietary business models is far greater than that of open source business models. It's such an obvious tenet that most people don't even attempt open source business models to begin with because they know that 9 times out of 10 it's an exercise in futility. So yes, business is difficult no matter what strategy you follow, but that's no reason to go about picking a business model even more likely to cause you to fail.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    6. Re:End of the day, you don't eat good intentions by _Sprocket_ · · Score: 1

      I'm not so sure that IS an obvious tenet. The problem would be coming up with decent hard data to show this one way or another. Otherwise, this is simply a statement of personal perception. It would seem mine is different than yours.

      Having said that - I won't claim that a business based on Open Source code is easy. And, in fact, it is probably counter to many individuals' instincts. So it may very well be harder. But on the other side, there are plenty of industries based on commodity products that manage to thrive and differentiate themselves.

      An interesting point would be that Nessus was being used as a commodity; someone else was apparently doing a better job at selling Nessus than Nessus' developers / sponsor. That seems to indicate something wrong with Tenable. What's more, a project as well-received and respected as Nessus should be seeing plenty of involvement - other projects do. Again - is this more about Tenable than Nessus? And if so... will Tenable be around in another couple years?

      I know my organization was looking at IDS systems. Nessus, although highly regarded, was not in the running. I would be surprised if I ever see Nessus 3 mentioned.

    7. Re:End of the day, you don't eat good intentions by NDPTAL85 · · Score: 1

      The nature of open source gives way to far more leeches using your stuff than actual contributors contributing. And it's not exactly a commodity. A true commodity is a commodity even to the company that sells it. With open source, some company out there is actually putting in the effort of creating the product which is then released for free (either GPL or BSD license) to the world. So for the rest of the world it's a commodity; for the author it's their creation and they need to profit from it regardless that it's a commodity to others. So yeah, there was something wrong with Tenable...they're the creators. The open source business model is great if you're a leech. Leeching isn't limited to individuals. Whole companies can benefit via leeching. But if you are a creator, open source basically screws you. For those who care more about information freedom, then that's just fine. But if you have more head on the ground concerns, then you need to find another business model and quick.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    8. Re:End of the day, you don't eat good intentions by _Sprocket_ · · Score: 1

      The nature of open sources gives way to far more leeches using your stuff than actual contributers contributing.

      It can. And it has in some cases. The real issue is whether the leeches are damaging you or not.

      And its not exactly a commodity. A true commodity is a commodity even to the company that sells it. With open source, some company out there is actually putting in the effort of creating the product which is then released for free (either GPL or BSD license) to the world. So for the rest of the world its a commodity, for the author its their creation and they need to profit from it regardless that its a commodity to others.

      Take any given commodity market and there are expenses to bringing that product to market. Sure - the author is incurring an expense. No surprise there. Sure, they need to make a profit. Any business does. The point being that plenty of businesses operate within markets that do not have the luxury of proprietary products. The proprietary piece is NOT required (even if it can be an advantage).

      So yeah there was something wrong with Tenable...they're the creators. The open source business model is great if your a leech. Leeching isn't limited to individuals. Whole companies can benefit via leeching. But if you are a creator open source basically screws you.

      Well - I can agree that the situation stinks for Tenable. It has to be aggravating to see someone else being successful with your work where you are failing. But the issue of what was wrong with Tenable is not the Open Source business model. Tenable failed to attract community involvement. And they failed to capitalize on their work, even as others were doing so. Switching to a proprietary model is not going to solve these issues.

      For those who care more about information freedom then thats just fine. But if you have more head on the ground concerns then you need to find another business model and quick.

      I'm not so sure. My professional loyalties lie with my employer. As such, those high-headed ideals like information freedom are important. After all, the information and architecture should belong to my employer and not any given vendor. I am, and have been, much more interested in products that will fall in line with my employer's best interest. So any business that does pay attention to those ideals will have an advantage over more "grounded" businesses. We do buy Open Source products. YMMV.
    9. Re:End of the day, you don't eat good intentions by Master+of+Transhuman · · Score: 1

      "If it is far easier to make money with the proprietary business model than the open source business model then that means the open source business model SUCKS .....at least for making money."

      First of all, as I said, the OSS model is NOT a BUSINESS model, it is a DEVELOPMENT model. Therefore your entire argument is irrelevant.

      Secondly, you can produce a business model around the OSS development model to make money with. Red Hat and numerous others do. If Tenable is trying to develop a support income from Nessus, THAT is the business model. Whether it is successful or not depends on the details of that model and the execution of that model.

      Ergo, if Tenable can't, their business model is wrong - or more likely nonexistent - or poorly executed - and it's irrelevant to the OSS development model. Therefore going closed source is not going to help them - which is exactly what I predict.

      Which means your second paragraph is wrong, too - the decision maker just made another bad decision that will likely end up costing him his business in due time - because he's blamed the wrong thing for his failure and that's guaranteed to continue to make him a failure.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  10. I got some interesting results on my PC by Anonymous Coward · · Score: 0

    I ran Nessus 3.0 on my Windows PC which caused it to leap up and jump out the window. Anyone know how I should interpret these results?

    1. Re:I got some interesting results on my PC by Master+of+Transhuman · · Score: 2, Funny

      Switch to Linux - I assume that was the last output Nessus put up on the screen before the PC left...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  11. Has anyone ever thought... by Zombie+Ryushu · · Score: 1, Troll

    That maybe this is a betrayal of the Open Source and Free Software initiatives that we hold valuable.

    I'm poor, so I know that I'm going to be flamed into Hell. But I don't care. These people closed source on something that open source proponents need: good network administration tools.

    Money be damned. They hurt the F/OSS cause doing this. Whether they owned the copyright to Nessus is beside the point. This was a serious setback that will take those of us who use F/OSS Software months and possibly years to recover from, as we have to go through the trouble of creating an OpenNessus, or FreeNessus or GNessus, and then fight potential legal battles against the closed Nessus because it might hurt the closed Nessus's legal battle.

    Not to mention those security holes that could potentially go undetected in Linux because of the falling behind of the Closed Nessus's progress. The ripple effects of these actions by the Nessus creators will serve to weaken the overall community.

    The hardest part will be finding the qualified people to start the Open Nessus. So, we are looking at two years of fallback.

    I hope these guys are proud of themselves.

    1. Re:Has anyone ever thought... by bamf · · Score: 1

      There is a moral in there somewhere.

      Support open software, or you'll lose it.

      If people had contributed to Nessus in the past then this situation wouldn't have happened. The only people who are likely to be harmed by this are the ones who did nothing to help in the first place.

    2. Re:Has anyone ever thought... by muleboy · · Score: 1

      I'm as big a free-software supporter as anybody (I am releasing all of my graduate work GPL), but I don't see your problem here. You can fork the last GPL version, you don't have to start from scratch. The great thing about the GPL is that there are no take-backs. Is it someone's obligation to keep working on a GPL project you like? Hell no. As long as they aren't trying to take contributors' GPL code and close that (I'm quite sure they have dotted their i's and crossed their t's on this one), then they are doing nothing wrong. Don't like it? Fork. That's probably the single most important aspect of "Free" when talking about Free Software: if you can't fork, it's not Free. Quit yer whinin', it makes the free-software movement look like a bunch of self-entitled crybabies.

  12. oh goody. by /dev/trash · · Score: 0, Flamebait

    It was Opensource that kept it so slow. I am glad it's going closed, so I can get 5 times the speed.

  13. Violating by Dropping the GPL? by Doc+Ruby · · Score: 1

    They can't use v2 source in a v3 product, because then keeping contained v2 source secret would violate the v2 GPL. So they're writing v3 from scratch?

    --

    --
    make install -not war

    1. Re:Violating by Dropping the GPL? by porneL · · Score: 1

      GPL only grants rights and doesn't take any. Because the owner of the code has all rights to modify and redistribute it anyway, he can ignore the GPL.

      They just have to throw away any code that has been contributed under GPL, because that code is not theirs.

    2. Re:Violating by Dropping the GPL? by Doc+Ruby · · Score: 0, Flamebait

      Ah, but you just legally violated yourself, asshole. Try saying something someone can understand, or shut up. The keyboard is not your friend.

      --

      --
      make install -not war

    3. Re:Violating by Dropping the GPL? by Doc+Ruby · · Score: 0, Offtopic

      Moderation -1
          100% Flamebait

      TrollMods can't tell the difference between my Flame and someone else's Flamebait.

      --

      --
      make install -not war

  14. Wrong by Lifewish · · Score: 2, Insightful

    They wrote effectively all of V2, they can do with it as they wish (the GPL is a nonexclusive license, hence the success of dual-licensing). The only hairy issue is patches from the FOSS community, but apparently those were few enough to be handled on an individual basis or something.

    --
    For the love of God, please learn to spell "ridiculous"!!!
    1. Re:Wrong by Doc+Ruby · · Score: 1

      I don't know what you mean by "nonexclusive", but the GPL certainly does require compliance with its terms: any changed GPL'd code distributed requires release of all source code. It's an interesting question whether the licensor is bound by the license - probably not. But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

      --

      --
      make install -not war

    2. Re:Wrong by Lehk228 · · Score: 1

      There is no question that the licensor is allowed to offer their own GPL'd code under any other license, or stop participating in GPL distribution of the code. Any patches submitted under the GPL would keep the project GPL only IF the copyright is not transferred to the original project. Many projects require copyright transfer to contribute; one notable exception is the Linux kernel itself, which will probably never be anything but GPL due to the massive tangle of licenses covering damned near the whole thing.

      --
      Snowden and Manning are heroes.
    3. Re:Wrong by say · · Score: 2, Insightful

      If you study FSF's GPL howto, you'll notice how important it is that you first preserve your copyright of the code, then GPL it. This is to establish that you - the copyright holder - choose to do the GPL on your own rights. Notice how this only works because you own the rights yourself.

      You can obviously withdraw this later, but people who have used/copied/improved/whatever'd your code won't be forced to stop using it. This is specifically stated in the GPL. But I can take what I own the copyright for, and release that (or a derivative) under a different (non-GPL-compliant) license.

      So the licensor is obviously not bound by his own rules. He defines the rules, because he is the licensor. The code he has released can't be recalled to his command, but he can do what he wants with his own copy. Contributions to a GPL project are often copyright-transferred to the project maintainer, which would make the above apply to them as well. If not, individual agreements would have to be made if Nessus wants to bring them into v3.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
    4. Re:Wrong by Yaztromo · · Score: 4, Interesting

      But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

      The simple solution to which is simply to remove the contributed code completely, and independently re-implement its functionality (if having that functionality is desired and/or necessary).

      I had to do something similar (but for a release in the opposite direction -- from closed source to OSS) for the jSyncManager Project. The version 1.0 series was coded entirely by myself, and was only ever released as closed source software (albeit as 100% free-as-in-beer software via the web; I completed v1.0 of this project as a thesis project, and felt that getting outside help by allowing others to inspect and comment on the code might have been considered "cheating" by some). A few weeks after v1.0 was released, I was hired by IBM Canada as a software developer.

      The problem then became that nasty contract provision you have to sign when you join a company like IBM: the "what's yours is ours, and what's ours is ours" agreement, which basically states that anything you develop while employed by the company, even if it is completely on your own time and uses nothing learned from your employment at the company, belongs to the company. Fortunately, I was able to list existing technologies I had developed prior to joining IBM on said contract -- they were exempt so long as I stopped working on them while employed by the company.

      There was, however, significant interest in the technology within IBM, and an IBM branded version called "ManplatoSync for Java" eventually made its way to IBM's alphaWorks website. It included a significant rewrite of the GUI code, along with some new functionality, parts of which were contributed by other IBM employees. The intention was always to release the sources under the IBM Public License -- but the legal eagles had continuing discussions (which I wasn't part of), and kept holding off on a source release (the whole discussion of which apparently died once I was released from the company).

      When I was later let go from the company, and free from their restrictions as to what I could and couldn't work on, I decided I wanted to release the jSyncManager as Open Source Software. But I couldn't just take ManplatoSync for Java and re-brand it back to the jSyncManager -- it was encumbered with IBM copyrights. I couldn't even retain functionality since jSyncManager v1.0 which I myself had written in those intervening 2.5 years, because it too was considered IBM property (never mind the fact that I wrote it and didn't get paid one single red cent by IBM for any of it. Indeed, when I was later invited to speak on the technology at various conferences, the company forced me to use my own vacation time to do so).

      At that point, I had two choices: give up and find something else to work on, or suck it up and go back to the pre-IBM sources and work from there. And that's what in the end I decided to do: I took my pre-IBM sources, made them Open Source, and then worked my ass off to re-implement all of the lost functionality (along with a lot of functionality that the IBM releases never had, like USB device support and network data synchronization), and released it all as GPL/LGPL software.

      The Nessus team could very well have elected to do something similar -- just strip out any external contributions, and then work from there. The unfortunate thing about going from Open Source to Closed Source, however, is that contributors are now forced to take the team's word for it that they stripped out any such contributions (assuming that they didn't re-assign copyright to the Nessus project when they were submitted -- something I've never asked any of my contributors to do), as you can't look at the source to see if your code is still in it (i

    5. Re:Wrong by Doc+Ruby · · Score: 1

      That's a pretty clear analysis - thanks. And a cute .sig, too :).

      --
      make install -not war

    6. Re:Wrong by Doc+Ruby · · Score: 1

      That's a fascinating story that certainly sheds light on this whole subject. I'm curious why you released the source under GPL, and whether that worked out as you expected.

      --
      make install -not war

    7. Re:Wrong by Yaztromo · · Score: 2, Interesting
      I'm curious why you released the source under GPL, and whether that worked out as you expected.

      There were a few factors which played in this decision:

      • I was fresh out of work, and needed a project to keep me busy,
      • I didn't want to wind up in a similar situation with my next employer. By releasing the code as GPL/LGPL, and putting it on SourceForge, at least it couldn't be buried in a filing cabinet somewhere, even if I weren't permitted to work on it anymore (and with more and more employers in the computer industry permitting their employees to work on OSS projects on their own time, I was hoping that by being OSS when joining any such company I could potentially continue to work on the project under such a framework),
      • Perhaps most importantly, the project was getting too big for just one person to work on. I needed outside help, but didn't have the money to pay people to work on it. Nor did I think it would be feasible to make it into a commercial product (although corporations are our biggest base of users, the jSyncManager is a tool that only a small fraction of a percentage of corporations have a need for, so finding customers would have been extremely difficult and expensive. The corporations which use the jSyncManager are spread all around the globe, with the majority of them overseas. Being Open Source made it easy for them to find us and try out our code with no outlay of funding from me -- under the closed source model I would have had to spend a pile of money on all sorts of advertising just to find these customers in the first place)

      How has it worked out for me? As with anything, there have been upsides and downsides. On the upside, in the end I have made some money from the project, through being hired as a developer and consultant in implementing it for a medical data system. I'm not making anywhere near what I did as a developer at IBM, but it's sufficient to live off. It's also allowed me to make some contacts and open some doors -- it's quite easy for me to show an organization my experiences in managing a diverse, dispersed team developing a fairly large project, and they can also see the overall project (and code) quality.

      On the down side, I know what it's like for a project to have more users than contributors. I'm still the largest contributor to the project, and do the vast majority of the work (although this itself has increased and decreased over time -- some contributors come and go, while others have become too busy with their professional lives to contribute on a regular basis, but still follow the project). External contributions are very rare (but are greatly appreciated whenever they are given!). I can pretty much always use more help -- as it is right now, I do the vast majority of coding, administration, technical support, releases, and documentation. And as I do have responsibilities outside the jSyncManager Project, this often means that development appears to be very slow (it has been more than 2 years now since our last "final" release, although we have had a number of alpha and beta releases since that time (part of the delay being due to some time I served in the Navy and was unable to do any development)).

      It also doesn't completely help that the very devices the project is designed to communicate with (PalmOS based handhelds) have been seeing a diminishing market share. It's always easier to find contributors and users when your target audience is increasing, rather than when it is decreasing (although a decreasing share can have an interesting bubble-effect, as those who are still embracing such a technology look for groups they can partner with for a reliable, medium-to-long term solution. Open Source is very attractive in this area, as you never know when a commercial, closed source partner might go out of business, or stop offering the product or support your organization needs).

      So, as with anything, you have to take the good with the bad. My experiences seem to have tended towards the good, although the benefits aren't always immediately tangible.

      Yaz.

  15. That which is within my power.... by Zombie+Ryushu · · Score: 1

    It is beyond my ability to help them. I have used what little expertise I have to do what I can to contribute, but I cannot contribute what I do not have. Only now am I completing Intermediate C++. Why did I choose to take Intermediate C++? It wasn't a part of my major in IT, and I didn't need any more electives.

    I did it because this is the third neglected Open Source or Closed source project I had seen. First ZDaemon, a formerly Linux accessible Network for Doom 1, 2, and Final Doom, until the maintainer decided he didn't like Linux. And then FreeDroidRPG because the lead programmer went to work for the Red Cross, a noble pursuit, but there was no one to replace him.

    Now there's this.

  16. open source != open source project by penguin-collective · · Score: 5, Interesting

    'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.'

    If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors.

    Just writing software, making it open source, and having it become popular doesn't create an "open source project"--you have to design and manage the project as an open source project. You have to make it easy for people to contribute, organize the code appropriately, be nice to potential contributors, and give people an incentive to contribute.

    (Just one data point: last I looked at Nessus, it didn't look like a good foundation to build on for our needs.)

    1. Re:open source != open source project by Master+of+Transhuman · · Score: 1
      Excellent point.

      As I say in posts elsewhere, the fact that supposedly nobody contributed to Nessus probably has a REASON behind it, and in any event is irrelevant to the decision to close the source. They're simply trying to say that it won't make any difference by closing the source since it was all theirs anyway - and that it is not necessarily true.

      The REAL reason is they can't figure out how to compete against people using their product without closing the source.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    2. Re:open source != open source project by pjay_dml · · Score: 1

      "If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors."

      EXACTLY! Thank you for pointing out the bloody obvious, that those who commit will never be able to accept, nor identify, as self-criticism is (seems to be) a virtue.

      I've seen this with so many projects, it's not even funny. One won't believe how many projects out there expect the product alone will suffice for hordes of developers to lick their fingers to contribute.
      And when it doesn't happen, Open Source sucks, not them, nor their approach to project management, nor the interfaces they provide for contribution (from APIs, to web forms).

      ...just one more anecdote to highlight this issue *sigh*...

    3. Re:open source != open source project by shaneo · · Score: 1

      This is pretty radical over-simplification of the situation.

      The open source development model typically requires either:

        a) an individual or small team to build a single-purpose utility and subsequently share it with the community (e.g., fetchmail);
        b) a very compartmentalized functionality tool where pieces of significant value can be delivered by building smaller components (e.g., the gimp);
        c) an individual or group with some funding source building a larger utility/application and while either sharing it or not during the development process, usually where the "partial work" is of nominal value (e.g. Linux)

      Many open source projects suffer from the delusions that the world will be their free development team because they have a good idea (look at all the projects with no files uploaded on Sourceforge) or misclassify themselves in the above categories.

      Open source is not a well-proven model for applications per se. You end up with either gimp-like poor UI design (compared to commercial counterparts) or a commercial organization having to co-opt development for their own, ultimately commercial, purposes (e.g., Open Office). There are very few examples that violate this, although there are a few.

      Projects absolutely need management, but few fail because they're poorly managed. Most fail because they offer no immediate value to the world at large in their current form (see comment above), and still others fail because they're poor implementations or poorly architected. Yes, bigger projects require bigger and better project management, but if they're that big, they're typically funded commercially to get those resources.

      Nessus has had a funded company behind it for a while now and was a well-managed product. However, funding your competitors by providing free technology and content (e.g., Nessus plug-ins) is rarely something that's understood by investors and Boards of Directors.

  17. GPL is a license, not a copyright transfer by xtal · · Score: 1

    If I write code and release it under the GPL, I retain the copyright. I am free to issue that same code, under another less-free license to use. Or, completely closed, as it is in this case. That decision does not affect prior releases.

    I am NOT free to pick up my marbles and go home; anyone USING the GPL version of the software has been granted the right to redistribute, so long as they include the source and maintain the GPL. That's the "viral" bit. The code has been infected by the GPL, and any modifications are now subject to those terms.

    A good example of this is FFTW; you are free to pay a reasonable fee if you wanted to include this in a product that was closed source, because the copyright is managed independent of the GPL. At least, that was the case.

    The only issue is developers who contributed without an express written transfer of copyright, or a prior agreement. That code would have to be removed and re-written.

    --
    ..don't panic
  18. So Here's The Deal by Effugas · · Score: 4, Interesting

    OK, so this is a fairly painful post to make. Ron Gula and Renaud Deraison were the first guys to bring me out for an interview after I graduated from college, and I've been supporting their attempts to manage those who really do just steal Nessus. But, in the interest of intellectual honesty, I've been asking around regarding the closing of the Nessus source.

    First of all, according to multiple sources, apparently the reason why there isn't a significant number of free plugins is because Renaud et al simply don't accept them, or when they do accept them, they substantially rewrite them enough such that a non-free version is what eventually makes it into the source. Now, I don't know this from personal experience -- and Renaud et al are welcome to deny this -- but this preference for suppressing the GPL component of Nessus has been strong enough that contributed free plugins have been suppressed because of overlap with non-free.

    Such behavior does not grow a developer community. Tenable has implied that there's a lot of leeches out there, and while indeed they have to suffer the most pernicious of parasites (companies that just rebrand their code!), there's good evidence that says the reason they don't get much code from the community is that they supposedly refuse what they do get.

    I wouldn't speak up on this, but I have to balance my continuing appreciation for Renaud et al's work (which, mind you, still has a very nice license for our needs) against the need to stem accusations that nobody ever tried to give back to Nessus. People have tried.

    1. Re:So Here's The Deal by thogard · · Score: 1

      ...do just steal Nessus
      So are you saying the people who use it without paying are stealing it, or are you talking about the companies that are making other products and taking the ideas out of Nessus and using it in their own products?

    2. Re:So Here's The Deal by Effugas · · Score: 1

      thogard--

      There are entire companies that just take Nessus, slap a new UI on it, and release a 1U appliance that audits enterprise networks.

  19. Let me ask you a question by paranode · · Score: 1
    Do you enjoy being poor then? Because if you do then maybe you can create a useful product that's used by tens of thousands of businesses at no charge and you will be poor forever.

    Yeah the hardest part was finding qualified people to work on the existing open Nessus. Nobody did... competitors got the product for free and used it for their own profit, now we are here. Kudos for Nessus for having the balls to put food on the table despite the rantings of inconsequential zealots.

  20. Thanksgiving by Anonymous Coward · · Score: 0

    Personally I regret their decision to go closed source but let's not forget that open source developers are *volunteers*. Just because they like to donate their time writing free code *does not* mean it should be taken for granted or that it is their duty. So let's thank the nessus developers for all they've given us so far instead of bitching about why they're not continuing to give.

  21. What do you mean, "Funny"?? by lampiaio · · Score: 5, Funny

    "Funny" gives me no karma points! Get those informatives moving!

    --
    My other account has mod points.
    1. Re:What do you mean, "Funny"?? by Surt · · Score: 0, Offtopic

      You've completely missed one of the fundamental rules of slashdot moderation. Mods do the opposite of what you tell them to do.
      Mods: I forbid you to find this post insightful!

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  22. Fork Nessus by Philip+K+Dickhead · · Score: 0, Flamebait

    F**k Tenable.

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  23. rooted through nessusd? we don't care. by Anonymous Coward · · Score: 0
    Q: "Does Nessus 3 need root/admin privileges to work? Did you use any method to reduce the risk of being exploited? (multiple processes, privilege separation/revocation, chroot)"

    A: "(...) Moreover, whether nessusd runs as root or not is irrelevant. If an attacker can execute arbitrary code in nessusd, he'd be better off sending the results of the network audit to his @gmail account rather than try to compromise the Nessus system itself. (...)"

    That has got to be the stupidest shit I have heard to date. "Yeah well, if nessusd is flawed that doesn't really matter because our 1337 scan results are so much more important than securing the daemon!"
    (And yes, I do realize that having it run as root makes sense for sniffing / nmap use and the like, but saying that an attacker wouldn't want to root the computer running nessus is just plain stupid.)
  24. Security and Trust by danFL-NERaves · · Score: 1

    Nessus is a wonderful product and I support the creators' right to determine the destiny of this project. Tenable apparently was facing stiff competition from those who took advantage of the free (as in beer) aspect of their GPL license to open a competing bar.

    My concern with the closing of the source on this project is specific to its function, ensuring security. Security is one of those funny program spaces where perception is all but reality. Enlightened paranoia is the order of the day. And the wonder of FOSS security software is that being able to view the source of the software builds trust in the product.

    One of the main strengths of FOSS software has always been its ability to distribute debugging to many eyeballs. With a successful and mature product such as Nessus the need for this tends to decline as the professionalism of the creators and community increases over time. However this is not just an Open Source Software product, it is also a Security product. So in addition to distributed eyeballs leading to code maturity they also engender trust to its professionally paranoid adopters.

    Nessus is a good product and it has earned my trust, but one of the reasons I choose to use it and many other security software packages is that they are Open Source. I know that should there be a problem on a consulting job I can pop open the source and rule out the software's culpability. When I have to resort to closed source commercial software I can only depend on the producing company's desire to abate liability.

    But now Nessus lies in a nebulous area between those two examples. And that's cause for unease on my part as user. For Nessus I have no problem continuing to use it and trusting Tenable until cause is shown for not doing that. But whither go I if other FOSS Security tools close source?

    Or something..

    1. Re:Security and Trust by Anonymous Coward · · Score: 0

      > One of the main strengths of FOSS software has always been its ability to distribute debugging to many eyeballs.

      This statement is strictly true, but I wonder if it's what you meant. I frequently hear the argument that many eyeballs leads to better code, but does anybody have actual evidence of this? (Having lots of debuggerers helps improve code, but it's not sufficient if you aren't finding all of the bugs to debug in the first place. Lots of people can look at code, but that doesn't mean they're going to spot the bugs.)

    2. Re:Security and Trust by danFL-NERaves · · Score: 1
      The reference for this is found at http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s05.html in Eric S. Raymond's essay on software development, The Cathedral and the Bazaar. He does not cite specific examples or sources but I am sure if you email him he could supply one or two.

      One salient thing to mention is that in the essay he does not specify that the eyes have to find bugs. They simply have to ask the questions that lead the primary programmers, who are often so close to the code as to lack perspective, to examine the relevant code. The e.g. he uses is a tester who asks the developer, "Where are you zeroing that buffer?"

  25. Scenario by jlebrech · · Score: 1
    Here is my scenario.

    I start a project with my company; it's getting pretty complex, but I'm starting to like what I do on that project.

    I ask my boss if I can use it for a personal project, hence work on it when I'm not at work.

    He agrees to open source it so other people can help me.

    The program reaches v1 to my company's standards, so that they don't need me.

    I lose my job, but carry on my GNU program.

    They close up the source to the program and start selling it.

    I either keep the name of my program or call it OpenWhatever.
    And maybe live on paypal contribs.

  26. Keep dreaming by ShatteredDream · · Score: 1

    Do you honestly think that most people would pay $500 for a product that can be acquired for $25 if rebranded? Yes, many people would rather support the developers, but they'd also rather save a lot of money. In the end, if it saves a lot of money, people will tend to opt for the rebranded knock off.

    1. Re:Keep dreaming by grcumb · · Score: 1

      "Do you honestly think that most people would pay $500 for a product that can be acquired for $25 if rebranded?"

      Yes, I do. I also think that there's evidence that asserts exactly this. If your assertion were true, then CentOS (free, re-packaged RHEL) would be one of the most popular server distros in the corporate world. It's not.

      RedHat is a very profitable company because they see beyond the logical fallacy in your statement. You beg the question that people pay for software, not the services provided and the benefits accrued from it. RedHat very clearly saw that customers were not fundamentally interested in paying for the tool. Rather they were interested in investing in a process that they would profit from.

      Others in this thread have already argued the case that Nessus' problems derive from its business model, and that closing the source will ultimately do little to address this. It will have some effect, no doubt, but will likely do nothing more than alleviate some of the symptoms.

      I would liken this approach to the way Microsoft has tried to fend off the Samba folks by tweaking the implementation from one release to the next. It ensures that the Samba team will always play follow-the-leader, but has negative implications on their future. If they change the protocol too little, they make it easy for Samba to maintain compatibility. If they change it too much, they encourage the uptake of Samba by those who don't want to cope with the effects of disruptive change in their systems.

      Even Eric Raymond (whose filament hasn't received the full wattage for some time) was able to perceive that FOSS makes certain software marketing fallacies unsustainable. The biggest of these is that something infinitely (okay, trivially) replicable makes an economy of scarcity unworkable.

      Ron Gula is trying to re-create the impression of scarcity. Having concluded that there actually was a scarcity (i.e. no one else was contributing to the project), he decided to trade on that by mandating that he (and his staff) should be the only one allowed to input into it. Ultimately, he will have to deal with the tension caused by the degree to which Nessus drifts from its established base. Too far, and he will lose customers. Too close, and... he will lose customers.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  27. Support by xant · · Score: 1

    Anyone can support Nessus whether they own the code or not. They can't fix bugs in it, but that's not what support is really about. Support consulting is mostly "help us set this up" or "help us customize this". Although I've never used Nessus, I suspect it's highly configurable and customizable, as are most products that have any features meaningful to "support". The company has achieved nothing by this move, and Nessus will probably become much less popular because of it, until an open source replacement for Nessus 3.x appears and the company goes under completely.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    1. Re:Support by Master+of+Transhuman · · Score: 1
      Agreed. And my prediction exactly. Tenable has cut its own throat.

      They've blamed the wrong thing for their failure to date - which guarantees greater failure in the future. Classic bad management.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  28. TROLL! DO NOT MOD Doc Ruby UP! by Anonymous Coward · · Score: 0

    You are a submarine troll. Know what that means? You post to Slashdot for a week looking for karma and then burn it all off on blatantly offensive comments. Remember that whole flaming tree you posted about a gay governor a few months ago? How about that whole unfounded Griffin criticism? And what about your nasty comment about someone's username?

    When you reply to these posts, you link to your own posts. Couple that with your bio and you show yourself as one huge egomaniac!

    That's *MR.* Self-Righteous Asshat to you.

    Mods, don't feed this guy. Maybe without a karma stash he won't go on these trolling runs.

    --
    Trolling all trolls since 2001.

  29. I know rebranding was the cause by hug_the_penguin · · Score: 1
    ...but there are other ways to deal with it. One of my key bones with the GPL is that it doesn't do enough to protect small developers and pretty much makes it easy for corporate giants to walk all over them due to their increased advertising and branding power. An example is Mandriva's Embeddix, a rebranded LRP (Linux Router Project). The problem here is that the LRP shut down because of this; they got fed up of Mandriva doing no work and stealing their code and so they stopped developing it, thus the F/OSS community loses out in the end.

    The GPL is bulletproof at some things, and a flimsy sheet of paper in others.

    --
    ~HTP~ Hug that tux ;)
    1. Re:I know rebranding was the cause by Anonymous Coward · · Score: 0

      Out of curiosity, how would you add to/change the GPL to add protections for smaller programmers from Giant Corporation(tm)?

  30. Haha! Flamebait! by Anonymous Coward · · Score: 0

    You are a submarine troll. Know what that means? You post to Slashdot for a week looking for karma and then burn it all off on blatantly offensive comments. Remember that whole flaming tree you posted about a gay governor a few months ago? How about that whole unfounded Griffin criticism? And what about your nasty comment about someone's username?

    When you reply to these posts, you link to your own posts. Couple that with your bio and you show yourself as one huge egomaniac!

    That's *MR.* Self-Righteous Asshat to you.

    Mods, don't feed this guy. Maybe without a karma stash he won't go on these trolling runs.

    --
    Trolling all trolls since 2001.

  31. There is a fork by timbrown · · Score: 3, Interesting

    Speaking as one of the folks behind the OpenVAS (www.openvas.org) fork, there are plenty of people interested in maintaining an open source alternative. Interestingly many of these people have attempted to work with Tenable in the past and have had their contributions ignored. IMO Tenable didn't understand how they could make money off the Nessus project without closing the source.

    As a side point, it would be interesting to understand how Tenable have dealt with contributions that they did accept for version 2 - have they been removed completely from version 3?

    --
    Tim Brown
  32. Real support requires software freedom. by jbn-o · · Score: 1

    Anyone can support Nessus whether they own the code or not. They can't fix bugs in it, but that's not what support is really about. Support consulting is mostly "help us set this up" or "help us customize this" [...]

    If by "own[ing] the code" you mean holding the copyright to the code, your first sentence is quite right—free software allows users the freedom to support the program without holding the copyright to the program. What passes for support is often instruction on how to use a program. Support definitely includes fixing bugs in programs, even bugs in software one doesn't hold a copyright to. Real support requires the freedoms to run the program at any time, inspect how the program works, change the program to suit one's needs, and distribute copies of the program (changed or not). Depending on whatever the proprietor lets you customize is just working within the narrow confines of the proprietor, effectively letting the proprietor determine how much you can help yourself and others.

  33. MOD PARENT DOWN by Anonymous Coward · · Score: 0

    Well Mr. Fucking Stupid Karma Whore, everyone who starts an account begins with score 1. Since you are currently at score 0 by default, this means you must have trolled or posted trash in quite significant amounts.

    And now you are trying to raise your default, probably to troll again in the future. I think you fail to understand a fundamental property of the moderation system.

    Both your posts should be modded up to +5, Funny (giving no karma) and _then_ modded down with Overrated to stifle your lame attempt.

    And btw, neither the parent nor the grandparent deserves the Funny.

  34. You're looking at this the wrong way. by cbreaker · · Score: 1

    It seems like they've modeled their company the same way as a closed-source software development shop, and it's not working out using the GPL, so they're closing the source. I can't imagine why it didn't work. (sarcastic)

    Think about it. Let's say Microsoft creates some tool, and develops it in house. They open the source under the GPL. Would you volunteer your time to help a company like Microsoft further develop their software? Sure, it's GPL, and so you can do whatever you want with it, but it's still an in-house project and there's no community surrounding it.

    I believe the success of a GPL product is in no small measure based on the development model. They need to be designed in a way that people really feel like they have a stake in the project, that they can make a difference. When you have a company that ultimately has the last say and develops the code in-house, you have zero stake in the project. This company could just go and close-source the next version, just like they've done here. Sure, sure. You can fork the project. And that's probably what will happen here - and hopefully the fine developers that step up to the challenge will foster a better community than this company failed at creating.

    There's a LOT of developers being paid to write GPL. Take a look at any large FOSS project - and look at the developers. A lot of them are paid for their work, and rightfully so. It's obvious that you're the one who's a 'zealot' here - a sort of reverse zealot that believes FOSS is a waste of time.

    --
    - It's not the Macs I hate. It's Digg users. -
  35. This is so WRONG by Anonymous Coward · · Score: 0

    This is way wrong dudes. Then Nessus should not be using NMAP at all, period, end of story. They go "close source" then don't use someone else's work like Fyodor's. Am I right?

  36. don't forget by ilf · · Score: 1

    open source fork of nessus 2: http://www.openvas.org/

  37. Don't worry. Its not a big loss. by Anonymous Coward · · Score: 0

    Look, nessus was never that great to start with, and scanners are CHEAP these days, it's not that big of a deal either way. I know, I know, everyone come rushing to its defense, how dare anyone say anything bad about something open source, but let's all be honest with ourselves, nessus is (and has been) S-L-O-W, its exploits were always way behind, its reporting engine is still weak and last but not least, port scanning with nessus is painfully slow. Nessus only became popular *because* it's open source, and finally people could scan their own networks without the high cost of a scanner like ISS, Cybercop, eEye, and others. Once nessus goes closed, what makes it special anymore? How is it any better than other scanners out there? It's clearly not better in the technical sense, and we only have their word for it that it will be faster - but hey! You gotta pay now kiddies! OK, so now it's fair to compare it with the other commercial closed source scanners, which have frankly been better than nessus the entire time.

    In short, why should anyone care about using nessus anymore? Especially 3.0? Frankly, it's a good thing that it's going away, maybe finally some group of experts will put some effort into making a really good open source scanner, and everyone will stop leaning on nessus as the best open source can do. It would be really nice to see a real movement to create a fast, reliable vuln scanner that doesn't suck up a ridiculous amount of resources and one that won't take days to run on a real network.

    No offense intended at all to Renaud, nessus was nifty, but it was never better than the commercial scanners. The bottom line is that it's really not that good of a scanner, it's just the best *free* scanner. For something that's free, nessus is great, but that's it, nothing more, so it's not a big loss.

    And here's what almost no one wants to talk about: vuln scans are SO cheap now that you can get a full blown managed service to scan your network every day for a year, on thousands of IPs, with full remediation management and trouble ticket integration, for only a couple of thousand dollars. Most mid-size, and certainly all the large, companies wouldn't even see that kind of cost show up on their balance sheets. If a service is that cheap, what is the value of a vuln scanner? Why even buy one anymore? What on earth does a simple scanner like nessus have to offer now against products with larger feature sets, and full blown managed services that offer everything? Against a price point that low, and competing managed services with all those features that Relatable isn't even claiming they will *ever* have, it's no wonder they are scrambling to try and make some money any way they can. Their business model is obsolete, and they don't realize it. Rather than adapt to the market, they are trying to capture the glory days of the mid 90's, when closed vuln scanners sold for tens of thousands of dollars. Those days are long, long gone.

    ISS made the scanner market back in the 90s, and nessus came along, as a commercial product, too little and too late. This is a last gasp from Relatable. Maybe someone will fork nessus, dump the slow engine, keep the nasl scripts, and make something that doesn't suck. Who cares what Relatable does. Let 'em close it, it will finally motivate people to take nessus where it belongs, away from the dead idea that you can make an entire company around a vuln scanner. Nessus has needed to be forked for a long, long time, Renaud has too tight of a grip on it, and no one felt the need to take it anywhere else.

    Now, hopefully, people will see there is no choice. Either fork it and keep it alive as a better scanner, or accept that the market has become so commoditized that you can afford to buy a good scanner (not nessus), or get a managed service to do it for you. But don't waste your time worrying about this, it's not that big of a loss.

  38. GPL and IBM/Sco by randyflood · · Score: 1

    Let's say you have a bunch of code to which you own the copyright (code A), and then some other code (code B) which was released to you under the GPL. If you combine the two and release a product, then it has to be released under the GPL. If I get the combined product (including the source code) under the GPL, and I want to redistribute it, I have to do so under the GPL. However, you still own the copyright to the code you have originally developed (code A). You didn't license that code to yourself under the GPL. You have an inherent right to distribute it under whatever license you want. That's why companies can start out with closed source products, and later decide to release them under the GPL so long as they control the copyright.

    There was a similar issue about code that IBM developed in the whole IBM SCO trial. Basically, IBM develops some code to which they own the copyright. Then, they port it into UNIX. Since they still own the copyright, they then port it into Linux. Just because they release the code under one license for OS/2, another license for UNIX, and yet a third license for Linux does not mean that they somehow have lost their copyright of the code. It just means that they have licensed people to use it, under certain, limited conditions.

    --
    Randy.Flood@RHCE2B.COM
    1. Re:GPL and IBM/Sco by _Sprocket_ · · Score: 1

      I understand all that. But it still does not demonstrate a time when any GPL violation led to the automatic relicensing of code under the GPL. To be sure - conforming to the GPL would require such. But once discovered, violators have had the choice of either replacing the GPL code with something else or licensing their derivative under the GPL.

      That's not to say that violating the terms of the GPL won't have an associated cost. Violators will either have to release code they hadn't intended to release or go to the expense of replacing that code. But then, a company who violates the terms of a proprietary license is going to find themselves in a very similar situation. Again - the problem seems to be developers who either think they can get away with copyright violation or those who fail to understand that the GPL is not public domain (there's probably a dig at SCO here).

      Another way to attack this is looking at the violation of a proprietary license. How are those cases resolved? And does this resolution force the compliance of the license involved?

  39. Experience from the trenches by PGillingwater · · Score: 1

    For the last five years, I have been running a company with 10 people which lives from open source.

    We have made enough money to sustain the company (and pay high Austrian taxes), but not enough to get wealthy.

    Specifically, we have made money from other people's efforts, i.e., Nessus, Snort and NMAP. We've done this by building on the work of others, and putting a usable front end on them for corporations (we call it Event Horizon), plus adding commercial-grade support. Sourcefire did the same thing for Snort (we're a reseller of theirs too).

    In return, we have released two major projects to the Open Source community: Outreach Project Tool (a project management and collaboration support Web gateway), and Database of Managed Objects, an audit support tool used to document security systems.

    We haven't made any money out of OPT or DMO, but we have earned money from supporting the work of others. We won't mind if other people make money out of products we have developed -- that's the freedom which GPL offers.

    About the future -- we are trying to earn license fees from DMO, since we just released it under GPL, but so far no takers. Please download it, try it out, and if you like it for your company, then persuade them to take a license. It works under Windows and Linux too!

    --
    cheers
    Paul Gillingwater
    P.S. I may be the CEO with an MBA, but I still write code...
    --
    Paul Gillingwater
    MBA, CISSP, CISM
    1. Re:Experience from the trenches by PGillingwater · · Score: 1

      Sorry, I posted a bad link to the Outreach Project Tool. There is a great demo site here.

      --
      Paul Gillingwater
      MBA, CISSP, CISM
  40. FUD! by sadler121 · · Score: 1

    FUD!

    I would much rather a security app be F/OSS so I *can* see all of the code and spot possible vulnerabilities myself. Of course that is dismissing the fact that, according to TFA, most people are not coders and not contributing to the code, still, as far as security by obscurity goes, that never works out, just look at Microsoft...

  41. Gratis software foundation? by Per+Abrahamsen · · Score: 1

    I am a strong advocate of free software (free as in FSF, not OSF).

    However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we no longer will be able to look under the hood.

    You are an advocate of free, as in FSF, software and you still consider software free in any meaningful way when you no longer can look under the hood? I think you need to learn a bit more about what the Free Software Foundation stands for.

  42. By "nonexclusive" by Lifewish · · Score: 1

    I mean that, if they license their code under the GPL, they are also free to separately license their code under any other system they like. It's written into the license.
    But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.
    That's what I was talking about before. Apparently they didn't get enough contributions that they couldn't easily write them out. This almost total lack of outside contributions in the open-source version was the reason why they apparently gave up on that codebase and reengineered it based on the code that was absolutely 100% theirs.
    --
    For the love of God, please learn to spell "ridiculous"!!!
  43. Re:Seems simple enough... and a question by mrmtampa · · Score: 1

    "code contributor who in **good faith** contributed a patch or entire modules"
    We're forgetting about testers. They play a huge role in OSS development. Not everyone codes. Most admins don't, at least not very well (I'm sorry, it just slipped out). But aren't they the ones submitting the majority of bug reports on Nessus?

    I've got a general question about the GPL. How do you revoke it? Even if you own the rights to the project, which I concede that you do, how do you disentangle? Aren't you now selling proprietary software that includes OSS? Could someone more knowledgeable please explain.

    --
    "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy." Hamlet (I, v, 166-167)