Nessus 3.0 discussed
An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations worldwide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source, Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What would happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."
Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software.
They are looking to make money on their support of the product, which is a well-established model.
Fyodor (author of NMAP) posted about Nessus going closed source in the nmap-hackers mailing list some weeks ago. It seems that Tenable's main point is not GPL-resistance from the enterprise customers, but rather the fact that there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors. I, for one, can see their point, even if I am a strong advocate of free software (free as in FSF, not OSF).
However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we no longer will be able to look under the hood. Since many of us automate Nessus directly through the command line client and parsing of NBE files, I believe that this will have very little impact, even on power users.
/usr/games/fortune: command not found
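The NBE parsing that the poster above relies on, as an added example written for this page (Python; not code from the thread, from Nessus or from Tenable): it reads the pipe-delimited 'results' records of a Nessus 2.x NBE file, undoes the literal '\n' escapes in the text field, and summarises findings per host so that a Security Hole is never silently dropped in an automated run. The field order, the severity strings and the sample hosts and plugin IDs are my assumptions, constructed for the example.

```python
"""Parser for Nessus 2.x NBE reports (constructed example, not Nessus code).
Assumed layout: results|<subnet>|<host>|<service>|<plugin id>|<severity>|<text>
with 'timestamps|...' lines interleaved; literal '\\n' in <text> means a line break."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, NamedTuple

class Finding(NamedTuple):
    host: str
    service: str
    plugin_id: str
    severity: str  # assumed values: "Security Hole", "Security Warning", "Security Note"
    text: str

# Constructed sample NBE; hosts and plugin IDs are made up for the example.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Oct 6 10:00:00 2005|
timestamps||192.168.1.10|host_start|Thu Oct 6 10:00:01 2005|
results|192.168.1|192.168.1.10|ssh (22/tcp)|10267|Security Note|Remote SSH version : SSH-1.99-OpenSSH_3.1p1\\n
results|192.168.1|192.168.1.10|ssh (22/tcp)|10882|Security Hole|The remote SSH server supports protocol version 1.\\nSolution : disable SSH 1.\\n
results|192.168.1|192.168.1.10|http (80/tcp)|10107|Security Note|The remote web server type is : Apache/1.3.26\\n
timestamps||192.168.1.10|host_end|Thu Oct 6 10:00:09 2005|
results|192.168.1|192.168.1.20|telnet (23/tcp)|10281|Security Warning|A telnet server is listening on this port.\\n
timestamps|||scan_end|Thu Oct 6 10:00:13 2005|
"""

def parse_nbe(text: str) -> Iterator[Finding]:
    """Yield one Finding per 'results' record; timestamps and blank lines are skipped."""
    for raw in text.splitlines():
        if not raw.startswith("results|"):
            continue
        fields = raw.split("|", 6)  # <text> may contain '|', so split at most 6 times
        if len(fields) != 7:
            continue  # truncated record: drop it rather than misattribute it
        _, _subnet, host, service, plugin_id, severity, body = fields
        yield Finding(host, service, plugin_id, severity,
                      body.replace("\\n", "\n").rstrip())

def severity_by_host(findings: Iterable[Finding]) -> Dict[str, Counter]:
    """Count findings per host and severity, e.g. for a nightly summary mail."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        summary[f.host][f.severity] += 1
    return dict(summary)

def hosts_needing_attention(findings: Iterable[Finding]) -> List[str]:
    """Hosts with at least one Security Hole, sorted for stable reporting."""
    return sorted({f.host for f in findings if f.severity == "Security Hole"})

if __name__ == "__main__":
    found = list(parse_nbe(SAMPLE_NBE))
    print(severity_by_host(found), hosts_needing_attention(found))
```

Feed the output of the command line client's NBE file into parse_nbe instead of SAMPLE_NBE to run it against a real scan.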
Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it?
If the project is (L)GPL and you contributed under the GPL, they can't close the source.
If the project is, say, MIT, X11, or BSD licensed, and you contributed under one of those licenses, then they can.
I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.
There is no problem; a project like Nessus shouldn't need more than a handful of developers. However, a large user community is still useful: they act as testers and generators of ideas.
How long until we see OpenNessus or (insert clever derivative name here)?
I would guess fairly soon. Personally, I'd like to see a rewrite, though, and a better UI.
Depends on the license. Some things, such as the Linux kernel, just want you to license it under the GPL to them, in which case they're going to have to write a replacement for your part. But other projects require you to assign copyright to them - MySQL and Qt do this so they can release closed-source versions, but also e.g. the FSF requires assigning copyright so they can enforce violations better. I imagine Nessus required assigning copyright, otherwise a license change like this would be impractical. But then again, the reason for this is apparently that they were getting very few code contributions, so maybe the author has just rewritten everything that was contributed.
Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCop from Smoothwall, etc. etc.
It's happened already. http://sf.net/projects/segusius
I am trolling
Unless all contributors agree to re-license their work. IANAL, but I think this allows future versions to be closed.
Two forks are mentioned on Wikipedia:
OpenVAS
Porz-Wahn