Slashdot Mirror


Metasploit As Case Study In Selling a FOSS Project

coondoggie sends in a Network World interview with HD Moore on the occasion of the commercial release of Metasploit by Rapid7, the company that bought it half a year ago. The pseudonymous author uses the occasion to explore the question of what happens to a vital open source project once it is sold commercially. "Metasploit might become one of the first examples of how a completely FOSS project grows up to be successful. It is the venture capital model without the startup money (though VCs are funding plenty of OS startups these days, too). Build it. They will come. Someone will buy it. And if you want them to stay, the FOSS project better remain as well supported as the eventual commercial version. This isn't the first open source project to have been bought by a big guy. And the jury is still out on most of them. I could argue that Metasploit is a bit unique in that it didn't have a commercial arm when Rapid7 acquired it. That could not be said about SUSE or MySQL or even Gluecode (bought by IBM), etc."

10 of 50 comments

  1. Sustainable open source? by alain94040 · · Score: 3, Insightful

    "The challenge for open source is that, while it's a fun hobby, how can we make it sustainable?"

    Sustainable is the key word for me here. If selling to a private corporation is the only sustainable way, that's too bad. That's why I like hybrid software licenses that combine open collaboration with some guarantee of revenue-sharing. Can we find a way to work together on a piece of code but still sell it for a reasonable price to end-users and sustain the developers? I sure hope so.

    Because in the case of Metasploit, what do you think happens when all the developers now have a paying job? Even though the code is open, if it doesn't get maintained, it will die. So in practice, the project is basically at the mercy of the acquirer.

    1. Re:Sustainable open source? by ushering05401 · · Score: 3, Interesting

      A revenue sharing license limits the contributor base for your project based on increases in accounting overhead to track and disburse monies over time.

      And that page you linked is scary. They claim to pre-define growth rates on participating code-bases to protect against devaluing of contributor shares. WTF.

  2. sounds like a decades-out-of-date argument by Trepidity · · Score: 4, Insightful

    "The challenge for open source is that, while it's a fun hobby, how can we make it sustainable?"

    That's pretty much what people said in the 80s, arguing that the GNU project maybe could build a text editor as hobbyists, but certainly couldn't build something like, say, a compiler. Then Linux was just a hobby project, fun, but surely nobody could use it for real work. Debian, a whole OS without any paid devs? Ridiculous! And yet despite being supposedly unsustainable, the flood of open source software doesn't seem to be showing any signs of stopping? Next you're going to tell me these hippie kids will write a free encyclopedia, too.

    Sure, exploring ways of tying together funding and development is always interesting, but I don't think it's because of any crisis of sustainability...

    1. Re:sounds like a decades-out-of-date argument by LWATCDR · · Score: 2, Interesting

      "Debian, a whole OS without any paid devs?"
      1. Debian is not an OS. It is a distro.
      2. No Linux Distro I know of is free of code from paid devs! RedHat, IBM, Novell/SUSE, Intel, and many more pay people to develop code and then contribute that code to Linux. So any Distro that includes say.. The FOSS Intel video driver is using the code of paid devs.

      Even RMS states the F in FOSS does not mean unpaid or free as in beer.

      And I disagree about a crisis of sustainability. FOSS has not been wildly profitable as a whole. It has not inspired a huge number of vibrant projects. For every Firefox there are tens of thousands of projects that never get past a page on SourceForge.
      Even some really good FOSS software just sort of lingers on the fringe. One great project IMHO is DeVeDe which is a super simple and easy to use DVD creation tool.
      "I am not the dev but I use it"
      Without a clear source of revenue projects will fade.
      BTW the problem is getting worse for closed source software.
      Most people have found software that frankly is good enough so they are not buying new software as much.
      Also people have found free software on the internet both in the form of FOSS and in the form of piracy.
      That is why you see so much interest in mobile apps. It is still possible to make money and maybe even grow large in that space. On the PC it is just too crowded.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    2. Re:sounds like a decades-out-of-date argument by jd · · Score: 2, Interesting

      Fair point, but look at some of the contributors to Linux: IBM, SGI, Hewlett-Packard, Oracle. They contributed largely in the spirit of openly contributing (highly commendable) but they also contributed because they were going to get some sort of return on that investment, no matter how indirect or long-term it might be. This was certainly not the reason Linux became what it is, but to ignore the fact that they help sustain Linux would be plain folly. Indeed, there was quite a dramatic pick-up of interest after the IBCS patch showed that the kernel was as capable as any commercial offering, albeit minus a few "Enterprise" features. (IBCS is how Oracle first ran on Linux, as a Linux port didn't exist at the time.) That's when pressure for such extras built up and the itches got scratched.

      Similar things could be said of Apache. SGI has contributed much, including a high-performance accelerator that the Apache team rejected. (Interestingly, the next generation of Apache web servers was dramatically slower. Probably coincidental, but pissing off people with the arcane skill in optimizing is never a good idea.)

      What of the GNU compiler collection? Well, I'll be generous and not say too much about the disastrous folly that caused EGCS to form, or the equally disastrous failures in Gnu Fortran which resulted in large-scale defections to the G95 project. I'm also deeply concerned about the whole PGCC fiasco (Intel's patches were superb on Intel hardware, great contribution from that perspective, but why the hell was it working worse on non-Intel hardware?), the bit-rot that caused various older compiler back-ends to be dropped from GCC, the huge maintenance problems being faced by people like the D frontend for GCC, and so on. It is superb, it's a magnificent testament to Open Source that GCC is =THE= benchmark to beat by compilers at the Supercomputer conference (you don't benchmark against things considered junk), and it is progressing. However, there is clearly a long history of conflicting egos and conflicting goals that have been as damaging to the product as productive.

      And the BSD kernels? Very good development, but again a lot of fragmentation due to clashes. Individuals doing superb work, I'm not going to question the amazing technology that is inside FreeBSD, NetBSD, OpenBSD, DragonflyBSD, or any other *BSD. But there's way way too much bitterness, hostility and rivalry that goes well beyond the spirit of competition. They're all perfectly self-sustaining, I'm not going to even try to dispute that. The developers are highly passionate about what they do and what they do is magnificent. But, frankly, there have been times when I wish someone would slip some Prozac to those guys. The *BSD effort started TWO YEARS before Linux, it should be running the world by now, but it isn't. The kernels are all good, are all worthy equals to Linux, but damnit they had huge chunks already done AND a two year head-start. There shouldn't be any commercial UNIXes any more. Why does Solaris still exist? Why was all of this advantage squandered?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:sounds like a decades-out-of-date argument by micheas · · Score: 3, Insightful

      ... And I disagree about a crisis of sustainability. FOSS has not been wildly profitable as a whole. It has not inspired a huge number of vibrant projects. For every Firefox there are tens of thousands of projects that never get past a page on SourceForge.
      Even some really good FOSS software just sort of lingers on the fringe. One great project IMHO is DeVeDe which is a super simple and easy to use DVD creation tool.
      "I am not the dev but I use it"
      Without a clear source of revenue projects will fade.
      BTW the problem is getting worse for closed source software. ...

      But, neither has closed source software been wildly profitable, as a whole.

      Over 90% of the WYSIWYG web page creator tools in the '90s didn't survive until 2000, and most of them never turned a profit, despite VC funding (or maybe because of VC funding). Dreamweaver and FrontPage are the exceptions, and FrontPage was profitable because it was bought by Microsoft.

  3. Re:How? by Trepidity · · Score: 2, Interesting

    Sounds like basically the name plus some core devs. It's BSD-licensed, so in theory they could've made their own proprietary version without even buying it, but in that case it might've been harder to get any attention or traction, and they might have had difficulty finding people familiar enough with the codebase and willing to write proprietary-licensed additions/extensions.

  4. a sad story by Lord+Ender · · Score: 2, Interesting

    Metasploit used to have nice GUI and web-based interfaces. Once it was purchased, they were immediately dropped.

    Also, a project like Metasploit can't live without community contributions, and we have yet to see if these are sustained. When contributing to a noncommercial open source project, the feel is one of peers collaborating. When contributing to a commercial product, the feel is more like working without a paycheck...

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:a sad story by Lord+Ender · · Score: 2, Informative

      HDM ended support for the GTK and web interfaces when he was purchased. Now, you need to purchase Metasploit Express ( http://www.metasploit.com/express/ ) to get a graphical interface for Metasploit.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:a sad story by Anonymous Coward · · Score: 4, Informative

      Not quite - Prior to the 3.2 release, both the main developer for msfweb and the main developer for msfgui dropped out of the project (LMH and Fabrice); We fixed these interfaces up just enough to make them work for 3.2, but they have always been incredibly buggy and crash-prone. The msfweb interface needs an overhaul to be really usable (and we would love for someone in the community to take this on), however the msfgui interface will have to be rewritten from the ground up due to an insane number of crash bugs in the ruby-gnome2 codebase. As the project moved towards 1.9 compatibility, both msfweb and msfgui fell even further behind. We deprecated these interfaces in 3.3, which was immediately after the acquisition, but the acquisition had little to do with the decision to stop trying to maintain these. The main goal of msfweb and msfgui was to support an interactive console on the Windows platform; since we added RXVT/Cygwin to the 3.3.x packaging, it became possible to run msfconsole natively, removing the need to keep hacking msfweb/msfgui to work. The decision really came down to msfweb vs cygwin; with msfgui no longer an option due to the aforementioned crash bugs.

      Long-term, we are trying to consolidate all of the interaction into a small number of tools; currently we have msfconsole, msfcli, msfweb, msfgui, msfrpc, and then msfencode+msfpayload. We would like to merge the cli functionality into the console (it's buggy with certain module types at the moment), remove msfweb and msfgui until we find a new owner in the community, make msfrpc the standard way to programmatically interact with the framework, and combine msfpayload/msfencode into a single utility.