
Nessus 3.0 to abandon GPL licensing (NewsForge)

NewsForge talks with Ron Gula and Renaud Deraison from Tenable Network Security about a licensing change for Nessus, a vulnerability scanner. "Nessus -- once billed as "the open-source vulnerability scanner" -- is changing its ways as of the 3.0 release, which is expected shortly. According to a recent post on the Nessus Announcements mailing list "Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL." On its Web site, Nessus now just bills itself as "the network vulnerability scanner.""

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 6, 2005 22:29 UTC (Thu) by lacostej (subscriber, #2760) [Link]

"then on the other side (there are people) who cannot use Nessus because it is open source,"

Have you heard about double licensing? For those users who want support, insurance and no GPL on their network, all that against some $, just make a binary version with your own license. It works for mysql....

And if Nessus didn't have a big community, maybe they didn't manage to create one?

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 6, 2005 23:11 UTC (Thu) by rknop (guest, #66) [Link]

If it's useful enough to the open source community, it will fork.

Witness OpenSSH

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 10, 2005 11:16 UTC (Mon) by Felix.Braun (subscriber, #3032) [Link]

Done.

Here it is.

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 7, 2005 10:27 UTC (Fri) by ramdyne (subscriber, #536) [Link]

According to Dana Epp it's no wonder there was no "community" around Nessus, like other FS/OSS projects.

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 7, 2005 12:42 UTC (Fri) by docomo (guest, #32926) [Link]

Renaud Deraison writes:

"A number of companies are _using_ the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our own competition and we want to put an end to that. Nessus3 contains an improved engine, and we don't want our competition to claim to have improved "their" scanner."
http://mail.nessus.org/pipermail/nessus/2005-October/msg0...

Is he right that this is something that should be described as a loophole? If so, perhaps this ought to be fixed in GPL3?

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 7, 2005 15:03 UTC (Fri) by vmole (subscriber, #111) [Link]

No, it's not a "loophole", it's an intended effect. The whole point of the GPL is that the receiver can do whatever they want with it, except distribute it without source. The position that it's a "loophole" is equivalent to Red Hat arguing that Suse's use of rpm (the program, not the format) is somehow a "loophole". Basically, Renaud wants the appearance of Free Software, but to actually be proprietary.

Not that Renaud can't take his source code proprietary (assuming nobody else holds copyright on the affected code), but pretending that he's been somehow cheated is bogus.

Actually there is a loophole

Posted Oct 7, 2005 16:40 UTC (Fri) by AnswerGuy (subscriber, #1256) [Link]

If I fork your product, make my own changes, refuse to release them and refrain from re-distributing the software then I can still provide a service using that GPL'd software with my closed-source extensions.

This has been a concern among GPL advocates for several years and emerging AJAX programming techniques are making it significantly more feasible for a broader class of applications.

However, I think the problem with Nessus has been that the principal maintainers are feeling a financial pinch and giving up. It will ultimately result in a fork from the last free version and Nessus3 will probably wither away. It happens. It's happened before and it will happen again.

JimD

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 7, 2005 20:26 UTC (Fri) by meffie (guest, #3120) [Link]

"A number of companies are _using_ the source code against us, by selling or renting appliances,"

Uh? By "_using_ the source code against us", does he mean people are distributing the code, and he'd rather they not? If so, why did they choose the GPL in the first place?

Using Against Us

Posted Oct 7, 2005 21:27 UTC (Fri) by AnswerGuy (subscriber, #1256) [Link]

Presumably he means that they are downloading the Nessus sources, adding their own closed source stuff and reselling the result AS A SERVICE (not redistributing the software, just charging for the results of running from their hosts).

That's the "loophole" to which people have referred in this thread.

JimD

Using Against Us

Posted Oct 10, 2005 8:46 UTC (Mon) by jamesh (subscriber, #1159) [Link]

Surely "selling or renting appliances" would count as distribution though, right?

Assuming that the competing vendors are complying with the GPL, perhaps he is annoyed at them not prominently advertising that they use Nessus inside the appliance.

Selling, Probably, Renting ...???

Posted Oct 15, 2005 19:03 UTC (Sat) by AnswerGuy (subscriber, #1256) [Link]

If I sell you the appliance and it incorporates the GPL code; certainly. If I "rent" it to you; well that depends on how the contract is worded. If I provide a "service" to you which happens to allow you to access it, perhaps even includes the delivery of the equipment to you for your access to it ... and if I sell you a piece of equipment, with a free OS and some free utilities on it (such as Spamassassin and ClamAV or whatever) and then I separately provide a "service" which entails my accessing the device I sold you and running some software on it. Software which I'm running as part of my service but which I don't distribute to you.

Of course this is all splitting hairs. It's likely that some of these machinations could be viewed as actions in bad faith and held to be violations of the GPL. However, that could entail a lengthy and expensive court case to prove.

My point is simple: they have a point in their assessment. For their particular niche the free software model was not compatible with their business model. Personally I think they had the wrong business model, or at least the wrong plan. They seem to have been ineffective at capitalizing on their role as the creators and maintainers of the core scanning engine (poor marketing and sales). So companies with better marketing and sales (albeit less legitimate involvement in the core project) seem to have been able to compete more effectively.

It could also be that these people had unreasonable expectations of how they would or should be rewarded for their efforts. Perhaps they hoped to make a few quick million each in some acquisition of their business. They may not have truly understood that VC funding and M&A activity is not a reward for past accomplishments; it's investment in potential future returns. In other words it matters very little how good your product is. What really matters in investment funding is how big your market is (and how well the investors feel that you can capitalize into that market).

Anyway, the result is likely to be a fork from the last free version of the code; and the development of a newer, better scanner from that fork. The Nessus maintainers have raised the hackles of a segment within the free software community and will probably have spurred more activity from them than anything they could have accomplished through less controversial and more congenial means. Sometimes, to motivate people, you really do have to piss them off. (Which is not to say that I personally approve of it as a deliberate technique; I would generally choose to let them remain unmotivated rather than deliberately manipulate their emotions, or I'd take my own actions for my own reasons even if acrimony was the likely side effect. Perhaps that's what they've done as well.)

JimD

Lack of community _need_ or a failure to co* properly?

Posted Oct 10, 2005 8:21 UTC (Mon) by gvy (guest, #11981) [Link]

Seems like he either didn't grok the trick, or tries to look so even if he did but didn't like the result _applied to them_.

Samba began as a personal, then community effort; quite a few T1 vendors are now participating in the development, someone has called the process with a word that's a hybrid between either "cooperation" or "collaboration" and "competition" (don't remember exactly). And it's highly successful.

Maybe it's just because it's more sane in an open environment to devote resources to updates and not to more or less silly or complicated scanners that would still think "apache 1.3.27 is vulnerable" even if the patch to fix some particular problem _was_ applied in a fix package? Proper testing involves actual attempts to break in, a security scanner is no exclusion from this rule to me.

So... could it have been something reactive like A/V software and not proactive at all and thus not *really* interesting? I don't know either the authors' business or their competition offerings to tell and, frankly, don't really care.

But as an illustration to grokking the competitive collaboration, seems like a nice counter-example ("what-not").

Nessus 3.0 to abandon GPL licensing (NewsForge)

Posted Oct 7, 2005 13:18 UTC (Fri) by job (subscriber, #670) [Link]

Personally, I'm waiting for the fork ...

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds