Nessus Closes Source 394
JBOD writes "As reported at news.com, the makers of the popular security tool Nessus are closing its source code. Although it will will remain free as in beer, Nessus is dropping the GPL license for the upcoming version 3 of the software. The problem appears to be that Tenable Network Security (the company which primary author Renaud Deraison founded around Nessus) isn't making money because it's competition is simply repackaging their product. Deraison's writes "A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our competition, and we want to put an end to that." He also notes that the OSS community has contributed very little to Nessus in the past six years, so they were reaping no benefit from using the GPL." Update: 10/06 22:48 GMT by CN : Nessus' Renaud Deraison wrote me to let me know that the company is "good money-wise," but has become annoyed with competitors repackaging their product.
Re:GPL Kool-aid (Score:5, Insightful)
That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.
I agree, though, they could have written a license that gave other companies the right to reuse the code for non-commercial uses only, and that would have been a better compromise.
thus exploiting a loophole in the GPL. (Score:5, Insightful)
Re:hmm (Score:5, Insightful)
From their indication that they haven't seen any significant help in six years, we can presume that the third possibility is unlikely.
And, of course, old versions will still remain under the GPL (happily).
Re:hmm (Score:5, Insightful)
They cant go "closed source" - they've licensed it under the GPL. Unless they rewrite the app from scratch, or remove any code from parties that havent agreed to the new license... If linus wanted to close-source linux all the sudden, he couldnt do it either.
That's actually not true at all. They still own the code, the GPL is a license, not relinquishing ownership. What they can't do is use any code contributed by anyone outside the company. That code they'll have to re-write since it's licensed under the GPL and doesn't belong to them.
And obviously, the existing version cant be relicensed either. The latest release under the GPL is stuck there from now until forever.
They can't relinquish the license of course. Anyone that wants to take that code and maintain it themselves is obviously free to do so.
Re:GPL Kool-aid (Score:1, Insightful)
I applaud Tenable Security for making a decision to support a business model that works instead of one that doesn't.
Selling or Renting Appliances? (Score:3, Insightful)
I don't buy this as a reason, mind- because the people in question are still infringing and making it free as in beer won't change the situation any more than it is now. You have to go after them for their infringements- licenses don't change this. If it were the case, MS (or any other BSA members, for that matter) wouldn't be so worried about piracy of their products...
They haven't learnt the lesson (Score:2, Insightful)
Well, I just assume the same will happen with nessus, except if there is no interest in nessus when there was on an X server.
Re:hmm (Score:3, Insightful)
No, the GPL is a license with which a copyright owner can enforce their copyright on said code.
Re:You do not get Open Source. (Score:2, Insightful)
From their perspective? (Score:5, Insightful)
Or is everyone scared that all the "You can't actually make money with GPL" rumours are true (especially for small start-ups)? ;)
The choice was probably about cost... (Score:5, Insightful)
Choice 2) Close source code.
Seems to make sense to me...
Re:GPL Kool-aid (Score:1, Insightful)
Let's look at a better compromise in terms of the _actual_ goals of the GPL:
1) keep the CVS repository to yourself
2) never give out the software for free, EVER
3) primarily provide the software as part of a larger turn-key system
4) keep the GPL license
This means that no matter what, their competition is ALWAYS a step behind them release-wise. It also means that their competition is a paying customer. This means, if the ripper-offers are still causing them trouble, they can just up the price -- after all, it would wind up that the ripper-offers would be the ones paying, not the end customers, so they would be paying for development, not software.
Basically, it is not free-software nor the GPL to blame necessarily, but free software done stupidly.
Re:GPL Kool-aid (Score:5, Insightful)
The FSF says nothing about the GPL and community giveback. It says only that the GPL exists to give users freedoms to use and modify software. Indeed, "The freedom to use a program means the freedom for any kind of person or organization to use it on any kind of computer system, for any kind of overall job, and without being required to communicate subsequently with the developer or any other specific entity." (emphasis mine)
Re:Maybe an OSS future isn't that bright afterall (Score:1, Insightful)
Typical Slashdot BS at it's finest.
Re:Maybe an OSS future isn't that bright afterall (Score:3, Insightful)
Welcome to a disruptive technology. Guess what? New things happen. Things are invented. Trends happen. People go out of business because the business model they rely on is made irrelevant. That's how a free market works.
The CD-ROM put encyclopedia salesmen out of business. We could apply your same argument: "It's funny how building a family changes your perspective on cheap mass storage. I like mass storage, but it's never going to win in the long run, because encyclopedia salesmen have families to support and will not slit the throat of the goose that lays the golden eggs that pay the bills and support one's spouse and children."
Guess what? They didn't slit the goose's throat. Someone else did, and put them all out of business. Technology happens. Trends happen. People go out of business. That's how a free market works.
If you're in a business that relies on software sales right now, and they're not looking at becoming a service-oriented company, start making your exit plans now. You may not have to use them for a few years, but software is simply becoming a commodity market. The big-bucks-for-trivial-software cash cow is already dying.
Microsoft is starting to get nervous themselves. Google is the next-generation; they've already found the trend, they're already there. Microsoft is like the RIAA; screaming and throwing tantrums because they're seeing their hold on the market diminish.
Oracle, Sun, IBM, etc. are all becoming service-oriented. Buy servers and service from IBM, Oracle, Sun, etc. Oracle still has ridiculous licensing fees, but they also have ridiculous consulting fees, and there's a whole market for DBAs, consultants, and DB programmers. And since when was Sun ever a software company?
Where have you been? TurboTax is already moving on. (I don't know about Quicken.) The software is essentially the same, but the laws, the rules, the numbers change every year. This is what people pay for, or they'd not bother upgrading in the first place!
OSS problem admitted (Score:3, Insightful)
Most people understand this principle. But the OSS activists seem to believe that smart developers can donate forever and should be totally selfless. Why is it only the developers? Developers who spent many years of their lives learning to be experts at their complex trade (programming) are expected to donate. Yet the typical help-desk types are "allowed" to charge for their consulting services when they pop a CD in a drive and install the OSS software for a client.
I'll admit, I'm a software developer. But, I know OSS activist guys who charge companies $100/hr consulting fees to implement OSS solutions that they don't pay a dime for. These guys are walking in to a firm, spending a day setting up a PHP server (or whatever) and walking out with a fat-ass paycheck.
But when a developer wants to charge for the software he writes the OSS community of activists starts hissing at him and brand him with some sort of corporate greed type crap.
Can somebody please explain this OSS-mentality inconsistency????
Re:GPL Considered Dangerous? (Score:2, Insightful)
Re:Maybe an OSS future isn't that bright afterall (Score:3, Insightful)
The money is made in doing custom modifications of the software.
Anyway, nothing prevents FOSS and proprietary software, sans software patents, from coexisting stabily.
The GPL isn't necessarily the best license for all software, as well. Non-commercial use/commercial dual licensing might have been better for the project.
Re: thus exploiting a loophole in the GPL. (Score:3, Insightful)
The GPL can prevent vendor lock-in because people can study the code and resolve compatibility issues if any.
Not in the sense that anyone can pick up the code and be a competitor - although it is also permitted under the GPL, it is not what prevents vendor lock-in.
open source killer (Score:4, Insightful)
Nessus is not the first, and not the last. Even Hans Reiser has this problem:
See here... [kerneltrap.org] Hans Reiser: Doing GPL work is doing charity work [...] That should be and could be changed, but for now it is so. I have done my share of charity, and I would not have a problem doing proprietary work. I think people should keep their lives in balance, and that includes balancing charity work and better paid work.
Here is another: Mute file sharing [sourceforge.net]. Not sure how long this experiment will last.
And one more: Daniel Robbins founded Gentoo linux, went bankrupt, got job at Microsoft [gentoo.org]
Either help these programmers feed themselves and their families, or expect other big and large profile projects to disappear and become pay-for-play.
I love open source, and contribute money to many projects -- but open source will just prove to be a fad that will start to wear thin on programmers as they get into debt and can't feed their families. The business case for open source software longterm survival is weak, unforunately.
m
Re:hmm (Score:3, Insightful)
hum.. isnt that exactly what i just said? "remove any code from parties that havent agreed to the new license"..
You also said in your first sentence that they couldn't go closed source, and compared the product to linux. That makes it sound like you're trying to say they can't do it, or it'd be very difficult to do. The big difference is they've said there hasn't been many contributions to Nessus by anyone outside of Nessus. This makes it very easy to rip out those sections that they don't own.
Re:GPL Kool-aid (Score:5, Insightful)
These guys did a wonderful job. Six years contributing to software that was obviously so good that other people could make money off it. Its one thing to work on an open source project in your spare time, or to be employed by one of the few companies that can leverage free software to make money, but these guys aren't. So unless you are working on the kernel, on samba or one of maybe a dozen other projects, you can't give up your day job.
Maybe by closing the source, one of their competitors will buy them out and they will have enough money to live on and write open source code. Rather than berating these guys for leaving the fold, thank them profusely for the six years of hard work.
If you don't like it, fork it. Once GPLed, always GPLed, and only V3 and above is going closed.
Re:nessus is dead, long live gnessus? (Score:4, Insightful)
A developer who wants community involvement really has a lot going against him. There are only a handful of Linuxes, Mozillas, and KDEs, out of the hundreds of thousands of OSS projects out there. Probably only a single-digit percentage of OSS projects get any significant community help. To get in that percentile, you have to have an interesting, high-profile project AND be VERY good at drumming up support.
Properly stated, there's a third possible interpretation of a successful fork: the maintainers were doing a fine and dandy job and no one from the community had an itch to scratch, until the gravy train stopped.
Re:GPL Kool-aid (Score:4, Insightful)
Their call that using devices is a GPL loophole is pure BS. If somebody sells a device with the software and does not make any changes then they are entitled to that. If they change the sources then the sources have to be made available and I am sure that they did. The point is that somebody was clever enough to create a device that maybe they should have in the first place!
Here is a question, if the person's competition was making money on GPL, why couldn't he? Oh yeah he wanted to sell software and only sell software! Here's my prediction, that he will bankrupt himself after close-sourcing the software and blame it on the Open Source community!
The community didn't give anything back? (Score:1, Insightful)
One of the most neglected aspects of contributions from the community is the advertising an application gets. Does anyone seriously think BitKeeper would have gotten to where it is commercially if it wasn't used for the Linux kernel?
Re:Maybe an OSS future isn't that bright afterall (Score:3, Insightful)
Re:The choice was probably about cost... (Score:3, Insightful)
Honestly, when the source is equal, what did he really think would set his product apart from the competition? His only advantage is that he wrote it. Thats not a technical advantage since he GPLed it. But it sure is a marketing and support advantage.
The flaw is not in the GPL but in his business plan that did not match the fact that he was GPLing his code.
It's a legit gripe though (Score:4, Insightful)
The GPL does create problems for commercial viability in many cases. You spend tons of time and money developing something, others then market the solutions for it, you get squat in return. This is a problem. The "Well make money selling support" argument doesn't work when others are selling the support better than you can.
Now, perhaps you are inclined to think this is fine. They are better at it, so they should make the money right? Except the only reason they can, is that you put in the up front investemant to actually make the software.
What this will lead to is people deciding that open source is not the way to go, or at least GPL-style open source. If it just leads to other people making money off of your hard work, it'll really turn people off to it.
Re:hmm (Score:1, Insightful)
I don't know, use a software disassembler? IDA Pro? SoftIce? Something like that?
Re:The choice was probably about cost... (Score:2, Insightful)
Somebody didn't learn to read. He *can't* make his produce better than the competition, because the competition *is* his product!!! Because nobody was chipping in to help, he was spending his time writing the core of somebody else's application for them.
Re:Considering that... (Score:3, Insightful)
You obviously missed the above article, it lists a few companies that make money purely with GPL'd/OSS software. The include SugarCRM, MySQL, and many others. These companies were once startups (and some would still be considered startups). They are largely pure software development plays (IE they don't sell appliances/hardware).
The article mentions that MySQL AB will make 40 million this year. That's pretty good. SugarCRM has raised something like 7 million in capital (obviously this isn't making money, but someone believes they have a chance to make money.. VCs might not be brilliant, but they do try to make good investments).
Obviously these are the success stories, on average 1 in 5 companies makes it through the first year, and only a handful of those make it to 5 years. Those are statistics across all industries, you can't expect OSS companies to be impervious to those stats. Startups fail, business models fail, regardless of the state of the source.
Speak to a lawyer (Score:1, Insightful)
Re:Maybe an OSS future isn't that bright afterall (Score:3, Insightful)
If you think that the driving force for the software industry is the need for developers to make money you need to go back to school.
Everybody needs to make money, and yet industries come and go.
Re:Fair enough (Score:2, Insightful)
But exploiting those few lines of codes would make you an asshole, can you say SCO?
Re:The choice was probably about cost... (Score:3, Insightful)
Let us assume this is the case, then you've only got the quality of your code and your extra features over the competition. Oh wait, they're USING YOUR CODE!
Hmmm, suddenly, there is pretty near zero differentiation. Oh wait, you are trying to pay for having invested the time and money to write it. They are not. So there is a differentiation. In their favour!
No, I can see why they'd want to go back closed source. Open source is no panacea. It has some excellent products, but integration with for-profit corporate ops can lead to a lot of unfortunate results.
Re:open source killer (Score:3, Insightful)
The problem is not the GPL, or free software, the problem is one company with a business model that didn't work.
Saying that a piece or software can't be good unless you throw money at it is just ridiculous.
I'm familiar with the Mute project but I don't use it. Still, I'd like to buy the guy a beer if I ever get a chance, his ideas are quite interesting. You can tell he's doing it because he believes it in, not to get rich.
Either help these programmers feed themselves and their families, or expect other big and large profile projects to disappear and become pay-for-play.
You completely miss one of the great things about free software:
A project doesn't disappear, it just becomes inactive. At any moment, whoever wants can step in and take over.
Did you ever think that maybe these guys were having trouble because their "for money" offerings were more expensive than their competitiors and maybe in general their planning to make money wasn't so good?
There are a bunch of different ways to make money doing free software: consulting, a bounty system, providing automatic maintence with rigorously tested updates, etc. It just sounds like the "Charging 100% more than your competitors for software with a free version avaible" business model doesn't work.
Anyways, giving examples of people who didn't make it doesn't show much. One could do the same for anything. Meanwhile there ARE people who succeed at making free software their livlihood.
One idea I consider interesting would be an organization set up specfically to make deals between programmers and businesses. A group of business would agree to fund software written to a specification, programmers would be paid to write it, and the end product would be GPL'ed, guaranteeing each company both the freedom to maintain and the freedom to modify the software, with no fear of extortionary liscense costs down the road. The organization would take a comission to cover its costs administrating the deal.
Re:Moral of this Story and Nmap Response (Score:5, Insightful)
Fyodor, what can those of us out here do to help make that a possibility? One of my common frustrations is that much of the open source community thinks at a very low level and rejects broader perspectives because the initiators of the projects are often exceptional programmers (at the expense of not being exceptional documentation writers, analysts, managers, communicators, etc.). Some will want to shoot me for saying it, but every technology project needs a hell of a lot more than software developers to make it go. A project needs the help of great documentation writers, testers, managers, analysts, evangelists, etc. to make it, and more importantly, needs to have a culture of taking criticism and evaluating it objectively in order to have a chance at success.
Nessus's rejection of a system vulnerability database was unfortunate but not unexpected - I smell a VC in a room with a bunch of programmers (and nothing in between), plus a bunch of sensitive "Not Invented Here" egos. Nessus needed to integrate with its user community because its success was very dependent upon their feedback. Nmap has succeeded perhaps because it is a more concise tool with a focused objective and I've seen you take feedback out there and honestly respond to it.
I agree that this is not a good trend, and the question is how to reverse it.
Success in the open source community is still a rather unpredictable, undocumented (and too often, unrepeatable) event. Successful projects like nmap have happened through their founder's exceptional ability in demonstrating more than just coding ability, yet the community does little to document, educate and communicate this aspect. Projects tend to continue to make the same mistakes. Perhaps a start would be a FAQ on successful open source project methodologies that explains that brilliant code is only one of a dozen components required for success and details the others - perhaps building upon the best practices of the community's successful projects? If Nessus and others are to make it as viable open source, we need to build upon the understanding that it takes more than great code to succeed.
*scoove*
Re:GPL Considered Dangerous? (Score:5, Insightful)
Is it just me, or is this bafflingly ambiguous? I'm sure if I read the whole thing it would be clear, but I have no idea what that sentence is trying to say. I'll just stick with BSD for now.
Re:Well, this has been coming for some time... (Score:3, Insightful)
But the code was released under the GPL. The 'competitors' merely manufactured a device that (legitimately) included a copy of code made available under the GPL.
What's wrong with that?
Nothing, under the terms of the present GPL, hence I didn't say that competitors had "abused the license" or whatever. However, Nessus has been one of the most shamelessly exploited GPLed projects, and it that respect, it abuses Renaud's generosity.
By 'shamelessly exploited' I refer to the hordes of so-called "penetration testers" whose business model consists of little more than a) downloading a copy of Nessus b) whining on the mailing lists when they can't get it built c) eventually getting it built and working e) charging their customers large sums to run scans f) sending their customers virtually unaltered Nessus reports, often unchecked g) neglecting to give anything at all (be it money, or code, or even su) to the Nessus project. The present GPL doesn't require them to do anything more than that, but you'd kind of hope that ethics would dictate that they would. And if not ethics, then maybe a rather less short-sighted view of the necessity of certain bits of software to their business model.
Re:GPL Kool-aid (Score:3, Insightful)
Oh yeah he wanted to sell software and only sell software!
That's always been one of my points. If I wanted to sell T-shirts and tote bags, I'd already be doing that. If I wanted to be a consultant, I'd already be doing that. If I wanted to repackage commoditized software like the IT equivalent of a bottled water company, I'd already be doing that.
I never wanted to do any of those things. I always wanted to sell software, so I'm hooked up with a company that does that, none of it's Open Source, and I'm quite happy. Oh, and might I add that thew new Slashdot CSS business is a piece of crap--I can't even preview this post properly because my text is layered on top of the parent post! Do I want to wade through Slashcode? Hell no! That's not freedom. That's Slashdot's job.