
Nessus 3.0 discussed

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source, Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What will happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."
  • GPL resistance? (Score:4, Interesting)

    by dada21 ( 163177 ) * <adam.dada@gmail.com> on Saturday November 26, 2005 @04:39PM (#14120285) Homepage Journal
    What is the primary reason that corporate policy precludes using GPL'd software? I thought the friction was reduced in the most recent GPL version. Is this being addressed in the next GPL?

    I know some consider it broken, but Nessus is fairly popular, and the GPL resistance seems a key reason for going closed source.
    • Re:GPL resistance? (Score:4, Informative)

      by fpu ( 96469 ) on Saturday November 26, 2005 @04:58PM (#14120350) Homepage

      Fyodor (author of NMAP [insecure.org]) posted about Nessus going closed source [seclists.org] in the nmap-hackers mailing list some weeks ago. It seems that Tenable's main point is not GPL resistance from the enterprise customers, but rather the fact that there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors. I, for one, can see their point, even if I am a strong advocate of free software (free as in FSF, not OSF).

      However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we no longer will be able to look under the hood. Since many of us automate Nessus directly through the command line client and parsing of NBE files, I believe that this will impact even power users very little.

      • Re:GPL resistance? (Score:4, Interesting)

        by Master of Transhuman ( 597628 ) on Saturday November 26, 2005 @05:35PM (#14120503) Homepage
        "there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors"

        First, the two points are independent.

        And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project? That's irrelevant to anything. Naturally, due to the nature of the concept of OSS, it would be BETTER if a community of developers appears and supports the project - that's the advantage of OSS over proprietary. But it's not a requirement per se. In fact, however, it usually indicates that there is a REASON for this - which might be how the project is run, the technical difficulty of the project, the niche market for the project, or any number of things - some of which might be solvable, some may not.

        The second point is just a refutation of the concept of OSS: instead of trying to make money from support or other business models using OSS, just dump the concept and go back to being proprietary. It's NOT A REASON, it's a CHOICE!

        And again, it goes back to the what and how of the project. Does Linus complain that Sun uses Linux while producing OpenSolaris - arguably a "competitor"? Granted, Linus doesn't view himself as a "competitor" in business against Sun - he's simply a developer who wants to advance the state of the art in OS building.

        The problem is, the Nessus guy does view himself as a competitor in a closed market. He wants to use Nessus to produce other security software and sell it. He views everybody else who uses Nessus to produce other security software to sell as "competitors". Well, they are - if that's your business model.

        It's an issue of perception, however, not necessarily reality. It's also an issue of whether you feel you can BE competitive on a level playing field - obviously this guy doesn't.

        That doesn't make his choice the right one - it's just his choice. I think it will cost him in the future.

        Open source doesn't mean you don't have competitors. Every project stands or falls on its merits in the marketplace of ideas. That's why we have something like a thousand Linux distros - most of which are utterly irrelevant to most users and utterly irrelevant to the position of Linux in the marketplace of users.

        And open source as a SOURCE of business models is not different. The question is whether you can develop a business model that allows you to make money - or even get "rich" (whatever "rich" means to you), if you're smart enough - and that's really not relevant to open source as a development model.

        Some people deride open source as a bunch of geeks working for free while somebody else gets rich off their efforts. While this may in fact happen on occasion, it isn't a direct consequence of the OSS development model.
        The only place where it might be an issue is in developing something that can be seized on by a company like Microsoft which ALREADY has a monopoly position due to its closed source model and its business practices and then turned against the OSS developer. The GPL was intended to prevent this by disallowing the incorporation of OSS software into a proprietary product and closing off access to the source.

        But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product. The OSS COMMUNITY says that you SHOULD return value to the original OSS product. But that doesn't always happen, nor should it always happen.

        If you develop an OSS product, and try to make a business out of it, you should be smart enough to assume that other people will take your product and try to develop a business around it as well - and conduct yourself accordingly. If you believe in the OSS model, you can find ways to continue to develop using that model and still compete effectively.

        The Nessus guy just doesn't believe in the OSS model, it's that simple.
        • Re:GPL resistance? (Score:3, Insightful)

          by rxmd ( 205533 )

          And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project?

          I guess the project developer certainly does.

          But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product.

          If I understand correctly, the competition wasn't exactly from competing OSS projects, rather from companies providing services around the system that he built. In effect, he had a hard time comp


          • While I agree that OSS should be a two-way street, it doesn't require EVERYBODY using an OSS product to contribute to the project.

            The idea that all users should be developers is nonsense. "Contributors", perhaps - "Here's a feature we'd like you to provide" - but even there, some people may use a product and be perfectly happy with what it does and not need anything else.

            You can't say they can't use it just because they don't contribute to the project. That's just making a contract law substitution for a m
            • Re:GPL resistance? (Score:3, Insightful)

              by LurkerXXX ( 667952 )
              So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

              It certainly is relevant. Now his competitors have to put in the effort to try to figure out how to speed it up by 5 and spend a LOT of their time coding. That puts it on a much more even lev


              • Not necessarily. His competitors in the SUPPORT business don't need to do anything. They can just wait for another set of OSS developers to fork the project, build in the speed improvement (you think they can't figure out how to do that from the existing code - or by reverse-engineering the new binary?), and then the support competitors can go right back to competing with him again on a level playing field.

                The worst that can happen to his support competitors is that they lose market share by having to wait
                • You're making a big assumption that another set of OSS developers WILL fork the project and continue development of it. Sourceforge is littered with dead projects that the original creators have stopped working on, and no one else has touched the code. FOR YEARS!

                  Even if some OSS developers do pick it up, you're making another huge assumption that they will be as good coders as the original developer, and work on it as hard as someone who's trying to base his living on it.

                  His failure to compete is beca

                  • "His failure to compete is because he has to do two things, develop the code AND support it, while his competitors only have to do one thing. Support it."

                    How is this different from any other closed source company? They have to develop and support, too, and their competitors in the SUPPORT business only have to support.

                    Entire classes of VARs exist that do just that.

                    And saying "support" means customization of the code, as some people here have said, is just a red herring. It doesn't. It merely means you known
            • When a developer goes OSS, one of the common motivations is to foster the creation of a community around the project, and I'd say lifting the development burden is secondary, albeit a very nice side effect. So when the community doesn't materialize, or meet the expectations of the principal creator, then it is fully justifiable for an alternative project model to take shape.

              Not to seem rude, but you write like a self-serving, egocentric user, and we developers don't have to please you. You are the lowest form of l

              • I said nothing about "expecting to roll forward without any contributions". I said it is not required for everybody who is a user to be a contributor, nor is it required that a community develop to BE an OSS project.

                And where did I ever mention moving to closed source as better for the species than OSS?

                Are you sure you're responding to the right post? If not, get a clue.
      • I am a strong advocate of free software (free as in FSF, not OSF).

        However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we no longer will be able to look under the hood.

        You are an advocate of free, as in FSF, software and you still consider software free in any meaningful way when you no longer can look under the hood? I think you need to learn a bit more about what the Free Software Foundation stands for.

  • Hold your horses (Score:3, Informative)

    by xfletch ( 623022 ) on Saturday November 26, 2005 @04:39PM (#14120289) Homepage
    Before the open source hordes come rampaging it is worth noting that Nessus is still free.

    Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software.

    They are looking to make money on their support of the product, which is a well established model.

    • Re: (Score:1, Insightful)

      Comment removed based on user account deletion
      • FUD!

        I would much rather a security app be F/OSS so I *can* see all of the code and spot possible vulnerabilities myself. Of course that is dismissing the fact that, according to TFA, most people are not coders and are not contributing to the code; still, as far as security by obscurity goes, that never works out, just look at Microsoft...
    • by Kjella ( 173770 ) on Saturday November 26, 2005 @04:57PM (#14120345) Homepage
      They are looking to make money on their support of the product, which is a well established model.

      And fully possible without closing the source. The name can be protected by trademark, and people would rather have the developers supporting it than someone else. Besides, there is no reason to assume it will continue to be free. Basically, it's no longer an OSS project, it's freeware given away by a business. Been there, in general rarely been happy with it. Expect NessusPlus for $$$ soon.
      • Re:Hold your horses (Score:3, Informative)

        by paranode ( 671698 )
        Yeah but they closed the source because competitors were getting all of the fruits of their development for absolutely nothing. Once you move out of the 'useful little app' phase and into something that people are seriously interested in for the large scale, it's time to reconsider giving your product away for free so somebody else can make money off of it. Most people would call this success though I guess the grumpy OSS zealots hate to see 'free' software developers actually get paid for their work.
        • It seems like they've modeled their company the same way as a closed-source software development shop, and it's not working out using the GPL, so they're closing the source. I can't imagine why it didn't work. (sarcastic)

          Think about it. Let's say Microsoft creates some tool, and develops it in house. They open the source under the GPL. Would you volunteer your time to help a company like Microsoft further develop their software? Sure, it's GPL, and so you can do whatever you want with it, but it's st
        • Yeah but they closed the source because competitors were getting all of the fruits of their development for absolutely nothing. Once you move out of the 'useful little app' phase and into something that people are seriously interested in for the large scale, it's time to reconsider giving your product away for free so somebody else can make money off of it. Most people would call this success though I guess the grumpy OSS zealots hate to see 'free' software developers actually get paid for their work.

          No, it
      • Re:Hold your horses (Score:3, Informative)

        by Sancho ( 17056 )
        As I understand it, the company was getting no return on the GPL investment. That is, they weren't receiving many, if any, patches from their users. And what's worse, their competitors were taking their ideas and innovations and using them in their own products.

        I like having the source available to me, but some people aren't in it for the humanitarian aspect. The owners saw no benefit from releasing the code under the GPL and were having some detriments, so they stopped.
        • As I understand it, the company was getting no return on the GPL investment. That is, they weren't receiving many, if any, patches from their users.
          There are other ways of getting a return from being GPL other than having patches. I'm sure that a lot, if not all, of its popularity was due to Nessus being a good GPL project.

          Now that it has dropped the GPL part, I predict it will lose a lot of popularity too.
      • Do you honestly think that most people would pay $500 for a product that can be acquired for $25 if rebranded? Yes, many people would rather support the developers, but they'd also rather save a lot of money. In the end, if it saves a lot of money, people will tend to opt for the rebranded knock off.
        • "Do you honestly think that most people would pay $500 for a product that can be acquired for $25 if rebranded?"

          Yes, I do. I also think that there's evidence that asserts exactly this. If your assertion were true, then CentOS (free, re-packaged RHEL) would be one of the most popular server distros in the corporate world. It's not.

          RedHat is a very profitable company because they see beyond the logical fallacy in your statement. You beg the question that people pay for software, not the services provided

      • And what would be so wrong with NessusPlus for $$$? It is a company. They DO have to pay the bills. They were getting VERY LITTLE outside help from other developers. I say go for it. It is and has been an excellent product and I'm sure we'll get nothing less on the quality side in the future, be it free or for money. I for one would buy their product if they decided to sell a Plus version and would still use their free version as well just to give them a bit more support. I'm a LOUSY programmer for the mos

    • They are looking to make money on their support of the product, which is a well established model.

      Although still free, many will choose not to run the newer version without the source. The reason is simple: security. With the source code being open it can be reviewed. First by the contributor, then by the approver, and if needed, by yourself.


    • At the moment, I'm not saying that's not a good thing. It's good that the new version of Nessus will still be free (albeit with restrictions.) And of course there's nothing wrong with charging for support - that's not even an issue here.

      I'm just saying the guy doesn't accept the OSS model anymore.

      That's fine, but his reasons aren't reasons - they're either irrelevant or simply a refutation of the OSS model per se.
  • by lampiaio ( 848018 ) on Saturday November 26, 2005 @04:41PM (#14120291)
    Wikipedia entry [wikipedia.org]
    Official Website [nessus.org]

    sorry, bad karma makes people do this kind of post...
    :(
  • by Anonymous Coward on Saturday November 26, 2005 @04:46PM (#14120311)
    You own the project. You can decide whether it's open source or not.

    However, some questions:

    1. Can someone more familiar with the licensing process elaborate on the pandora's box here?

    Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

    2. Why wouldn't they just keep the CVS tree accessible by main developers and give only those important people commit access?

    Like pretty much any large project (*BSD, Linux kernel) does? Yep, I know -- they make it so those without such access cannot check out code just to see if they want to be part of the project in the first place. But could they be convinced if enough people show interest? I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

    3. How long until we see OpenNessus or (insert clever derivative name here)?

    Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

    Just curious.
    • http://it.slashdot.org/article.pl?sid=05/10/06/1853248&from=rss [slashdot.org]

      "you are a code contributor who in **good faith** contributed a patch or entire modules"
      It seems that there were not many contributions by the OSS community anyways. They've been GPL for SIX years w/ little support from those who know how to program. Shame on us, I guess. --iggy
      • If there are *any* then they have to contact the authors and get permission or remove the code.

        Even if it's a single line if it's contributed under GPL it remains GPL unless the original author decides to relicense it (although it'd be difficult to prove a single line GPL violation in court, and most wouldn't bother).

        Changing OSS project licenses is a difficult job, and for some projects may not even be possible short of a complete rewrite.
    • by eht ( 8912 )
      1. Many open source projects require you to transfer copyright of any submitted code to them, not to sublicense it to them under your choice of code.

      MySQL for example will license you their source in either GPL or non-GPL varieties so that you can incorporate it into your software to resell and not provide a license, they can dual license because they own all the code, they could not dual license if someone had submitted code under the GPL to them.

      They also seem to have not had very many people contribute b

      • I don't see how the next version of the GPL can "close" that "hole". And if it does, we're likely to see more proliferation of licenses than we have to date.

        The idea that providing support for an OSS project independently of the project is against the OSS concept is just nonsense. The GPL is intended to insure access to source code and prevent that source code from being appropriated by proprietary companies and closed. Nothing more. It says nothing and should say nothing about how money is made around OSS.
      • by xant ( 99438 )
        Anyone can support Nessus whether they own the code or not. They can't fix bugs in it, but that's not what support is really about. Support consulting is mostly "help us set this up" or "help us customize this". Although I've never used Nessus, I suspect it's highly configurable and customizable, as are most products that have any features meaningful to "support". The company has achieved nothing by this move, and Nessus will probably become much less popular because of it, until an open source replacem
        • Anyone can support Nessus whether they own the code or not. They can't fix bugs in it, but that's not what support is really about. Support consulting is mostly "help us set this up" or "help us customize this" [...]

          If by "own[ing] the code" you mean holding the copyright to the code, your first sentence is quite right—free software allows users the freedom to support the program without holding the copyright to the program. What passes for support is often instruction on how to use a program.


        • Agreed. And my prediction exactly. Tenable has cut its own throat.

          They've blamed the wrong thing for their failure to date - which guarantees greater failure in the future. Classic bad management.
    • Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it?

      If the project is (L)GPL and you contributed under the GPL, they can't close the source.

      If the project is, say, MIT, X11, or BSD licensed, and you contributed under one of those licenses, then they can.

      I guess that's the problem -- too many users, not enough developers or users with enough motivat
    • > Imagine that you are a code contributor who in **good faith**
      > contributed a patch or entire modules under the assumption that such
      > contributions were going to be under that open source license. Now
      > that the company pulls the source and closes it down, does that mean
      > they took your work and will use it for their closed source purposes
      > without your consent?

      Absolutely not. If you contributed a whole module or file, you own the copyright for it (unless you transferred the copyright to th
    • by m50d ( 797211 )
      Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your han
  • by TechnoGuyRob ( 926031 ) on Saturday November 26, 2005 @04:49PM (#14120320) Homepage
    ...that as technology grows more and more sophisticated, companies will start outsourcing more and more. It used to be affordable to hire a guy or two as permanent company staff to manage your website or network servers. But now you need to ask an entirely different company to provide you the services necessary for network administration.

    Hopefully, Nessus 3 will also solve some of the problems Nessus has been having. According to Wikipedia [wikipedia.org], "some of Nessus's vulnerability tests can cause vulnerable services or operating systems to crash." For those who are wondering, Nessus scans for vulnerabilities mostly at the application and network layer. Usually it port scans open ports for vulnerabilities, and looks for various network problems such as computers in promiscuous mode [wikipedia.org], etc.

    For any of you network admins out there, a friend of mine has a medium business LAN and has been using Nessus, and it's working very smoothly for him; however, I recommend looking more into it before making any quick decisions based on Slashdot articles.
    • Okay, so I didn't read TFWikpediaA, but I've used Nessus lots, and never had it create a DoS or system crash... as you configure it, it makes it quite clear that certain tests can cause these problems and you have to be extremely explicit in your configuration of a pen-test to enable those modules... It's important that they be there so that you can set up a sandbox and really try to knock the lights out of your servers, but if someone runs these same modules on a production box with vulnerabilities they kind
    • If there are Nessus tests that can cause a service or OS to crash, then that service or OS has an urgent security vulnerability that needs to be fixed. I wonder whether these vulnerabilities have been posted to Bugtraq and the like? Or maybe they are widely known, but the companies who produce the vulnerable product never fix it?
  • the sad thing about closed source is there is no way to tell what info is being sent back to the manufacturer, a la microsoft.
  • by xtal ( 49134 ) on Saturday November 26, 2005 @04:58PM (#14120351)
    It's unfortunate it went closed source versus a service-supported model, but in the real world, there's cheques to sign. If one group is doing the efforts and not being compensated, that's the cathedral model, and cathedrals have collection plates. Open source works best when users are developers. That also explains the state of most of the user interfaces on the more complicated projects. (sarcasm, but with a grain of truth)

    Something else I've noticed is open source works well on widgets and shared components and APIs. Once the toolset becomes very focused and vertical in appeal, the model works less well - unless the users are also developers.

    It will be interesting to see how the forked version works.

    Smoothwall has done a good job with their approach. We'll see how it continues in the future.

    • "but in the real world, there's cheques to sign."

      Let's not forget also that in the real world, there are people who figure out how to get checks signed - and people who don't. That's true for proprietary software companies, too.

      If you can't figure out how to make money from open source, the decision is usually to go closed source.

      Says nothing about open source as a business model, really (especially since open source ISN'T a business model, it's a development model). Says lots about the decision maker.
      • Actually it says EVERYTHING about the open source business model. If it is far easier to make money with the proprietary business model than the open source business model then that means the open source business model SUCKS .....at least for making money.

        What it says about the decision maker is that they're smart enough to realize that trying to make a crappy business model work is a waste of time.
        • The Industry is paved by failed companies following proprietary models. And that's the point; business is difficult no matter what strategy you follow.
          • The success rate of proprietary business models is far greater than that of open source business models. It's such an obvious tenet that most people don't even attempt open source business models to begin with because they know that 9 times out of 10 it's an exercise in futility. So yes, business is difficult no matter what strategy you follow, but that's no reason to go about picking a business model even more likely to cause you to fail.
            • I'm not so sure that IS an obvious tenet. The problem would be coming up with decent hard data to show this one way or another. Otherwise, this is simply a statement of personal perception. It would seem mine is different from yours.

              Having said that - I won't claim that a business based on Open Source code is easy. And, in fact, it is probably counter to many individual's instincts. So it may very well be harder. But on the other side, there are plenty of industries based on commodity products that m
              • The nature of open source gives way to far more leeches using your stuff than actual contributors contributing. And it's not exactly a commodity. A true commodity is a commodity even to the company that sells it. With open source, some company out there is actually putting in the effort of creating the product which is then released for free (either GPL or BSD license) to the world. So for the rest of the world it's a commodity, for the author it's their creation and they need to profit from it regardless tha
                • The nature of open source gives way to far more leeches using your stuff than actual contributors contributing.

                  It can. And it has in some cases. The real issue is whether the leeches are damaging you or not.

                  And it's not exactly a commodity. A true commodity is a commodity even to the company that sells it. With open source, some company out there is actually putting in the effort of creating the product which is then released for free (either GPL or BSD license) to the world. So for the rest of the w

        • "If it is far easier to make money with the proprietary business model than the open source business model then that means the open source business model SUCKS .....at least for making money."

          First of all, as I said, the OSS model is NOT a BUSINESS model, it is a DEVELOPMENT model. Therefore your entire argument is irrelevant.

          Secondly, you can produce a business model around the OSS development model to make money with. Red Hat and numerous others do. If Tenable is trying to develop a support income from Ne
  • That maybe this is a betrayal of the Open Source and Free Software initiatives that we hold valuable.

    I'm poor, so I know that I'm going to be flamed into Hell. But I don't care. These people closed the source on something that open source proponents need: good network administration tools.

    Money be damned. They hurt the F/OSS cause doing this. Whether they owned the copyright to Nessus is beside the point. This was a serious set back that will take those of us who use F/OSS Software months and possibly years to r
    • There is a moral in there somewhere.

      Support open software, or you'll lose it.

      If people had contributed to Nessus in the past then this situation wouldn't have happened. The only people who are likely to be harmed by this are the ones who did nothing to help in the first place.
    • I'm as big a free-software supporter as anybody (I am releasing all of my graduate work GPL), but I don't see your problem here. You can fork the last GPL version, you don't have to start from scratch. The great thing about the GPL is that there are no take-backs. Is it someone's obligation to keep working on a GPL project you like? Hell no. As long as they aren't trying to take contributors' GPL code and close that (I'm quite sure they have dotted their i's and crossed their t's on this one), then the
    • It is beyond my ability to help them. I have used what little expertise I have to do what I can to contribute, but I cannot contribute what I do not have. Only now am I completing Intermediate C++. Why did I choose to take Intermediate C++? It wasn't a part of my major in IT, and I didn't need any more electives.

      I did it because this is the third neglected Open Source or Closed source project I had seen. First ZDaemon, a formerly Linux accessible Network for Doom 1, 2, and Final Doom, until the mainta
    • Do you enjoy being poor then? Because if you do then maybe you can create a useful product that's used by tens of thousands of businesses at no charge and you will be poor forever.

      Yeah, the hardest part was finding qualified people to work on the existing open Nessus. Nobody did... competitors got the product for free and used it for their own profit, now we are here. Kudos to Nessus for having the balls to put food on the table despite the rantings of inconsequential zealots.

  • They can't use v2 source in a v3 product, because then keeping contained v2 source secret would violate the v2 GPL. So they're writing v3 from scratch?
    • Wrong (Score:3, Insightful)

      by Lifewish ( 724999 )
      They wrote effectively all of V2, they can do with it as they wish (the GPL is a nonexclusive license, hence the success of dual-licensing). The only hairy issue is patches from the FOSS community, but apparently those were few enough to be handled on an individual basis or something.
      • I don't know what you mean by "nonexclusive", but the GPL certainly does require compliance with its terms: any changed GPL'd code distributed requires release of all source code. It's an interesting question whether the licensor is bound by the license - probably not. But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.
        • There is no question that the licensor is allowed to offer their own GPL'd code under any other license, or stop participating in GPL distribution of the code. Any patches submitted under the GPL would keep the project GPL only IF the copyright is not transferred to the original project. Many projects require copyright transfer to contribute; one notable exception is the Linux kernel itself, which will probably never be anything but GPL due to the massive tangle of licenses covering damned near the whole
        • Re:Wrong (Score:3, Insightful)

          by say ( 191220 )

          If you study FSF's GPL howto [gnu.org], you'll notice how important it is that you first preserve your copyright of the code, then GPL it. This is to establish that you - the copyright holder - choose to do the GPL on your own rights. Notice how this only works because you own the rights yourself.

          You can obviously withdraw this later, but people who have used/copied/improved/whatever'd your code won't be forced to stop using it. This is specifically stated in the GPL. But I can take what I own the copyright for, and

        • Re:Wrong (Score:5, Interesting)

          by Yaztromo ( 655250 ) on Saturday November 26, 2005 @08:25PM (#14121237) Homepage Journal

          But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

          The simple solution to which is simply to remove the contributed code completely, and independently re-implement its functionality (if having that functionality is desired and/or necessary).

          I had to do something similar (but for a release in the opposite direction -- from closed source to OSS) for the jSyncManager Project [jsyncmanager.org]. The version 1.0 series was coded entirely by myself, and was only ever released as closed source software (albeit as 100% free-as-in-beer software via the web; I completed v1.0 of this project as a thesis project, and felt that getting outside help by allowing others to inspect and comment on the code might have been considered "cheating" by some). A few weeks after v1.0 was released, I was hired by IBM Canada as a software developer.

          The problem then became that nasty contract provision you have to sign when you join a company like IBM: the "what's yours is ours, and what's ours is ours" agreement, which basically states that anything you develop while employed by the company, even if it is completely on your own time and uses nothing learned from your employment at the company, belongs to the company. Fortunately, I was able to list existing technologies I had developed prior to joining IBM on said contract -- they were exempt so long as I stopped working on them while employed by the company.

          There was, however, significant interest in the technology within IBM, and an IBM branded version called "ManplatoSync for Java" eventually made its way to IBM's alphaWorks [ibm.com] website. It included a significant rewrite of the GUI code, along with some new functionality, parts of which were contributed by other IBM employees. The intention was always to release the sources under the IBM Public License -- but the legal eagles had continuing discussions (which I wasn't part of) and kept holding off on a source release (the whole discussion of which apparently died once I was released from the company).

          When I was later let go from the company, and free from their restrictions as to what I could and couldn't work on, I decided I wanted to release the jSyncManager as Open Source Software. But I couldn't just take ManplatoSync for Java and re-brand it back to the jSyncManager -- it was encumbered with IBM copyrights. I couldn't even retain functionality since jSyncManager v1.0 which I myself had written in those intervening 2.5 years, because it too was considered IBM property (never mind the fact that I wrote it and didn't get paid one single red cent by IBM for any of it. Indeed, when I was later invited to speak on the technology at various conferences, the company forced me to use my own vacation time to do so).

          At that point, I had two choices: give up and find something else to work on, or suck it up and go back to the pre-IBM sources and work from there. And that's what in the end I decided to do: I took my pre-IBM sources, made them Open Source, and then worked my ass off to re-implement all of the lost functionality (along with a lot of functionality that the IBM releases never had, like USB device support and network data synchronization), and released it all as GPL/LGPL software.

          The Nessus team could very well have elected to do something similar -- just strip out any external contributions, and then work from there. The unfortunate thing about going from Open Source to Closed Source, however, is that contributors are now forced to take the team's word for it that they stripped out any such contributions (assuming that they didn't re-assign copyright to the Nessus project when they were submitted -- something I've never asked any of my contributors to do), as you can't look at the source to see if your code is still in it (i

          • That's a fascinating story that certainly sheds light on this whole subject. I'm curious why you released the source under GPL, and whether that worked out as you expected.
            • Re:Wrong (Score:3, Interesting)

              by Yaztromo ( 655250 )

              I'm curious why you released the source under GPL, and whether that worked out as you expected.

              There were a few factors which played in this decision:

              • I was fresh out of work, and needed a project to keep me busy,
              • I didn't want to wind up in a similar situation with my next employer. By releasing the code as GPL/LGPL, and putting it on SourceForge, at least it couldn't be buried in a filing cabinet somewhere, even if I weren't permitted to work on it anymore (and with more and more employers in the com
        • I mean that, if they license their code under the GPL, they are also free to separately license their code under any other system they like. It's written into the license.

          But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

          That's what I was talking about before. Apparently they didn't get enough contributions that they couldn't easily write them out. This almost total lack of outside contributions in

    • The GPL only grants rights and doesn't take any. Because the owner of the code has all rights to modify and redistribute it anyway, he can ignore the GPL.

      They just have to throw away any code that has been contributed under GPL, because that code is not theirs.
    • If I write code and release it under the GPL, I retain the copyright. I am free to issue that same code under another, less-free license to use. Or, completely closed, as it is in this case. That decision does not affect prior releases.

      I am NOT free to pick up my marbles and go home; anyone USING the GPL version of the software has been granted the right to redistribute, so long as they include the source and maintain the GPL. That's the "viral" bit. The code has been infected by the GPL, and any modificati
  • by penguin-collective ( 932038 ) on Saturday November 26, 2005 @05:39PM (#14120521)
    'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.'

    If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors.

    Just writing software, making it open source, and having it become popular doesn't create an "open source project"--you have to design and manage the project as an open source project. You have to make it easy for people to contribute, organize the code appropriately, be nice to potential contributors, and give people an incentive to contribute.

    (Just one data point: last I looked at Nessus, it didn't look like a good foundation to build on for our needs.)

    • Excellent point.

      As I say in posts elsewhere, the fact that supposedly nobody contributed to Nessus probably has a REASON behind it, and in any event is irrelevant to the decision to close the source. They're simply trying to say that it won't make any difference by closing the source since it was all theirs anyway - and that is not necessarily true.

      The REAL reason is they can't figure out how to compete against people using their product without closing the source.
    • "If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors."

      EXACTLY! Thank you for pointing out the bloody obvious, that those who commit will never be able to accept, nor identify, as self-criticism is (seems to be) a virtue.

      I've seen this with so many projects, it's not even funny. One won't believe how many projects out there expect the product
  • So Here's The Deal (Score:5, Interesting)

    by Effugas ( 2378 ) * on Saturday November 26, 2005 @05:49PM (#14120558) Homepage
    OK, so this is a fairly painful post to make. Ron Gula and Renaud Deraison were the first guys to bring me out for an interview after I graduated from college, and I've been supporting their attempts to manage those who really do just steal Nessus. But, in the interest of intellectual honesty, I've been asking around regarding the closing of the Nessus source.

    First of all, according to multiple sources, apparently the reason why there isn't a significant number of free plugins is because Renaud et al simply don't accept them, or when they do accept them, they substantially rewrite them enough such that a non-free version is what eventually makes it into the source. Now, I don't know this from personal experience -- and Renaud et al are welcome to deny this -- but this preference for suppressing the GPL component of Nessus has been strong enough that contributed free plugins have been suppressed because of overlap with non-free.

    Such behavior does not grow a developer community. Tenable has implied that there are a lot of leeches out there, and while indeed they have to suffer the most pernicious of parasites (companies that just rebrand their code!), there's good evidence that says the reason they don't get much code from the community is that they supposedly refuse what they do get.

    I wouldn't speak up on this, but I have to balance my continuing appreciation for Renaud et al's work (which, mind you, still has a very nice license for our needs) against the need to stem accusations that nobody ever tried to give back to Nessus. People have tried.
  • Nessus is a wonderful product and I support the creators right to determine the destiny of this project. Tenable apparently was facing stiff competition from those who took advantage of the free (as in beer) aspect of their GPL license to open a competing bar.

    My concern with the closing of the source on this project is specific to its function, ensuring security. Security is one of those funny program spaces where perception is all but reality. Enlightened paranoia is the order of the day. And the wonder
  • Here is my scenario.

    I start a project with my company; it's getting pretty complex, but I'm starting to like what I do on that project.

    I ask my boss if I can use it for a personal project, hence work on it when I'm not in work.

    He agrees to open source it so other people can help me.

    The program reaches v1 to my company's standards, so that they don't need me.

    I lose my job, but carry on my GNU program.

    They close up the source to the program and start selling it.

    I either keep the name of my program or call it OpenW

  • ...but there are other ways to deal with it. One of my key bones with the GPL is that it doesn't do enough to protect small developers and pretty much makes it easy for corporate giants to walk all over them due to their increased advertising and branding power. An example is Mandriva's Embeddix, a rebranded LRP (Linux Router Project). The problem here is that the LRP shut down because of this; they got fed up with Mandriva doing no work and stealing their code and so they stopped developing it, thus the F/OS
  • There is a fork (Score:3, Interesting)

    by timbrown ( 578202 ) <slashdot@machine.org.uk> on Saturday November 26, 2005 @07:56PM (#14121090) Homepage
    Speaking as one of the folks behind the OpenVAS (www.openvas.org) fork, there are plenty of people interested in maintaining an open source alternative. Interestingly many of these people have attempted to work with Tenable in the past and have had their contributions ignored. IMO Tenable didn't understand how they could make money off the Nessus project without closing the source.

    As a side point, it would be interesting to understand how Tenable have dealt with contributions that they did accept for version 2 - have they been removed completely from version 3?
  • For the last five years, I have been running a company with 10 people which lives from open source.

    We have made enough money to sustain the company (and pay high Austrian taxes), but not enough to get wealthy.

    Specifically, we have made money from other people's efforts, i.e., Nessus, Snort and NMAP. We've done this by building on the work of others, and putting a usable front end on them for corporations (we call it Event Horizon), plus adding commercial-grade support. Sourcefire did the same thing
