A lesson for OSS: Nessus drops the GPL.
I wondered how long it would take for Renaud to complete the licensing transition from open source for Nessus to closed.
Seems like today is the day. He announced that Nessus 3.0 will still
be free of charge (for now), but will NOT be released under the GPL. In
his words:
Nessus 3 will be available free of charge, including on the Windows
platform, but will not be released under the GPL.
Nessus 3 will be available for many platforms, but do understand that
we won't be able to support every distribution / operating system
available. I also understand that some free software advocates won't
want to use a binary-only Nessus 3.
As a fellow entrepreneur, I understand that he wishes to find
methods to increase revenue and protect his interests. But I also think
his positioning on his reasons is slightly flawed. His reasoning is
that:
“virtually nobody has ever contributed anything to improve the scanning _engine_ over the last 6 years.”
I wouldn't doubt that's the case. But this quote to the Nessus list
bugged me today, and I will tell you why. In May 2002 I formed a
company called VulScan Digital Security. My plan was to port the Nessus
engine to Windows (keeping the engine still under GPL) and design a
more in-depth proprietary management tool for network pentesting to
compete against the big boys who were charging insane amounts of money.
I was about a quarter of the way through the port when I ran into some
issues with the NASL scripting, and I tried to contact Renaud and his
crew to point out some issues I found. The help I got? Squat. Nothing.
Barely even communicated with me. I only ever got a couple of email
responses saying “I was free to do it” when I asked if I could do it in
the first place, and a follow up to an issue I found with a quick
thanks. At that point I realized I wouldn't be getting any support and
I dropped the project. If you can't get support from the original
authors, it doesn't make a lot of sense to carry on.
Now he is pointing out that he received no contributions to his
code. Of course not. No one wants to work with someone like that
without forking off into its own project. And we all know how f*cked
forked projects normally end up.
Now, Fyodor and the Nmap project,
on the other hand, “get it”. Any time I have come across an issue and
asked for help, Fyodor has always emailed me back in a timely manner
and with useful information. And you know what?? I have submitted
patches to fix things once I got my head around what the real problem
was. The whole raw socket XP SP2 fiasco had a fix within 4 hours of
Fyodor and I talking about it. After my patch submission we found that
a new ARP caching issue also existed. Only took me another couple of
hours to have that written and tested and Fyodor put it into the Nmap
base to get Windows people going again. Give and take. THAT's how an
open source project should work.
Today Fyodor posted an email discussing how Nmap will not follow
Nessus. Thank you for that Fyodor. As a regular nmap user I appreciate
that.
I wish Renaud and Nessus all the greatest success in marketing
Nessus. Let it be a lesson to all of us though. Open source software is
about give and take. If everyone just takes and never gives back, don't
assume it will always be there for you. On the flip side, if you manage
an open source project and want help, make sure you give respect to
those willing to dig in and help. Otherwise they will leave you just as
quickly.
Have an interesting open source vulnerability scanner you are working on, or planning to fork off Nessus? Email me at dana@vulscan.com and let me know.
[Dana Epp's ramblings at the Sanctuary]