From: "Ted Mittelstaedt"
Delivered-To: freebsd-questions@freebsd.org
Date: Thu, 6 Oct 2005 12:57:59 -0700
Subject: RE: Nessus no longer open source
In-Reply-To: <058f01c5ca8f$a3ed7730$c901a8c0@workdog>

This happened with the SAINT scanner also; however, they didn't have the decency to keep an older release train going under GPL. SAINT was a rework of SATAN, which was released open source, making that a particularly bitter pill. I believe when SAINT did this, that was what gave the impetus to Nessus to become popular. Security scanning is an esoteric field and not a lot of people are true experts; however, there's a huge demand for it from some very deep pockets.
Thus this kind of thing is inevitable. One of the duties of the OSS market is to serve as a spawning ground for commercial software packages. There was a huge amount of commercial software born from the BSD code, and in fact a number of the BSD networking utilities made it into Windows - including their BSD copyright notices, in fact.

Consider also that the military would almost certainly not want to use an open source scanner, because that gives the enemy a list of what vulnerabilities you know about, and what ones you possibly don't. I can think of a number of other deep pockets like VISA that are the same way. Closing the source for Nessus 3 will open it up to consideration by a number of customers who would have been prevented from using it. Almost certainly the research in the vulnerabilities that go into Nessus 3 will trickle into Nessus 2 eventually.

So this move, far from being a blow to OSS, actually strengthens it. If you want to bitch about something, then bitch about SAINT.

Ted

>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Gayn Winters
>Sent: Thursday, October 06, 2005 9:04 AM
>To: freebsd-questions@freebsd.org
>Subject: Nessus no longer open source
>
>One of the highest rated open source security programs, nessus, will no longer be open source. Quoting from an email from Renaud Deraison to nessus-announce@lists.nessus.org,
>
>"Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL.
>
>"Nessus 3 will be available for many platforms, but do understand that we won't be able to support every distribution / operating system available. I also understand that some free software advocates won't want to use a binary-only Nessus 3. This is why Nessus 2 will continue to be maintained and will stay under the GPL."
>
>I'm not sure if Nessus 3 will be supported as a FreeBSD package.
>
>Apparently the folks at Tenable feel that they have been supporting the open source community but have been getting little back in plug-ins and vulnerabilities and virtually nothing back on the scanning engine for over six years. In fact, they have been slowly tightening their licensing (cf. http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html), and it would appear that they can and will continue to tighten it over time.
>
>Fyodor's analysis (http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that the open source community should take heed. He provides a list of ways to contribute to open source software projects. While the list is excellent, there are no new ideas in it. The thing that seems germane to the FreeBSD community is that ports, even extremely popular ones, are vulnerable, since under the GPL the AUTHOR of the code is not bound by the same restrictions that the users are. I'm not a lawyer, but as I understand it, the author can create a derived work of something under the GPL and license the derived work (a "rewrite" in the case of nessus 3) and arbitrarily restrict it. Given Renaud's claim that no one contributed to the scanning engine, he seems to have every right to create a new and closed version of it.
>
>The moral here, if there is one, is that if you really like a port, then you should contribute to it one way or another!
>
>Comments?
>
>-gayn