Date: Thu, 6 Oct 2005 12:57:59 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: <gayn.winters@bristolsystems.com>, <freebsd-questions@freebsd.org>
Subject: RE: Nessus no longer open source
Message-ID: <LOBBIFDAGNMAMLGJJCKNMEIIFCAA.tedm@toybox.placo.com>
In-Reply-To: <058f01c5ca8f$a3ed7730$c901a8c0@workdog>
This happened with the SAINT scanner also, however they didn't have the decency to keep an older release train going under GPL. SAINT was a rework of SATAN, which was released open source, making that a particularly bitter pill. I believe when SAINT did this, that was what gave the impetus to Nessus to become popular.

Security scanning is an esoteric field and not a lot of people are true experts; however, there's a huge demand for it from some very deep pockets. Thus this kind of thing is inevitable. One of the duties of the OSS market is to serve as a spawning ground for commercial software packages. There was a huge amount of commercial software born from the BSD code, and in fact a number of the BSD networking utilities made it into Windows, including their BSD copyright notices.

Consider also that the military would almost certainly not want to use an open source scanner because that gives the enemy a list of what vulnerabilities you know about, and what ones you possibly don't. I can think of a number of other deep pockets like VISA that are the same way. Closing the source for Nessus 3 will open it up to consideration by a number of customers who would have been prevented from using it.

Almost certainly the research in the vulnerabilities that go into Nessus 3 will trickle into Nessus 2 eventually. So this move, far from being a blow to OSS, actually strengthens it. If you want to bitch about something then bitch about SAINT.

Ted

>-----Original Message-----
>From: owner-freebsd-questions@freebsd.org
>[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Gayn Winters
>Sent: Thursday, October 06, 2005 9:04 AM
>To: freebsd-questions@freebsd.org
>Subject: Nessus no longer open source
>
>
>One of the highest rated open source security programs, nessus, will no
>longer be open source. Quoting from an email from Renaud Deraison
><rderaison@tenablesecurity.com> to nessus-announce@lists.nessus.org,
>
>"Nessus 3 will be available free of charge, including on the Windows
>platform, but will not be released under the GPL.
>
>"Nessus 3 will be available for many platforms, but do understand that
>we won't be able to support every distribution / operating system
>available. I also understand that some free software advocates won't
>want to use a binary-only Nessus 3. This is why Nessus 2 will
>continue to be maintained and will stay under the GPL."
>
>I'm not sure if Nessus 3 will be supported as a FreeBSD package.
>
>Apparently the folks at Tenable feel that they have been supporting the
>open source community but have been getting little back in plug-ins and
>vulnerabilities and virtually nothing back on the scanning engine for
>over six years. In fact, they have been slowly tightening their
>licensing (cf.
>http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html), and
>it would appear that they can and will continue to tighten it over time.
>
>Fyodor's analysis
>(http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that
>the open source community should take heed. He provides a list of ways
>to contribute to open source software projects. While the list is
>excellent, there are no new ideas in it. The thing that seems germane
>to the FreeBSD community is that ports, even extremely popular ones, are
>vulnerable, since under the GPL the AUTHOR of the code is not bound by
>the same restrictions that the users are. I'm not a lawyer, but as I
>understand it, the author can create a derived work of something under
>the GPL and license the derived work (a "rewrite" in the case of nessus
>3) and arbitrarily restrict it. Given Renaud's claim that no one
>contributed to the scanning engine, he seems to have every right to
>create a new and closed version of it.
>
>The moral here, if there is one, is that if you really like a port, then
>you should contribute to it one way or another!
>
>Comments?
>
>-gayn
>
>
>
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe@freebsd.org"
>
>--
>No virus found in this incoming message.
>Checked by AVG Anti-Virus.
>Version: 7.0.344 / Virus Database: 267.11.9/116 - Release Date:
>9/30/2005
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNMEIIFCAA.tedm>