The source code of one of the world’s most popular free security tools will no longer be available to all, with its creator stating its open source licence was fuelling competition against his company. “Nessus 3 will be available free of charge … But will not be released under the GPL,” wrote Renaud Deraison yesterday to the software’s email mailing list.
Is this wise for the company? Devs can still fork the available source code that was already released under the GPL.
Doesn’t the GPL offer this? Which means that the latest code under the GPL must remain so. I see a fork coming.
Yeah, let’s do it
Did anyone else contribute to it? Did they cross-license their changes, or just allow him to use them under GPL terms? If he accepted contributions, and did not get a copyright transfer from the submitter, he might be violating the GPL (unless he rips out all contributed code that he can’t get a license for).
Would be interesting (but probably quite destructive) to see a contributor take a developer to court for closing their source.
This is what happens when you don’t understand that the license that you release your code under allows for this and other things.
People releasing code under the GPL seem to forget that others can take your code and make money from YOUR investment in the code, giving nothing back in return as long as they don’t modify it.
What this means is that where company A for some reason releases code under the GPL, thinking that it is safe to do so, at the same time as they sell a product based on that code to get back the investment, company B can come along, take the code, compile it, then sell it cheaper than company A can because the work is already done.
A better option would be to license it under a non-commercial license if they want to open source it at all, to prevent competition from making money off their work.
Ah, but company A can offer much better support than company B because they wrote the original piece of software.
example: Redhat vs CentOS
CentOS is redhat enterprise server compiled by some bunch of developers, which they give away for free.
Notice how Redhat still makes money.
Releasing code under a non-commercial licence makes big headaches for developers. What constitutes non-commercial? If I use it on my desktop computers in my office, isn’t that commercial use?
– Jesse McNelis
Ah, but company A can offer much better support than company B because they wrote the original piece of software.
The better your software, the less support it will require.
The worse your software is, the less users it will have, and the less support it will require.
The more users your software has, the more support it will require. The better your software, the more users it will have.
The more complex a task your software does, the more support it will require. The less technical your user base, the more support they will require.
Support is proportional to users and complexity, not quality.
Maybe so, but Redhat did not initiate the writing of the Linux kernel. The upfront costs of the software could never be retrieved by giving it away.
Why is Sourceforge not open source?
The fact is that if RedHat wrote Linux from scratch, it would not be GPL.
}snip{
~~This is what happens when you don’t understand that the license that you release your code under allows for this and other things.~~
}remainder discarded{
It is? Do you have other examples of GPL licensed software that is still released and maintained under one version by the originator and a newer version is distributed for free as a closed source project? I wasn’t aware that this was a common practice introduced by not understanding the GPL.
I got a message that the Forums were discontinued due to high volume and I resubmitted. My apologies.
It’s always a mess to close a GPL’d program; if there are no contributions from others he/they can close it, but all past releases stay GPL and subject to a fork if there is interest. If he/they incorporated non-trivial changes from others, he/they will either have to remove them, which is damn hard if there were lots, or rewrite from scratch or from a version before others contributed (if he still has such an early version). Either way, if there is enough interest in this type of program he/they will not get around competition, no matter if it is FOSS or not.
“If he/they incorporated non-trivial changes from others, he/they will either have to remove them, which is damn hard if there were lots, or rewrite from scratch or from a version before others contributed (if he still has such an early version).”
That’s what things like Subversion are for. The only bad thing about “ripping out” is the quantity that may be involved.
AFAIK the only GPL’d version is 2.x. So you can only fork the old version, should you want to.
I assume he wants to add some specific features to v3 and doesn’t want to share them. GPL is nice for free things but as soon as you wish to charge for it, someone else can just take your work and sell it cheaper than you do.
The story is a bit misleading, here is the relevant part:
—
“Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL.
Nessus 3 will be available for many platforms, but do understand that we won’t be able to support every distribution / operating system available. I also understand that some free software advocates won’t want to use a binary-only Nessus 3. This is why Nessus 2 will continue to be maintained and will stay under the GPL.
To make things simple :
– Nessus 2 : GPL, will have regular releases containing bug fixes
– Nessus 3 : free of charge, contains major improvements
The two versions can share most of their plugins — we intend to maintain backward compatibility whenever possible for most vulnerability checks. Some checks will only work on Nessus 3 (ie: we are about to release a set of plugins to determine policy compliance), but the huge majority will work on either platform likewise.”
—
You can read the whole announcement here:
http://mail.nessus.org/pipermail/nessus-announce/2005-October.txt
Put simply, Nessus 2 will stay GPL and I believe development will continue on it (well, let’s hope so). It doesn’t say anything about “its open source licence was fuelling competition against his company”. What gives?
GREED IS GOOD!
So when someone releases software under the GPL they completely give up their IP rights? I feel we will see a lot more of this as companies realize that the warm fuzzy you get by laboring to create FOSS software doesn’t put food on the table or a Ferrari in your garage.
No, you don’t give up your IP. That’s exactly what you don’t do. Protection of IP is essential in protection of the GPL.
“So when someone releases software under the GPL they completely give up their IP rights?”
No… Ever heard of copyright? Copyright is what the GPL is based on. Once copyright is invalidated THEN you give up all your IP rights, unless of course you patent the thing or register it as a service- or trademark.
Interestingly enough, those comments are the exact same kind made by a VA Software executive about the SourceForge software, which is not open source, because according to him, it would create cheap knock-offs and all of their hard work would be wasted.
And VA owns Newsforge and Slashdot, those bastions of GPL only people. How ironic that this story is not on Slashdot.
Sucks because I’d like to use Nessus on OpenBSD… and it won’t happen if it’s not open. Oh well.
RTFA: This doesn’t suck. At least not for the reason you claim. Version 2.x will still be maintained and offered under the GPL.
You may, however, whine and moan that the non-free ver. 3.x will be unavailable to you. You will have to wait until it is released to find out what exactly you won’t use that might be kewl.
BTW, if you “would like to use” it is there some reason that you aren’t using nessus now?
You might want to stick to the existing open source version of Nessus until it forks and a new open source one becomes available. For this type of software you simply cannot trust one that is not open source.
I appreciate that Renaud Deraison had courage to take that step. It’s not easy (today) to reverse your path and switch from a GPL based model back to a more fair one, with people starting to complain that you are stealing their freedoms… lol 😉 Sorry, last line was a bit trollish… or ironic.
Interestingly, he didn’t decide to use any open source license, including those that ensure your source stays open while others cannot modify / distribute it. That was a choice. Either he’s planning very advanced features he wants to lock for his software only, or simply he got somewhat hurt by releasing GPL software. He doesn’t state anything about that.
Interestingly, he didn’t decide to use any open source license, including those that ensure your source stays open while others cannot modify / distribute it.
Those aren’t Open-Source licenses. Perhaps you’re thinking of “Shared Source”?
I’m pretty sure those are Open-Source licences or can be.
There is a huge distinction between an open source licence and a free-software licence.
“I’m pretty sure those are Open-Source licences or can be.”
That’s just wrong.
From the Open Source Definition:
“3. Derived Works
The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.”
More info here:
http://opensource.org
Well, it depends on which is our definition of open-source. Since OSI cannot trademark those words, open source to me is anything which allows you to review the source, whatever you’re then allowed to do (so, in that way, SSL is an open-source license).
Maybe you’re right that OSI doesn’t list any license which doesn’t allow modification and redistribution… I’m not sure… I have to check that.
However, besides SSL, there are a number of interesting licenses which deserve merit, like the Creative Commons ones.
Yes, my original comment was about Mr. Deraison not choosing any license which would have protected his business rights while still allowing people to review source code (open-source, in my definition).
Maybe that could have been more suitable for a product which deals with systems security.
> open source to me is anything which allows to
> review source, whatever you’re then allowed to do
Please don’t insist on using the term Open Source with a completely different meaning than most people. This only creates confusion. The definition from OSI is widely accepted and can serve as a reference. Making communication more difficult is a Bad Thing(tm).
You can still create your own term if you want. 😉
> Maybe you’re right that OSI doesn’t list any
> license which doesn’t allow modification and
> redistribution… I’m not sure… I have to check
> that.
They only list licenses that allow modification and redistribution, and this is not a coincidence but an integral part of the very definition of Open Source software according to them ( http://www.opensource.org/docs/definition.php ):
– Free Redistribution
– Source Code must be available
– Must allow derived Works and redistribution thereof under the same terms
…
Please don’t insist on using the term Open Source with a completely different meaning than most people. This only creates confusion. The definition from OSI is widely accepted and can serve as a reference. Making communication more difficult is a Bad Thing(tm).
You can still create your own term if you want. 😉
Well, if we wish to be fair, I don’t like people or entities to abuse words like freedom and, of course, open source as well. Like the term itself implies, I consider to be open source anything in which source code is available (and thus “open”).
Of course, nothing prevents OSI in rebranding itself to something like:
opensourcebutnotintheliteralmeaningbutwithotherlimitationsyoushouldbeawareof
😉
BTW, you’re right. I remembered that you were right about the OSI definition and you confirmed that.
My point still holds, though. He could have just decided to use SSL or CC.
> I don’t like people or entities to abuse words like
> freedom and, of course, open source as well.
AFAIK the term didn’t really exist (i.e. not widely used or not used at all) before they tried to make it into a trademark for software (licenses) that conform(s) to the OSI definition. I don’t see any abuse there.
> Like the term itself implies, I consider to be open
> source anything in which source code is available
> (and thus “open”).
So you make discussions with you unnecessarily more difficult because you refuse to use the term “open source” with the widely accepted meaning (in the domain in question).
Imagine a discussion about Microsoft Windows with someone who insists that windows are things made of glass because that’s the literal meaning and that’s what the term implies.
> BTW, you’re right. I remembered that you were right
> about the OSI definition and you confirmed that.
>
> My point still holds, though. He could have just
> decided to use SSL or CC.
Erm, are you aware that I’m not the original poster?
Well, it depends on which is our definition of open-source. Since OSI cannot trademark those words, open source to me is anything which allows you to review the source, whatever you’re then allowed to do (so, in that way, SSL is an open-source license).
You can use whatever definition you like, no one can stop you; even if OSI had been able to trademark the term, realistically they couldn’t stop you from privately using the term however you like. But communication will be difficult if you use terms in ways that no one else uses. And you’ll find that what virtually everyone else means when they say open source is not what you mean, especially within the trade press, the general developer and technical community, Unix circles, and of course among free and open source developers themselves.
Even big companies that would love to do nothing more than muddy the waters by confusing the definition of open source generally refrain from doing so, probably because the press and users would call them out on their deliberate confusion. Thus Microsoft uses the term “shared source” to talk about their variety of partially open licenses. Sun never uses the term open source to describe their various semi-open and academic licenses. Suse never used the term to describe their old view-only license for YaST. And so on.
The term “free software,” in English anyway, has the difficult problem that the term also has another, commonly accepted definition – software that’s free, in the free-as-in-beer sense. People who prefer that term understand the difficulty but think the term is important nonetheless and would rather deal with the potential confusion than use another term, mostly for philosophical reasons (I disagree, but I respect and understand their beliefs and their choice).
But there’s no reason for similar confusion with the term open source. While “open source” also has a potential double meaning – the source is merely “open” or viewable in some way – it was coined by certain people at a specific time and place, with a specific meaning, and wasn’t in wide use with any meaning before that time. Most people and companies, especially in the world of technology, use and respect that meaning. So using the term to mean something distinctly different is, in my opinion, mis-using the term from a communications perspective, because much of your audience will be defining the term differently.
The term “free software,” in English anyway, has the difficult problem that the term also has another, commonly accepted definition – software that’s free, in the free-as-in-beer sense. People who prefer that term understand the difficulty but think the term is important nonetheless and would rather deal with the potential confusion than use another term, mostly for philosophical reasons (I disagree, but I respect and understand their beliefs and their choice).
“Free Software” is not the same as “Open Source”. To say that some people would prefer one term over the other is thus false. The former is often used as defined by the FSF, the latter as defined by the OSI.
It is important to understand that the FSF and OSI have very different views of software. In fact the reason that they are not in conflict with each other is that they are mostly orthogonal, where each one usually benefits from the side effects of the other.
Compare the usual BSD vs. GPL flame wars. It’s mostly the same, BSD being the OSI stance and GPL the FSF stance.
“Free Software” is not the same as “Open Source”. To say that some people would prefer one term over the other is thus false.
If you re-read my post you’ll find that I never said the terms were interchangeable. I merely made an analogy between the potential dual meanings that both terms have in English, for the purposes of demonstrating a point. Your trigger finger is itchy; my post had nothing to do with choosing one term over another or the difference in meaning between them. It wasn’t my intention to “go there.”
However, I will address that right now, since other responses in this thread have asked about the differences – hopefully my post will spark thoughtful discussion instead of flames from the peanut gallery (hope springs eternal!).
The fact is, many people are in fact preferring one term over the other (or choosing a hybrid term like FOSS to be inclusive or for fear of offending anybody) for what is, in their minds, the same thing: the collective body of software released under liberal terms such as the revised BSD, GPL, LGPL and Apache licenses. At this time, the body of active licenses accepted by the FSF as “free” and certified by the OSI as “open” are exactly the same (the old APSL license was a key example of a difference at one time, but has since been retired; to quote Stallman: “We disagree on the basic principles, but agree more or less on the practical recommendations”). The reasoning and philosophy behind the acceptance of the licenses are different, but at the end of the day, today, the actual licenses are the same. Thus many people, who don’t have a particular philosophical ax to grind but are merely seeking to describe certain software, are faced with a choice between those two equally accurate descriptive terms (or a hybrid term). For those people, using the terms in that way, it is indeed a difference of semantics, even if that rattles some folks who do have a philosophical stake in the matter and would prefer everyone use a certain term in all cases.
I’ll also address the “philosophy behind the acceptance of the licenses” mentioned above. Yes, there are important differences; but the difference is slimmer than many suggest. The OSI Open Source Definition is nearly identical to the Debian Free Software Guidelines, and not just because the same person penned them both. The OSI Open Source Definition nowhere mentions a particular development model (open source is still open source even with a completely closed development model), but is solely interested in what rights – indeed, what freedoms – the license grants the user. Of course Debian doesn’t speak for the FSF, but the fact is the delta between the actual substance behind the terms – while real – is smaller than many with a particular agenda suggest. None of which means that the two terms are identical or interchangeable (except in the practical sense described above), and they obviously come from very different places philosophically. I have no beef with those who feel that not only the term free software but the philosophy behind it is important and distinct, but our differences are real enough that there is no reason to exaggerate them further as some do (“open source people only care about development models and don’t care about freedom”).
What are the real differences, not in substance or practical effect but in terms of philosophy and intent? There are MANY. I don’t dispute that. A visit to FSF.org will acquaint anyone with Stallman’s philosophy of free software and his view of open source as a separate movement (I feel his version of the differences is a bit too harsh, and suggest that anyone interested also visit opensource.org and read the Open Source Definition).
What are the real differences, in the substance of what is required for a license to meet either definition, and not in philosophical theory? I’m aware of one primary distinction. The FSF’s Free Software Definition requires that licenses allow you to make private changes and not publish them (a requirement specifically embodied in the “distribution” trigger of the GPL). In practice this isn’t an issue because all current OSI open source licenses also allow this, although it’s not required by the definition. There may indeed be other practical differences I’m forgetting or not aware of.
It was not my intention to say that “open source people only care about development models and don’t care about freedom”. I do, however, think that a lot of confusion and flame wars exist because people don’t realize that there _is_ a difference.
My take on it is rather simple. I understand Open Source as the development methodology outlined in the Cathedral and the Bazaar by ESR, and Free Software as the movement to impose the moral rights that RMS believes in.
The conflict I see is that ESR and BSD proponents believe in the superiority of open source, while RMS and the FSF believe that the open source methodology is not superior enough to impose the freedoms sought. Thus a superior technical platform (GNU), with a discriminating license (GPL), is believed to be a requirement to that end.
I’m not taking sides, I’m just saying that there is room for conflict.
If you own copyright, then you can do anything you want with the code.
What was the point of this story? Oh, there is no point.
This sort of thing has happened before. It will just fork.
I remember the same thing happened with the intrusion detection software TripWire. It went commercial and was no longer GPL’ed.
What happened: first a fork was made and a version continued to be developed as GPL software, and it still has many people using it.
Second, even better GPL products came along like AIDE, Snort etc. that replaced it altogether, and some people prefer those now.
It’s not the end of the world.
Hmmm…I don’t think any forking will happen. If you read the story, v2 will keep being released as GPL (so no need to fork) while v3 (which will be released) has never been released as GPL yet.
So there’s nothing to fork here.
And if V3 has some excellent features that v2 doesn’t have (and won’t have)? Then I say fork version 2, check out v3’s new features, and then re-work and backport them into the forked v2 software. That will then take away users from v3 and force the developer to re-GPL it or lose customers altogether.
My take on this is an anti-GPL stance, and if he wants to do that, fine, that’s his choice. My choice is that I’ll avoid ANY of his software, and I’ll be proactive in telling others to avoid ANY of his software, and why.
Dave
And why would you do that? Do you want people to choose their software based on some principle or their need? If somebody sees value in buying his software, what is your problem, why would you recommend otherwise? Now if you are going to recommend / not recommend some software based on its quality then fine…
Version 2 will go stale because there is always a conflict of interest when a company does dual version (GPL + commercial).
A good example is the Smoothwall firewall. No release for over a year. And although there are a number of community contributed add-ons and even official security updates, it doesn’t change the fact that the main distro went stale.
The result now is that even a cheap Linksys router has more features than Smoothwall.
And that’s why we have IPCop which is a fork of Smoothwall.
So with Nessus, all the improvements will go into the closed version 3 and version 2 (gpl) will sit there stale without any improvements for years.
Happened before many times with other projects.
And that’s why GPL is so great because it protects against this kind of conflict of interest, split personality companies.
There is no doubt that Nessus will fork.
“So when someone releases software under the GPL they completely give up their IP rights?”
The current legal model for GPL is similar to charity work. In the same sense that you can’t take back a charitable donation given to a foundation whose public financials reveal they’re using money in a undesirable way, you cannot place a claim on your GPL software when another developer takes it in a different direction, posts the source, and starts selling it.
Suppose I write and sell a GPL app for GNOME and some developer starts selling a port he made for KDE. Even though the GPL requires that he release the port as GPL, I might not be interested in selling or supporting the KDE version, and I might wish that I had some way of preventing the sales of this port. However, the GPL doesn’t protect the exclusive right for the upstream developer to distribute or sell derivative works, only the nonexclusive version of this right is protected.
Since you are normally a BSD supporter, I should point out that the BSD/MIT/X11 licenses don’t protect any IP rights outside of credit. In addition, the MPL/CDDL licenses don’t protect your rights to distribute new source files (essentially new functions) in derivative works. However, the CDDL additionally grants the upstream developers an explicit right to patent on any new source files they contribute to a project.
So, if you want to release free and open source software such that any close derivatives of your work stay free, and you have explicit control over the competitive rights to distribute any derivatives of your code, then you should release under the CDDL. It doesn’t protect your right to distribute new functions developed by downstream developers, but it protects your right to obtain and exercise patents for the code you originate, thereby controlling downstream’s right to derive from your work.
…But it is so uncool to support the CDDL that no one would think this is a good idea. They would instead argue that the GPL should grant upstream control of derivative works. They would suggest that this should work outside the patent system, since patents are evil. So, they would argue for a license that allows downstream to copy and modify freely, but redistribute under the GPL only so long as upstream doesn’t tell them to stop. Upstream doesn’t need to shoulder the burden of applying for a patent or otherwise demonstrating the novelty and nonobviousness of their code before telling downstream to stop distributing their derivative. Sounds fair, right?
Or I could just release under the BSD license and hope for the best…
Just as I had predicted:
closed source -> open source -> closed source -> open…
So now “software only” companies are seeing that nobody pays for support or widget frosting if the product is super good, and unless they have a sugar daddy like Ubuntu, they cannot survive (pay employees, keep the lights on, pay the office rent) if the only product they have is GPL’ed. IBM/Sun/HP love open source because they get free software for their hardware products – what’s not to like about that? Geeez, Ford and GM would be sponsoring free oil exploration and the war in Iraq and the recovery in Louisiana if gas was free.
Welcome back to the 1980s era in software development!
The biggest issue here is that the original author did not write the whole thing. There were many contributions made to his project by a lot of willing participants, as this was an open source project.
The idea that now the original author can take over everyone’s code and close it seems to be totally nuts. This is one of the problems when you start a company based on an open source project, and want to make money out of the project itself, not services around it.
Ironically, I was checking out this company about a month ago thinking they were being really competitive with the product itself, and they weren’t going to play right with the same people that made the project happen. Well, what a surprise!
When you open a project and get contributions in one form or another by many people, you cannot go then and act as if you wrote the whole thing, and the contributions didn’t make a difference. That’s plain wrong!
As a software company owner myself, I understand the need to be competitive, but not with other people contributions. When you open source something, there’s no return back. This project in particular was made famous thanks to its open source, and contributions of people around the globe in one form or another.
I hope a new project forms with a better architecture, and without a particular owner.
The idea that now the original author can take over everyone’s code and close it seems to be totally nuts. you cannot go then and act as if you wrote the whole thing, and the contributions didn’t make a difference. That’s plain wrong!
Luckily, indeed this isn’t possible.
Any contributors would have to have signed a copyright assignment document saying the original author gets all IP rights. If they didn’t, the original author simply cannot relicense the code.
I hope a new project forms with a better architecture, and without a particular owner.
Copyright seems pretty adequate as it is.
IANAL, but I do think that a patch must exceed a certain complexity/size before it is considered a “work” and thus copyrightable.
It seems like the owners of open source security products are recently cashing in on everyone’s contributions. Again this is plain wrong!
It was just announced that SourceFire, the company that came out of the SNORT project, was just bought by CheckPoint.
They are saying the project will remain GPL’d, but lets see how long that’s going to last.
We definitely need two new projects now: a vulnerability scanner and an intrusion detection one. Any takers???
It seems like the owners of open source security products are recently cashing in on everyone’s contributions. Again this is plain wrong!
How is this different from Redhat/Novell/IBM/HP and Linus Torvalds himself financially benefiting from contributions to Linux?
We definitely need two new projects now: a vulnerability scanner and an intrusion detection one. Any takers???
What guarantees do I have that your project won’t be taken commercial? Maybe you’ll take my contributions and I’ll be left out in the cold while you’ll be warm with VC funding.
Deal with it, they got popular off the backs of open source programmers and they’re going to ride their way to the bank. It has happened before with MySQL, JBoss, Codeweavers and it’s not the last time. Why can’t you feel happy for them instead? (Typical GPL mentality of not being happy to see someone succeed, so you reimplement their software as open source.)
How are free software and open source software not the same thing? I know the emphasis of the FSF is on the political/philosophical, whereas the OSI emphasize the superiority of the “bazaar” model of software development. But at the end of the day, free and open source both allow you to:
0. Use the software however you want.
1. Redistribute the software.
2. Modify the software.
3. Redistribute modified versions of the software.
See: RE[5]: Kudos to courage…
Or go to FSF.org and see if you can distinguish between them from what the originator of Free Software has said.
Or not…
To everyone saying he can’t close the source after accepting contributions: sure he can. If he gets permission from each of the contributors, it’s kosher. Barring that, he can (as previously mentioned) rip out the contributed code (or some combo of the two, ripping out code from those who don’t give him permission). He is within his rights to do either.
“Version 2 will go stale because there is always a conflict of interest when a company does dual version (GPL + commercial).”
Hasn’t happened with Qt yet.
Hasn’t happened with Qt yet.
…but that’s different as it’s one product with 2 licensing options.