RealTime IT News

Is Open Source Nessus Closing Its Source?

The way that the open source software development process is supposed to work is that users contribute to the greater whole, thus benefiting everyone.

But it doesn't always work that way.

A case in point is the popular Nessus vulnerability scanner, which is moving away from the GPL license for its next version. Nessus is a widely deployed tool that helps IT administrators identify vulnerabilities in their networks.

Renaud Deraison started the Nessus Project in 1998, and in 2002 he co-founded Tenable Network Security under which Nessus is currently developed.

Deraison announced that Nessus 3.0 is set to debut in the next few weeks and will not be licensed under the GPL, though it will be available free of charge. The existing Nessus 2.0, which is licensed under the GPL, will continue to be maintained under the GPL with bug fixes.

The 3.0 branch that is not GPL-licensed will have major improvements and enhancements over its predecessor that will make it "much faster than Nessus 2.0 and less resource-intensive."

Among the reasons for the move away from the GPL are two issues that open source advocates have traditionally touted as the license's strengths, namely community development and the "freedom" of code such that it can be re-used and redistributed by anyone.

In a mailing list posting, Deraison commented that, "Virtually nobody has ever contributed anything to improve the scanning engine over the last 6 years."

Deraison also took aim at the GPL itself, which, in his opinion, is not in the competitive best interests of his firm.

"A number of companies are using the source code against us by selling or renting appliances, thus exploiting a loophole in the GPL," Deraison wrote. "So in that regard, we have been fueling our own competition and we want to put an end to that. Nessus3 contains an improved engine, and we don't want our competition to claim to have improved "their" scanner."

The move away from the GPL may not necessarily have a significant effect on its use by Linux distributions, though. Industry Linux leader Red Hat currently does not include the Nessus project in any versions of Red Hat Enterprise Linux or its Fedora Core distributions.

Donald Fischer, senior product manager at Red Hat, noted that there are third-party Nessus packages available for download for Red Hat distributions.

"Not everything in our core distributions is licensed under the GPL, it just needs to be under an open source license," Fischer explained to internetnews.com.

"There are plenty of packages included in RHEL and Fedora that are under non-GPL open source licenses like the BSD licenses, Apache and Mozilla licenses, etc. 'GPL' does not equate one for one with 'open source.'"

That said, in Fischer's view the new Nessus is still not open source.

"The license that Nessus is switching to is not open source at all, so we would continue to not include it in our core distros going forward," Fischer said.

"But if Nessus wants to offer their future proprietary versions to run on RHEL or Fedora as a third-party proprietary application, that's fine -- just like Oracle offers proprietary apps that run on RHEL."

Debian GNU/Linux is also among those that see free and open source as being more than just the GPL.

"First of all, being GPLed or not isn't the sine qua non for distribution of a work by the Debian Project," Branden Robinson, Debian project leader, told internetnews.com. "What matters, if something is to be part of our official distribution, is whether the work is licensed in a way that is 'DFSG-free.'"

The Debian Free Software Guidelines (DFSG), originally drafted by Bruce Perens, are the basis of the Open Source Initiative's (OSI) Open Source Definition, the defining document of the open source movement.

Robinson explained that if Nessus adopts a non-DFSG-free license, it could not be part of a future official Debian release. However, if it is non-DFSG-free but permits anyone to redistribute it free of charge, and without registration or other onerous measures, Debian might distribute it as an unofficial add-on in the "non-free" repository.

Deraison, however, has a somewhat different view of where users will get the program from.

"Tenable's end-user license agreement does not allow the redistribution of our binaries, but not being in Linux distributions does not affect us much," Deraison said. "Since Nessus is continuously updated, most of our users download it directly from our Web site."

A Fork in The Road?

One attribute of the GPL is that the community or another vendor could "fork" Nessus development, using the GPL-licensed Nessus 2.0 version as a base.

Such a fork would in essence create a new GPL-licensed version of a Nessus-like product.

"We have no comment on this specific case, but one of the benefits of open source licensing is that it permits the creation of such a fork if the maintainer chooses to change licensing or move in a different direction than other members of the open source development community," Red Hat's Fischer said.

Debian's Robinson commented that he could not make a firm official statement on the matter, as it depends on how the Debian package maintainer feels about the situation. The Debian Project gives package maintainers a degree of autonomy over their respective applications.

However, Robinson did say that, "as part of its general philosophy, the Debian Project prefers Free Software to software that is not Free. More precisely, we favor DFSG-free software over the alternative."

"Debian could thus be construed to be generally supportive of any effort to keep the catalogue of Free Software from shrinking," Robinson said.

Regardless of what the community may or may not want to do, forking Nessus is neither feasible nor probable, at least according to Nessus' Deraison.

"Nessus 2.x is, and shall remain open source," Deraison said. "However, forking Nessus requires a significant effort -- the engine is GPLed but most of the plug-ins are not."

"As a result, one would have not only to maintain the engine, but also create from scratch a huge majority of the security checks and network protocol libraries."

Updates prior version to clarify Branden Robinson's quote regarding Debian Free Software Guidelines