Is Open Source Nessus Closing Its Source?

The way that the open source software development process is supposed to
work is that users contribute to the greater whole, thus benefiting
everyone.

But it doesn’t always work that way.

A case in point is the popular Nessus vulnerability scanner, which is
moving away from the GPL license for its next version. Nessus is a widely
deployed tool that helps IT administrators identify vulnerabilities in their
networks.

Renaud Deraison started the Nessus Project in 1998, and in 2002 he
co-founded Tenable Network Security under which Nessus is currently
developed.

Deraison announced that Nessus 3.0 is set to debut in the next few weeks
and will not be licensed under the GPL, though it will be available free of
charge. The existing Nessus 2.0, which is licensed under the GPL, will
continue to be maintained under the GPL with bug fixes.

The 3.0 branch that
is not GPL-licensed will have major improvements and enhancements over its
predecessor that will make it “much faster than Nessus 2.0 and less resource-intensive.”

Among the reasons for the move away from the GPL are two issues that
traditionally open source advocates have touted as the license’s strengths,
namely community development and the “freedom” of code such that is can be
re-used and redistributed by anyone.

In a mailing list posting, Deraison commented that, “Virtually nobody has
ever contributed anything to improve the scanning engine over the last 6
years.”

Deraison also took aim at the GPL itself, which, in his opinion is not in
the competitive best interests of his firm.

“A number of companies are using the source code against us by selling
or renting appliances, thus exploiting a loophole in the GPL,” Deraison
wrote. “So in that regard, we have been fueling our own competition and we
want to put an end to that. Nessus3 contains an improved engine, and we
don’t want our competition to claim to have improved “their” scanner.”

The move away from the GPL may not necessarily have a significant effect
on its use by Linux distributions, though. Industry Linux leader Red Hat
currently does not include the Nessus project in any versions of Red Hat
Enterprise Linux or its Fedora Core distributions.

Donald Fischer, senior product manager at Red Hat, noted that there are third-party Nessus packages available for download for Red Hat distributions.

“Not everything in our core distributions is licensed under the GPL, it
just needs to be under an open source license,” Fischer explained to
internetnews.com.

“There are plenty of packages included in RHEL and Fedora
that are under non-GPL open source licenses like the BSD licenses, Apache
and Mozilla licenses, etc. ‘GPL’ does not equate one for one with ‘open
source.'”

That said, in Fischer’s view the new Nessus is still not open source.

“The license that Nessus is switching to is not open source at all, so we
would continue to not include it in our core distros going forward,” Fischer
said.

“But if Nessus wants to offer their future proprietary versions to run
on RHEL or Fedora as a third-party proprietary application, that’s fine —
just like Oracle offers proprietary apps that run on RHEL.”

Debian GNU/Linux is also among those that see free and open source as
being more than just the GPL.

“First of all, being GPLed or not isn’t the sine qua non for distribution
of a work by the Debian Project,” Branden Robinson, Debian project leader,
told internetnews.com. “What matters, if something is to be part of our
official distribution, is whether the work is licensed in a way that is
‘DFSG-free.'”

The Debian Free Software Guidelines (DFSG) are the basis of the Open
Source Institute’s (OSI) Open Source Definition originally drafted by
Bruce Perens, which is literally the defining document of the open source
movement.

Robinson explained that if Nessus adopts a non-DFSG-free license, it
would not be able to be part of a future official Debian release. However if
it is non-DFSG-free but permits anyone to redistribute it free of charge, and
without registration or other onerous measures, Debian might distribute it
as an unofficial add-on in the “non-free” repository.

Deraison, however, has a somewhat different view of
where users will get the program from.

“Tenable’s end-user license agreement does not allow the redistribution
of our binaries but not being in Linux distributions does not affect us
much,” Deraison said. “Since Nessus is continuously updated,
most of our users download it directly from our Web site.”

A Fork in The Road?

One of the attributes of the GPL is such that the community or another
vendor could perhaps “fork” Nessus development using the GPL-licensed Nessus
2.0 version as a base.

The fork then in essence would create a new GPL
license version of a Nessus-like product.

“We have no comment on this specific case, but one of the benefits of
open source licensing is that it permits the creation of such a fork if the
maintainer chooses to change licensing or move in a different direction than
other members of the open source development community,” Red Hat’s Fischer
said.

Debian’s Robinson commented that he could not make a firm official
statement on the matter as it depends von how the Debian package maintainer
felt about the situation. The Debian Project provides a degree of autonomy
to package maintainers about their respective applications.

However Robinson did say that, “as part of its general philosophy, the
Debian Project prefers Free Software to software that is not Free. More
precisely, we favor DFSG-free software over the alternative”

“Debian could thus be construed to be generally supportive of any effort
to keep the catalogue of Free Software from shrinking,” Robinson said.

Regardless of what the community may or may not want to do, forking
Nessus is likely neither feasible nor probable, at least according to
Nessus’ Deraison.

“Nessus 2.x is, and shall remain open source,” Deraison said. “However, forking Nessus requires a significant effort — the engine is GPLed but most of the plug-ins are not.”

“As a result, one would have not only to maintain the engine, but also
create from scratch a huge majority of the security checks and network
protocol libraries.”


Updates prior version to clarify Branden Robinson’s quote regarding Debian Free Software Guidelines

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web