RE: Tenable's license changes
Hello Ron (and list),
I think you've thoroughly answered all the questions. The only question I
have, which I'm sure Tenable fully considered before the change, is the
"SCO" question, in reverse. Ultimately, your ability to change from GPL to
a Tenable license is based on the concept of copyright ownership. Hopefully
all parts of Nessus that Tenable is now licensing outside of GPL were
developed independently by Tenable exclusive of GPL-protected work. I'm
confident that Tenable will have performed due diligence to ensure that this
is the case. While it is unfortunate that the licensing change is
necessary, it seems pretty obvious that business drivers required such a
decision, even if it somewhat irritates the open-source community. C'est la
vie.
cheers,
-ben
---
Benjamin Tomhave, CISSP
falcon_at_secureconsulting.net
http://falcon.secureconsulting.net/
"We must scrupulously guard the civil liberties of all
citizens, whatever their background. We must remember
that any oppression, any injustice, any hatred is a
wedge designed to attack our civilization."
-President Franklin Delano Roosevelt
> -----Original Message-----
> From: nessus-bounces_at_list.nessus.org
> [mailto:nessus-bounces_at_list.nessus.org] On Behalf Of Ron Gula
> Sent: Friday, January 21, 2005 9:41 PM
> To: nessus_at_list.nessus.org
> Subject: Re: Tenable's license changes
>
> Hi Robert,
>
> At 07:28 PM 1/21/2005, Robert Keith wrote:
>
> >I am surprised to see that there has not been more discussion of the
> >plugin update changes implemented by Tenable January 1.
>
> There was much discussion about this on this mailing list
> late last year.
>
> >- Tenable's claim that distributing plugins with a 7 day delay does no
> >harm to the user community is not true. This cripples the
> >GPL solution.
>
> We continue to receive GPL plugins and release these under
> the GPL plugin feed. For GPL submissions that conflict with
> vulnerabilities we currently are writing for, we don't accept
> those. This happens very rarely.
>
> >- Tenable granting themselves a special right to write non-GPL plugins
> >sounds legally questionable. If it is in fact legal, it still
> >should have been made very clear to all Nessus users when they started
> >this practice at the beginning of Tenable. This should also be clear
> >when Nessus is downloaded and installed. It is frightening to think
> >that authors of GPL programs can secretly grant themselves rights to
> >create non-GPL modules and then surprise the community demanding
> >payment after everyone has unknowingly become dependent on the modules.
>
> Anyone who writes code and owns the code can attach whatever
> licenses one needs to do this. This is exactly how MySQL and
> other open source projects can do this.
>
> >- Tenable's claim that they can pick between GPL and their own plugins
> >when a collision occurs, is a clear conflict of interest.
>
> It's not a conflict of interest from our point of view. Just
> because someone submits code, plugins, documentation to the
> project, etc., does not mean it has to be used. We've
> rejected plugins and code in the past because they were
> horribly written for example. We've also said that we are
> committed to keeping up to date with the latest
> vulnerabilities, staffing the appropriate R&D resources and
> maintaining relationships with the various OS and network vendors.
>
> >- Tenable's claim that they are distributing plugins for free is not
> >correct. They are forcing people to agree to a very restrictive
> >non-GPL contract. Giving up rights is not free.
>
> There is no monetary charge for the registered feed, however,
> many of Tenable's competitors no longer have ambiguous
> methods to distribute Nessus and make a profit off of it. And
> yes, the license is more restrictive than before, but we are
> not forcing anyone to use Nessus any more than people are
> forcing us to keep it up to date.
>
> >- Tenable's method of announcing this drastic change was insufficient.
> >My guess is that much of the user community is still not
> >aware of the changes.
>
> 1. we changed the web site
> 2. we announced it on this mailing list
> 3. we gave interviews to several leading network security
> magazines as well as some of the top newspapers. I can't
> control what they say.
> 4. we briefed Gartner, Morgan Stanley and several other analysts
> 5. we exhibit at trade shows like SANS, CSI, etc.
>
> If you have other suggestions, please let me know. I'd like
> to tell as many people about the change as possible.
>
> >- Tenable's claim that they deserve compensation because of all the
> >free work they have done in the past is suspect if the plan all along
> >was to lock people into a system and then start charging for it.
>
> Our plan was to make it more difficult for competing vendors
> to make use of Nessus in their commercial products. Tenable
> has a wide variety of commercial technology that complements
> Nessus, but has nothing to do with it such as the NeVO
> passive scanner. If we really wanted to force people to spend
> money with us for Nessus, we would not be doing things like
> maintaining NessusWX, allowing downloads of the class C NeWT
> scanner (30,000 people) at no charge and giving away a set of
> plugins that even at seven days old, puts to shame a lot of
> the commercial vulnerability products out there.
>
> >- Tenable has not been forthcoming about what they are trying to
> >achieve with this change.
>
> We don't want competitors of Tenable to use Nessus.
>
> >Are they simply trying to get paid?
>
> It is nice to get some money from the Nessus users out there,
> but Tenable's focus has always been large/medium enterprise customers.
>
> >Are they trying to drive their competitors out of business?
>
> Changing the plugin feed really hurts some of our competition
> which basically take Nessus, add a GUI and then call it
> product. Some of the GUIs are really nice too, but it's still
> Nessus doing the scanning. I think there is enough business
> in this economy for many companies to succeed, so I'm not
> going to say they should go out of business. However, it
> levels the playing field tremendously.
>
> >Is Tenable trying to support
> >certain business models and not others, for example are they trying to
> >drive software vendors out of business but support consulting companies?
>
> We gave this a lot of thought, as we didn't want to really
> hurt the consultants.
> What floors us, is that there are consultants out there that
> are totally dependent on Nessus for their vulnerability
> scanning. I'm talking about the 'little guy'
> consultants as well as the big ones. Many of these guys make
> a lot more money than $1200/year and they object to the charge.
>
> >All of this said, I am sympathetic to the claim that Tenable should be
> >compensated for all the hard work they have done and continue to do.
>
> Most people feel the same way, however, they greatly differ
> in the amount of compensation. The overall response we've had
> is that $1200/year per scanner is pretty cheap and we should
> have charged
>
> > The
> >ideal situation would be to guarantee revenue for Tenable for the
> >valuable services they provide and also guarantee the Nessus project
> >continue to grow.
>
> This accurately describes the current situation. However, you
> don't go as far to say that Nessus should not be used to harm
> Tenable's well being.
>
> > This would be in everybody's best interest. Nessus is a critical
> >resource.
>
> If it is a critical resource, people should not object to
> paying for how we have the plugins being distributed.
>
>
> >In my humble opinion
> >
> >- Any new policy should not affect history. The plugins that were
> >developed before January 1 should be GPL, like most people assumed they were.
>
> Most people didn't seem to be bothered that Tenable was
> writing most of these plugins anyway. We feel that Nessus
> users felt there was a vast army of contributors to Nessus
> when in fact there weren't.
>
> >- $1200 per year per scanner seems high.
>
> Based on what? Have you looked at the price of a managed
> service vulnerability scan, or get a quote for a commercial
> vuln scanner? Without the $1200 feed, your scanner is almost
> as good as any other commercial scanner for free.
>
> >I would guess that for $1M per
> >year a small team of programmers should be able to develop, test and
> >release new plugins as well as maintain and upgrade the existing
> >library. This revenue would be generated by about 1000 licenses.
> >There are clearly many more than this. If Tenable extracts huge
> >profits from writing plugins, they will attract competitors which
> >will cause the plugin market to fragment (I use vendor X's library,
> >you use vendor B's) which will work to no one's benefit.
>
> Although Nessus is an open source project, Tenable's business
> practices are not. If I told you that we had far less than
> 1000 users, we could argue charging a higher price than
> $1200. If I told you we made enough to pay for R&D of Nessus,
> we could charge less. Anything I say here can be used against
> Tenable, so we are not publicly saying how much or how little
> we are generating in revenue.
>
> >- New plugins should be GPL.
>
> Why? We've actually had people not submit plugins to the
> Nessus project because they reject GPL altogether in favor of
> FreeBSDish licences. We don't want to maintain a variety of
> non-Tenable feeds.
>
> > I think that most users would pay a fair price to get the latest
> >tested plugins.
>
> What is a fair price? We feel that $1200 per scanner is very
> affordable.
>
> >I think if users feel that they are being charged a fair price for a
> >great product they will pay.
>
> We feel this is the situation.
>
> > Tenable can still
> >hold new plugins for 7 days, which would be a major value to corporate
> >Nessus users.
>
> A large number of people who have registered for the 7-day
> delayed feed are from corporations. Some of these folks even
> pay for the $1200 direct feed. Some even buy our commercial products.
>
> >If Tenable continues with the program as currently constituted, I see
> >serious problems developing.
>
> Why?
>
> Ron Gula, CTO
> Tenable Network Security
>
> _______________________________________________
> Nessus mailing list
> Nessus_at_list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>