Re: Tenable's license changes (and why the license changed)



Hi Robert (and list),

Ron replied to most of your questions, but I'll add my grain of salt to
a few items, because I think there is a strong misunderstanding between
what we're trying to do and what some users (like you) seem to perceive.


On Fri, Jan 21, 2005 at 04:28:44PM -0800, Robert Keith wrote:

> - Tenable granting themselves a special right to write non-GPL plugins
> sounds legally questionable.  If it is in fact legal, it still should
> have been made very clear to all Nessus users when they started this
> practice at the beginning of Tenable. This should also be clear when Nessus
> is downloaded and installed.  It is frightening to think that authors of GPL
> programs can secretly grant themselves rights to create non-GPL modules and
> then surprise the community demanding payment after everyone has unknowingly
> become dependent on the modules.

So by your reasoning, if I write a piece of software and give it away for
free to the community under certain conditions, I (the author of the
software) have to obey the exact same conditions regarding the use I want
to make of my own software developed by myself.

Interestingly, even gnu.org says that an author can dual-license his own work
- please see http://www.gnu.org/copyleft/gpl-faq.html#HeardOtherLicense
- meaning that an author does _not_ have to abide by the rules he set for
the software he writes.

If a third party wants to write non-GPL plugins, they have to ask the
copyright owner for permission, because otherwise they would be in
violation of the GPL; it's as simple as that. We granted ourselves the
authorization to distribute non-GPL plugins. End of story.

Regarding the demand for payment (or 'ransom' as you should have called
it), your statement is incorrect - plugins are GIVEN AWAY FOR FREE.

The main differences between _now_ and a pure GPL feed are:

(a) There is a delay between the time we write the plugins and the
time you get them FOR FREE;

(b) You have to respect some conditions regarding the use of the
plugins. For instance, you can not put them in a shiny appliance you
want to resell;

(c) The upside of this is that now that there are commercial customers
out there, you (as a free user) have the _guarantee_ that plugins will be
written and released in about 7 days for every new flaw. The reason is
simple: while we do not have SLAs in place for commercial customers
(it's not doable to commit to a timely delivery for any flaw which may
be disclosed in the future), we are committed to give the best possible
response time regarding plugin-writing, and that's what we've been
doing so far.
If we decide to not write a plugin for a given flaw, we have an internal
database explaining why, so our support team can explain to customers
why there's no check for a given flaw.

Also, most of the money made from the plugin feed goes back into research and
QA directly, which in turn makes us distribute better plugins.

So in a way, this new policy *benefits* everyone:

- You now have a nearly guaranteed seven-day delivery time for high quality
plugins, whereas in the past you had no guarantee AT ALL that we'd write
plugins on a given flaw, and if the plugins had been written under the GPL
there would be no guarantee that they work at all;

- We now have a very formal process to write plugins and we keep track of
the plugins which are written and the ones which won't be because
customers have the right to ask for an explanation of what goes in and
what does not;

- 7 days is still a very good time compared to other scanners out there;



> - Tenable's claim that they can pick between GPL and their own plugins when
> a collision occurs, is a clear conflict of interest.

So far, we only had one collision (a script submitted by Noam Rathaus
for a bug in a modest CGI script had already been written).

At the same time, there are a lot of things behind the scenes that you do not see:

- We QA and fix every plugin we receive under the GPL. For example,
this week David Maciejak submitted a plugin for 'awstats', and the plugin
he sent me was non-functional (the test was wrong) [I don't mean to pick
on David, I'm happy with most of his plugins].
I spent time testing and fixing the plugin so that it worked properly,
and I released it under the GPL _anyway_ (an evil me could have
rejected the plugin on the grounds it was incorrect, and rewritten a
functional version from scratch);

- We _maintain_ every GPL plugin we receive. We receive bug reports and
fix the plugins. We improve the plugins. We keep them up-to-date if
they need to be;

- We _keep_ the GPL status even when we end up re-writing them. For
instance, Nicolas re-wrote a bunch of Anti-Virus plugins from scratch
last week (because they had become too hard to read and did not fit with
the new versions of Norton and McAfee AV). Every plugin _rewritten from
scratch_ has been released under the GPL, with NO delay.
In the same vein, a few months ago I re-did nearly all the smb_nt_* plugins
with the new smb_hotfix.inc API, and I left the copyright to the
original authors of the plugins;


That being said, there is one thing I'd like to point out: we did NOT
change the way the plugins are being released in order to hurt users or
to make piles of money. And it's not a "ransom" either - plugins are
available for free.


We changed the plugins license because there is an imbalance between
what we contribute and what the rest of the community contributes. Basically,
Tenable (and myself, that's the same thing) contributes a _huge_ chunk
of the plugins. Like 70% of them.  (and don't get me started on the
Nessus _engine_).

If you define Tenable, Michel Arboi, David Maciejak, George Theall and
Noam Rathaus as a single group, you're talking about over 95% of the
plugins. That goes against the perception that "open-source" is a
million little elves coding for free all the time, doesn't it?

At the same time, I'll let you count the number of companies out there who
resell Nessus with a nice web interface on top of it. They are much more
numerous than the full list of plugin contributors!

So if people take the license change of the feed as a good incentive to
_write_ good quality plugins (1) and submit them to us, then that's cool.
If that prevents these companies from reselling Nessus because they have
few plugins for it, that's cool too.

We're fed up with doing most of the work and letting many companies not only
profit from our efforts, but also actively fight against us (or me personally
as it happened in the past).
I'm fed up of seeing companies bill their customers for "plugin updates" for a
much higher price than $1,200 per year, when all they do is simply mirror
www.nessus.org/nasl/all-2.0.tar.gz and resell it to their users (without any QA
on them by the way, I have a funny anecdote about that). And I'm fed up of
seeing all these companies take _my_ work, rebrand it, and claim it as
being their own technology.

For Christ's sake, go to <http://www.predatorwatch.com/Public.ppt>, go to
page 20 and compare the output of their sample plugin with webdist.cgi
(plugin#10299) - it seems that someone out there mastered the
almighty 'sed s/Nessus/PredatorWatch/g' command. 

Or go to <http://www.securityspace.com/smysecure/last30.html> and see
how their ambiguous wording makes the average user think that SecuritySpace
actually wrote the checks themselves.

Or go to <http://www.stillsecure.com/products/vam/> and once again, see
how their ambiguous wording makes the average user think _they_ are
writing new checks and wrote their own vulnerability scanner.

Or there is a company out there which - during their training classes -
explains to their prospects that they fix the Nessus source code,
because I'm a very naughty person and could insert backdoors and malware
in my code (and they are careful enough to only say it verbally, which
is why I don't mention their name in public).


And this is the tip of the iceberg.


So now, having seen a slightly larger part of the picture, please, oh
please, give me your magical recipe to continue improving Nessus and
writing better plugins while:

 - not helping these guys as much as a full GPL feed would;
 - avoiding hurting most of the Nessus users;
 - making sure this development makes sense for us commercially;


From a business perspective, we could have done things which are much
more ugly than publishing plugins under a non-GPL license - believe me -
but we may have overlooked some items - so feel free to let me know what
your ideas would be.


> - Tenable's claim that they are distributing plugins for free is not
> correct.  They are forcing people to agree to a very restrictive non-GPL
> contract.  Giving up rights is not free.

You're absolutely correct in your last statement: giving up rights is
not free. The thing is that when people talk about a copyRIGHT, it's
because in most countries, there is a _right_ regarding the use,
distribution and copying of intellectual works, and the GPL actually
_gives up_ some of these rights. So yes, releasing programs under the
GPL has a cost for us.

That being said, Tenable plugins are available for FREE, as in free
beer. I know the English language is a bit limited in that area, but if
we ever do a French version of the Nessus web site, rest assured that
we'll say the plugins are available "gratuitement".

[...]
> - New plugins should be GPL.  I think that most users would pay a fair price
> to get the latest tested plugins.  I think if users feel that they are being
> charged a fair price for a great product they will pay.  Tenable can still
> hold new plugins for 7 days, which would be a major value to corporate
> Nessus users.

You do not seem to understand what the GPL is. If that were the case,
then anyone could subscribe to the plugin feed for $1,200 per year, and
give it away to the rest of the community for free. And that does not address
the problems mentioned above.


				-- Renaud


(1) If you set up a cronjob to send us a non-working plugin every time a new 
BID surfaces, then we'll have to reject your plugins.
