Nessus no longer open source

Gayn Winters gayn.winters at bristolsystems.com
Thu Oct 6 09:04:38 PDT 2005


One of the highest rated open source security programs, nessus, will no
longer be open source.  Quoting from an email from Renaud Deraison
<rderaison at tenablesecurity.com> to nessus-announce at lists.nessus.org,

"Nessus 3 will be available free of charge, including on the Windows
platform, but will not be released under the GPL.

"Nessus 3 will be available for many platforms, but do understand that
we won't be able to support every distribution / operating system
available. I also understand that some free software advocates won't
want to use a binary-only Nessus 3. This is why Nessus 2 will
continue to be maintained and will stay under the GPL."

I'm not sure if Nessus 3 will be supported as a FreeBSD package.

Apparently the folks at Tenable feel that they have been supporting the
open source community but have been getting little back in plug-ins and
vulnerabilities and virtually nothing back on the scanning engine for
over six years. In fact, they have been slowly tightening their
licensing (cf.
http://mail.nessus.org/pipermail/nessus/2005-January/msg00185.html), and
it would appear that they can and will continue to tighten it over time.

Fyodor's analysis
(http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that
the open source community should take heed.  He provides a list of ways
to contribute to open source software projects.  While the list is
excellent, there are no new ideas in it.  The thing that seems germane
to the FreeBSD community is that ports, even extremely popular ones, are
vulnerable, since under the GPL the AUTHOR of the code is not bound by
the same restrictions that the users are.  I'm not a lawyer, but as I
understand it, the author can create a derived work of something under
the GPL and license the derived work (a "rewrite" in the case of nessus
3) and arbitrarily restrict it.  Given Renaud's claim that no one
contributed to the scanning engine, he seems to have every right to
create a new and closed version of it.

The moral here, if there is one, is that if you really like a port, then
you should contribute to it one way or another!

Comments?

-gayn
More information about the freebsd-questions mailing list