Dailydave mailing list archives

Re: Re: bleeding nessus


From: Renaud Deraison <deraison () nessus org>
Date: Tue, 3 May 2005 18:10:49 -0700


On May 3, 2005, at 14:48, Gadi Evron wrote:

>> plugins which are in the CVS repository, I'm simply insulted by what
>> you're saying.
>
> I am insulted by much of what you are doing since the license change, so
> we're even.

What have I done to insult you? Is letting people know that I do not want
my work to be stolen insulting you? Or is it because I wrote GPL software
once and therefore you thought that I had the moral obligation to write
free code for the rest of my life?

To be frank, your attitude is exactly what sometimes makes me regret having
released Nessus to the public in the first place - there is a (very) small
minority of people out there who have never contributed anything to the
project, not even bug reports, and who think that the fact they use Nessus
gives them the right to govern my personal and professional life.


> And if one person committed 99% of the plugins, we are in a worse state
> than I figured.

Why? Because that means that there is one ruler who decides what goes in
and what does not? How many plugins that you or your friends wrote have
been rejected?

Don't you understand that accepting and committing a plugin is like keeping
an editorial line? If there is a very restricted set of people who have CVS
commit access, then that means you have the guarantee of a somewhat
consistent style in the reports. If anyone could commit his plugin, you
would end up with confusing and duplicated reports - two people would
commit plugins which check for the same flaw, some plugin would produce a
cryptic one-line output while others would give you too much info about
the flaw.


This is also why I've refused Matt Jonkman's suggestion of creating a
"Bleeding-Nessus" type of project: IT DOES NOT HELP THE END USER.
If you have two (or three, four, five, whatever) different plugin feeds,
what does the average user use to have a scanner which works? Only
one feed? A combination of feeds? What if there is an overlap between
the feeds? And what is the added value of another feed exactly? Why would
people contribute to a "100% non-Tenable" feed and not to the GPL feed?

We accept _any_ plugin submitted to us. What Ron said about the Microsoft
plugin is that we don't accept registry plugins for new checks because it's
extremely easy to write a bad MS plugin, but it takes a lot of time to QA
them (and also handle superseded patches and so forth). So we don't want
someone to write a cronjob that downloads MS Tuesday's patches and sends us
broken plugins which only contain:

    if ( hotfix_missing(name:"KB12345") )  security_hole()

and claim the credit for it.

Now, if you happen to reverse engineer a MS patch faster than we do and
come up with a non-intrusive way to check for a flaw, we'll commit that plugin
more than happily.



>> Please list the plugins whose (C) we have modified, please list the
>> websites that we have "squashed" with the original plugins, I'd be very
>> interested seeing them.
>
> I never said websites.

So at least list the plugins whose copyright we have stolen in such a nasty
way.

> I have a strong suggestion. How about I do take everything back, and you
> start a new community and mailing list, based on neutral territory? We
> can ask the guys at bleeding snort, whitehats or some of the sort to help.

See above: a plugin feed is like an editorial line. You need consistency in
the text, you need consistency in the way to check for a flaw and you need
consistency for the coverage.

Also, what makes you think that the guys at bleeding snort (who have never
contributed any plugin if I recall correctly) will be better at that job
than me? (who happens to have written Nessus, designed the NASL language
and has been bitten by so many side effects in the past that I can tell
which plugin will cause unwanted side effects or not). Experience is
definitely needed here.



> Then you can ask people to email their GNU plugins there, to be admitted
> to the CVS repository, and if you like them, you can take them into
> yours. That's how communities start - rather than by censorship.

Why would they email their plugins to bleeding snort rather than directly
to plugins () nessus org (private) or plugins-writers () list nessus org
(public)? What's the added value? If they submit the plugins to
plugins-writers@, where is the "censorship"? Which plugins have been
censored in the past?


> Then you, according to your claims, would be happy - and so would I.

Why would I want to make _you_ happy? My only relationship with you at this
point is that you have insulted me on a public list and you have privately
spammed a lot of subscribers to the Nessus mailing list in the past as you
tried to create an "alternative" Nessus community.

I mean, while we're talking about freedom and so forth, I'd better tell
everyone about it: when we announced the license change in the Nessus
plugins, you sent the following email, IN PRIVATE, to several Nessus
plugin writers, but not to me:

-----------[snip snip]---------------------
Sent: Monday, January 17, 2005 5:48 PM
Subject: nessus plugins and disclosure

Hello.

I have been approached by a couple of nessus plugin developers. They
seem to believe that with the new license for nessus, as well as with
the fact (as they see it) that nessus now releases only plugins they
create, there is a need for a mailing list where plugins can be shared.

Personally, other than being an end-user, I am not involved with the
nessus community. I have, however, created many trusted, closed and
open, online communities for security information sharing.

The two guys know me and they asked if I would be willing to try and
start a mailing list for such sharing regarding nessus.
------------[snip snip]--------------------

So I feel a bit weird about you asking^H^H^H^H^H^Hordering me to
have an open community when you actually attempted to take over
the plugin contributions without working with me in a constructive
way in the past.



> If a guy like John works for you, you can't be all bad. Maybe you should
> think of what I said, as well?

In addition to John, why don't you ask Nicolas Pouvesle what he has been
up to recently? Or George Theall? Or what about asking Michel Arboi if
Tenable has offered him anything for all the good work he's done on Nessus?

These guys are people who contributed to the project in such a constructive
way that I'm honored to be working with them, and if they have any issue
with the way things are being run, then I'm always listening to them
because they spent time and effort on the project - instead of simply
downloading it and insulting me.


                -- Renaud
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave