Dailydave mailing list archives
Re: Sourcefire Acquired by Check Point Software
From: Frank Knobbe <frank () knobbe us>
Date: Sun, 09 Oct 2005 04:47:34 -0500
On Sat, 2005-10-08 at 20:59 -0700, Renaud Deraison wrote:
There are several loopholes on many levels :
The GPL is specifically written to ensure that the software is free to all users. Quote: "When we speak of free software, we are referring to freedom, not price."
(a) You can take any GPL software, put it as-is on an appliance, call your appliance the "FOOBAR 3000" and sell FOOBAR 3000 Scanners all over the place. You therefore hide any credit to the original program you took and nobody knows that your FOOBAR 3000 is using (Nessus| Snort|.*)
Yes, that's a problem, but not a loophole. I'm not a lawyer, but as far as I can see, nothing in the license prohibits using the software to perform a service, and then charge for the service. As long as you make the source code available so that others can provide the same service, it's not in violation.
(b) You take any GPL software, make substantial changes to it, and "rent" the appliance to your customers. You're not obligated to give the source code to your customer.
You don't rent software, much in the same way you don't rent an idea. (You could "license" use of it, but that is clearly forbidden by the GPL license.) Software can be copied. You cannot charge for the software, or any derivative of it. The appliance enables the software to function. It's hardware. Surely you can rent hardware. You can even sell hardware! As long as the software is free. The point is that if I don't want to buy or rent the product, I can always get the software for free and run it myself. That's *precisely* why you would offer someone Nessus for free, so that they don't buy or rent it from the competition. On one hand you have the software, free, in the other hand you have a product that contains the software, and perhaps even comes with support. The fact that some people pay money for the appliance with support instead of asking for a free copy of the software is nothing you can prevent, and is not governed by the GPL.
(c) You take any GPL software which produces content, and wrap a web-based management GUI which does not link to it per se, but uses the results. Now the GPL is very fuzzy about the output of the program. It actually says the following :
<< The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a **work** based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. >>
Yup, it is indeed fuzzy. Section 2b says:
"b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License."
One might think that "work" is any result of using the software. But I don't think that's the case. The license says:
"3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: [...] The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable.[...]"
While work is not explicitly defined, it appears that "work" is a program that is based on the original (new code, a GUI wrapper perhaps) or includes the original (as in inclusion/use like a library/subscript). Work does not mean "printout" or (specifically in your case) a PDF of printed results of a vuln scan. That's exactly why it refers to "running program". A GUI wrapper around original work, that hides the original, is forbidden (unless the original is interactive in which case the original is visible to the user). But the results (a sorted table of data for example) are not a "work" and thus not protected.
I don't think the GPL prohibits people from *using* Nessus and charging for the act of using it and creating reports from it. The GPL would prohibit someone from sticking Nessus on an appliance "and *not providing* the source code, appliance config, scripts, and other derivatives" of Nessus. But they can certainly sell you the appliance and give you Nessus for free on top of the appliance, or use Nessus to provide a service.
As long as the client has the ability to receive the same program free of charge from you to perform the service himself, there should be no GPL violation.
Remember, the GPL is to prevent oppression of free software through intellectual property claims, trademarks or patents.
The tricky question at hand is: If Nessus 3 is a work/derivative of Nessus 2, aren't you required to comply with the GPL and keep the derivative free of charge too? Only a complete rewrite (including not using old libraries you wrote for Nessus 2) would seem to allow for a change of license.
Cheers,
Frank