Dailydave mailing list archives

Re: Sourcefire Acquired by Check Point Software


From: Frank Knobbe <frank () knobbe us>
Date: Sun, 09 Oct 2005 04:47:34 -0500

On Sat, 2005-10-08 at 20:59 -0700, Renaud Deraison wrote:
> There are several loopholes on many levels:

The GPL is specifically written to ensure that the software is free to
all users. Quote: "When we speak of free software, we are referring to
freedom, not price."

> (a) You can take any GPL software, put it as-is on an appliance, call
> your appliance the "FOOBAR 3000" and sell FOOBAR 3000 Scanners all
> over the place. You therefore hide any credit to the original program
> you took and nobody knows that your FOOBAR 3000 is using (Nessus|Snort|.*)

Yes, that's a problem, but not a loophole. I'm not a lawyer, but as far
as I can see, nothing in the license prohibits using the software to
perform a service, and then charge for the service. As long as you make
the source code available so that others can provide the same service,
it's not in violation.

> (b) You take any GPL software, make substantial changes to it, and
> "rent" the appliance to your customers. You're not obligated to give
> the source code to your customer.

You don't rent software, much in the same way you don't rent an idea.
(You could "license" use of it, but that is clearly forbidden by the GPL
license.)
Software can be copied. You can not charge for the software, or any
derivative of it. The appliance enables the software to function. It's
hardware. Surely you can rent hardware. You can even sell hardware! As
long as the software is free. The point is that if I don't want to buy
or rent the product, I can always get the software for free and run it
myself. That's *precisely* why you would offer someone Nessus for free, so
that they don't buy or rent it from the competition.

On one hand you have the software, free; on the other hand you have a
product that contains the software, and perhaps even comes with support.
The fact that some people pay money for the appliance with support
instead of asking for a free copy of the software is nothing you can
prevent, and is not governed by the GPL.

> (c) You take any GPL software which produces content, and wrap a
> web-based management GUI which does not link to it per se, but uses the
> results. Now the GPL is very fuzzy about the output of the program.
> It actually says the following:
>
> << The act of running the Program is not restricted, and the output
> from the Program is covered only if its contents constitute a **work**
> based on the Program (independent of having been made by running the
> Program). Whether that is true depends on what the Program does. >>

Yup, it is indeed fuzzy. Section 2b says:
"b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any part
thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License."

One might think that "work" is any result of using the software. But I
don't think that's the case. The license says:
"3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
[...]
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source code
means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to control
compilation and installation of the executable.[...]"

While work is not explicitly defined, it appears that "work" is a
program that is based on the original (new code, a GUI wrapper perhaps)
or includes the original (as in inclusion/use like a library/subscript).
Work does not mean "printout" or (specifically in your case) a PDF of
printed results of a vuln scan. That's exactly why it refers to "running
program". A GUI wrapper around original work, that hides the original,
is forbidden (unless the original is interactive in which case the
original is visible to the user). But the results (a sorted table of
data, for example) are not a "work" and thus not protected.


I don't think the GPL prohibits people from *using* Nessus and charging
for the act of using it and creating reports from it. The GPL would
prohibit someone from sticking Nessus on an appliance "and *not
providing* the source code, appliance config, scripts, and other
derivatives" of Nessus. But they can certainly sell you the appliance
and give you Nessus for free on top of the appliance, or use Nessus to
provide a service. As long as the client has the ability to receive the
same program free of charge from you to perform the service himself,
there should be no GPL violation. Remember, the GPL is to prevent
oppression of free software through intellectual property claims,
trademarks or patents.

The tricky question at hand is: If Nessus 3 is a work/derivative of
Nessus 2, aren't you required to comply with the GPL and keep the
derivative free of charge too?
Only a complete rewrite (including not using old libraries you wrote for
Nessus 2) would seem to allow for a change of license.

Cheers,
Frank
