Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Call to participate: GNessUs security scanner
From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 11 Oct 2005 13:30:38 +0100

On Mon, 2005-10-10 at 22:07 -0400, security curmudgeon wrote:
All that said, my questions: Why do you see a need to fork the Nessus tree 
at this time? Why haven't you or anyone else contributed in the past? 
Finally, do you think that if more people supported Nessus with 
contributions of code/time/enhancements, that they would have kept things 
the same?

Very good questions here. Their main concerns appear to be the lack of
input from the community to the project and the fact that people sell
services and appliances based on Nessus, from what I've seen Ron Gula
say. Closing the source does *nothing* to address these problems. Since
Tenable are ultimately in control of the project, if they wanted to see
more participation then surely they could have tried asking first.
Making an announcement like this without any discussion does not show
them to be receptive to the help they complain didn't exist (they may
be receptive but this particular act doesn't demonstrate that). 

Many OSS projects are elitist and won't accept outside help also
security guys are notoriously arrogant, not saying that Nessus fit this
bill, but how do we know the Nessus developers need help if they don't
ask for it. Being OSS is great but you have to augment that with an
invitation for help if that is required to make the project a success.

Take attrition.org as an example of a project that needed help (not as
an example of OSS ;-). No one knew that they needed help (apart from
noticing the lack of updates) until a request was made publicly for
such help. Now there are people contributing to something because they
have found it useful in the past and want to keep it alive. Tenable
could have tried this tactic, if soliciting help was their main
concern. When the OSVDB needs a push to get work done what do you do ?
send mails asking people to move and thanking them for the effort.
Sadly some of us ignore these pleas because we just can't commit at the
time - but people do answer them and the job gets done.

Now that Nessus has the spotlight people such as the OP
(timb () gnessus org) are stepping up to offer something, disregarding any
personal gain reasons these guys are obviously interested in the
continuation of this project, enough so to take on the responsibility
for a fork. They *may* have done this if it was directly asked for,
then again they may not have but surely it is a logical first step to
try.

As for closing the source to prevent it being bundled, that makes no
sense at all. If the license was changed but the source code left
available, Tenable could legally require vendors to have permission to
bundle the software keeping the source open and achieving their goal.
Closing the source doesn't do anything to achieve this, Nessus can
still be bundled without the source. The fact that Nessus has been
bundled with an appliance has no relation to the availability of
source. It's a _licensing_ issue. There is nothing from a technical
standpoint stopping these same vendors bundling Nessus 3. Come to think
of it, no one bundles with source anyway, if they did then Tenable
wouldn't complain as they would be fully credited.

Tenables Complaints:

1. Competition bundle *compiled binaries* of our application - solution:
take away the source code and provide them with the binaries. Makes
no sense.

2. No one contributes - solution: take away the source code, now
they *can't* contribute. Makes no sense.

The real solution for point one could be licensing change, regardless of
source being available or not. Getting people to follow the license is
another battle, but closing the source doesn't prevent people bundling
the binaries that they have always been bundling.

The real solution for point two could be *ask for help!*


These reasons for closing the source don't add up. Nessus are now
committed to 2 products. This can only mean a decrease in productivity
all round as Tenables staff will have to take time out from working on
Nessus 3 in order to apply any patches submitted to Nessus 2.

Nessus 2 is going to be maintained but not developed, to me this will
eventually make it a useless product. Tenable want us to believe that
they will still maintain it, but obviously Nessus 3 will be higher
priority therefore Nessus 2 will be developed with an inferior model
than it has been previously. This makes it sound like a fork is a good
idea, but with at least 2 forks in planning already this divides the
Nessus community.

I wish Tenable luck in health and business but wished they could be
more honest about their motives here. At present I personally don't
believe their points are viable. (I also choose not to unfairly
speculate on what their real motives could be)


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3

Attachment: signature.asc
Description: This is a digitally signed message part

Attachment: smime.p7s
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault