Date: Tue Oct 11 18:07:31 2005
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Call to participate: GNessUs security scanner

On Mon, 2005-10-10 at 22:07 -0400, security curmudgeon wrote:
> All that said, my questions: Why do you see a need to fork the Nessus tree 
> at this time? Why haven't you or anyone else contributed in the past? 
> Finally, do you think that if more people supported Nessus with 
> contributions of code/time/enhancements, that they would have kept things 
> the same?

Very good questions here. Their main concerns appear to be the lack of
input from the community to the project and the fact that people sell
services and appliances based on Nessus, from what I've seen Ron Gula
say. Closing the source does *nothing* to address these problems. Since
Tenable are ultimately in control of the project, if they wanted to see
more participation then surely they could have tried asking first.
Making an announcement like this without any discussion does not show
them to be receptive to the help they complain didn't exist (they may
be receptive but this particular act doesn't demonstrate that). 

Many OSS projects are elitist and won't accept outside help; also,
security guys are notoriously arrogant. Not saying that Nessus fit this
bill, but how do we know the Nessus developers need help if they don't
ask for it? Being OSS is great but you have to augment that with an
invitation for help if that is required to make the project a success.

Take attrition.org as an example of a project that needed help (not as
an example of OSS ;-). No one knew that they needed help (apart from
noticing the lack of updates) until a request was made publicly for
such help. Now there are people contributing to something because they
have found it useful in the past and want to keep it alive. Tenable
could have tried this tactic, if soliciting help was their main
concern. When the OSVDB needs a push to get work done what do you do?
Send mails asking people to move and thanking them for the effort.
Sadly some of us ignore these pleas because we just can't commit at the
time - but people do answer them and the job gets done.

Now that Nessus has the spotlight, people such as the OP
(timb@...ssus.org) are stepping up to offer something. Disregarding any
personal gain reasons, these guys are obviously interested in the
continuation of this project, enough so to take on the responsibility
for a fork. They *may* have done this if it was directly asked for,
then again they may not have, but surely it is a logical first step to
try.

As for closing the source to prevent it being bundled, that makes no
sense at all. If the license was changed but the source code left
available, Tenable could legally require vendors to have permission to
bundle the software keeping the source open and achieving their goal.
Closing the source doesn't do anything to achieve this, Nessus can
still be bundled without the source. The fact that Nessus has been
bundled with an appliance has no relation to the availability of
source. It's a _licensing_ issue. There is nothing from a technical
standpoint stopping these same vendors bundling Nessus 3. Come to think
of it, no one bundles with source anyway, if they did then Tenable
wouldn't complain as they would be fully credited.

Tenable's Complaints:

1. Competitors bundle *compiled binaries* of our application - solution:
take away the source code and provide them with the binaries. Makes
no sense.

2. No one contributes - solution: take away the source code, now
they *can't* contribute. Makes no sense.

The real solution for point one could be licensing change, regardless of
source being available or not. Getting people to follow the license is
another battle, but closing the source doesn't prevent people bundling
the binaries that they have always been bundling.

The real solution for point two could be *ask for help!*


These reasons for closing the source don't add up. Nessus are now
committed to 2 products. This can only mean a decrease in productivity
all round, as Tenable's staff will have to take time out from working on
Nessus 3 in order to apply any patches submitted to Nessus 2.

Nessus 2 is going to be maintained but not developed; to me this will
eventually make it a useless product. Tenable want us to believe that
they will still maintain it, but obviously Nessus 3 will be higher
priority, therefore Nessus 2 will be developed with an inferior model
than it has been previously. This makes it sound like a fork is a good
idea, but with at least 2 forks in planning already this divides the
Nessus community.

I wish Tenable luck in health and business but wish they could be
more honest about their motives here. At present I personally don't
believe their points are viable. (I also choose not to unfairly
speculate on what their real motives could be.)


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3