StillSecure Rejects Terms Of GPL

Thomas Ptacek | June 2nd, 2007 | Filed Under: Uncategorized

Shimel, who really ought to shut up about the licenses on the open source packages his company routinely pillages, on GPLv3:

Of course then there will be the Thomas Ptaceks of the world, who don’t care what the lawyers or courts say and believe that if you at all package GPL licensed software with your software, your software should be free too.

Stallman, who really ought to talk more about the open source licenses he is the architect of, on the GPLv3:

both GPLv2 and GPLv3 are copyleft licenses: each of them says, “If you include code under this license in a larger program, the larger program must be under this license too.”

Why do I care? Because companies like StillSecure are driving open-source projects “underground”, into proprietary licenses. Wow, that sucks.

Shimel is whoring for blog hits on this issue. In this case, I’m happy to oblige. Can your company explain what you’re giving back to the projects you’re exploiting?

    That's interesting. I can't find where Shimel is wrong in that brief quote, nor can I find where Stallman is wrong, either. GPL v2 (I haven't read v3) simply states that you must be open if you ship code that is "based on" the work. While I appreciate the simplicity of the GPL, I don't find that "based on" term particularly defensible for either perspective. I've thought for the longest time that the GPL "contract" is borderline unconscionable, and discussions like this are simply a symptom of that purposeful vagary.

    Let me make sure I understand. From your standpoint, if Checkpoint wants to make an appliance that uses their closed source Security Widget software, and they use "GNU/Linux" as the OS for that appliance, they then have to open the source for their Security Widget software?

    I'm also interested to know what exactly you're accusing StillSecure of. "Driving projects underground" sounds wonderfully sensationalist, but what exactly do you mean?

    Do you have details on the perceived infringement (http://www.gnu.org/licenses/gpl-violation.html)?

    If you haven't already, when do you plan to report StillSecure to license-violation@gnu.org?

    Are the Shimel and Stallman links reversed for some irony that I'm not picking up on?

    But I see you have now conceded my point that Snort is no longer really GPL.

    So who cares if StillSecure uses Snort? If they change the Snort code, they will give that away right? It's Sourcefire that cares. Marty and company picked the GPL, and now they've got the open source remorse. Sourcefire doesn't want anyone to commercialize it *but themselves*.

    Sure, it's their code, who is more deserving of commercializing it, right? Fine. But why did they pick the GPL then?

    So who's the bastard who took your GPL Snort, Nessus, and nmap away from you? Is it the companies that compete with the commercial versions of those projects with their own code? Or is it those companies themselves that sucked up all the GPL goodwill, and now want to be the only ones to capitalize on it?

    Did they drop the GPL because they don't like competition? Did they drop it because "no one was contributing back"?

    What did they have to do to be able to re-proprietize the code? They had to drop or swipe all the contributions from everyone else who thought they were contributing to a project that was GPL. Way to encourage contributions.

    So who exactly are the ones screwing up the GPL?

    Also, when you say "your company" are you talking to StillSecure, or all of us? My company BigFix has licensed nmap from Fyodor under his proprietary license.

    Can you say latecomer? Alan needs a history lesson in GPL and what it means by derivative works.

    To clarify, I'd like to see a certification that StillSecure has not changed a single line of the Snort code since I haven't seen any patches from them hitting the Snort repository, right?

    If Alan's changed even a single line of Snort code, added his own, linked with the executable, etc., he's already in trouble even without Marty's interpretation of the Snort license. But that's not the case, right? Of course he's being honest in claiming only the "installer is derived work" interpretation affects him, right?

    But then what are StillSecure customers buying if it's a bone-stock Snort distribution packaged into a nice installer?

    Sourcefire should just pucker up and give Snort a TRUE dual license, or change the license completely to clearly document how Snort can and cannot be used rather than rely on GPL clarifications.

    Then I hope to see a fork, preferably as a collaboration of independent developers as well as vendors that make use of Snort and Bleeding to step up and be the official ruleset.

    Hmm, maybe I'll do this with Snort 2.6 as a base.. I'll call it blow, or pigfuqer... Blog about it if interested.

    I'm not sure how I conceded that Snort, which is clearly licensed under the GPL, isn't GPL'd.

    Look, it's this simple: if you pick up GPL source and use it in your products, you are obligated to propagate your changes to that product back upstream. There are companies that don't honor this term.

    If you build a product around GPL source --- for instance, as the detection engine in an "IPS" --- you are obligated to license your own product with the GPL. There are companies that don't honor this term.

    Face it, Thomas -- the GPL is dead, and version 3 is not going to help.

    There are so many companies routinely violating it that its intrinsic value is fading off like crazy. That has nothing to do with StillSecure, but with the IT industry as a whole. Look at the number of network printers embedding Samba, for instance -- how many vendors let you know about it? When was the last time you bought a device with a sticker saying that it contains GPL software? (Apart from Linksys, which has been strong-armed into doing so.)

    Thanks to all these companies, GPL software is no better than public domain, in spite of what the license says. Look at BigFix's Ryan Russell here on your blog: he considers that GPL software is being developed so that other companies can resell it -- as if that was the sole goal!

    Of course you can find exceptions -- the Linux kernel is actively getting contributions from the big 5 IT vendors out there, for instance, but that's because they decided that it was in their best interest, not because they give a damn about the GPL. How many appliances out there contain the kernel and let you know about it? Same question for Samba, the shell tools, BusyBox, Perl, etc...

    So stop beating that dead horse! When you buy ofts products with GPL software in them, don't expect to see the source code and don't expect your money to contribute to any of that software.

    Nigel, not sure it's going to be productive to debate the meaning of the GPL with someone who doesn't even believe in the merits of the GPL.

    I think this is pretty simple: if you want to allow companies to build proprietary products off your code, you BSD or MIT license it. If you are concerned that people are going to hijack your code and make proprietary, non-free extensions to it, you use the GPL. THAT IS THE WHOLE POINT OF THE GPL.

    Your example is specious. Shipping a product on Linux, without modifying or extending Linux, is "conveying an aggregate" --- a package --- and it's specifically, explicitly allowed in both versions of the GPL, because without that exception, you couldn't ship Linux distributions with non-GPL software on it.

    Writing C code that extends, modifies, or repurposes Snort and then selling that as a proprietary, non-free IPS product is different than simply packaging Snort on a Linux box.

    SourceFire doesn't need my help enforcing their license, for what it's worth.

    It all depends on how you USE the GPL piece of software. There are cases that don't require you to GPL your product, the GPL allows for this, and the GPL FAQ helps clear it up for many users. Some Snort integrators actually fall into this case, and others clearly don't.

    "Writing C code that extends, modifies, or repurposes Snort and then selling that as a proprietary, non-free IPS product is different than simply packaging Snort on a Linux box."

    But that is how some of these products do it..

    We should be more concerned about those that use Snort as an engine that don't publicize it. You are more likely to find real violations there.

    If you extend Snort --- for instance, to make it do some kind of post-admission NAC pet trick --- you've just created an open-source GPL'd NAC solution. Congratulations! Publish your code now please.

    Joe,

    If this discussion is a "dead horse" (and it's hardly dead) tom's not the one beating it. I'd say you're just on the wrong end of the horse.

    Linksys has certainly been debated up and down. But just remember you're the one that invoked that name ;). That said... let's talk about Linksys...

    Trying to paint Linksys as a fringe case is misleading, if not outright backwards, in the context of statements proclaiming the death of the GPL.

    First off, there are quite a number of companies besides Linksys that have adopted distributing GPL-derived software for their embedded systems. Others include Asus, Netgear, and D-Link, just to name a few other names in the consumer router product space.

    These are all examples of the GPL being upheld and the results have hardly led to a decline. Instead they should serve as case examples for all newcomers of why not to violate, and what's to be gained by honoring.

    -Eric

    Allow me also to use Linksys as an example for a counterpoint. I know... been covered up and down. But here we are again, and this needs to be said.

    First off, calling it "strong-arming" is at best, another half truth.

    It's pretty widely viewed that the Linksys product line as a whole greatly benefited once they did better by the GPL.

    After Linksys and others came out of the closet, they seem to have realized they could further leverage GPL code and open-source participation. Even do so with a clean conscience!

    It happens that around the same time, SOHO router products suddenly implemented a lot of new features like file sharing, media services. The list goes on.

    There have certainly been a few more GPL bumps in the road, but overall, everybody has been better off.

    Another interesting note: around the time Linksys was acquired by Cisco, the famous WRT54X product line was, for some reason, revamped to use VxWorks on a significantly less robust hardware platform than its GPL predecessors. Speculations on the internal Cisco/Linksys business reasons for this move aside, suffice to say that doing so not only lost them a lot of the cred in their brand new open-source following, but doubled to cripple what had previously become a very successful product line.

    Not only were the VxWorks-based WRT54X'en... well, kind of lame, but shortly after they came out they started coming up with security holes that were strikingly similar to those that had been fixed years before in their older siblings. Funny that.

    Some advice:
    If you're out shopping for a new broadband router, do some homework and make sure you're looking at an older rev of the WRT54. If you can't find one, just buy another Linksys, Buffalo, Netgear or Asus that is still based on the GPL firmware. That is, unless you want to find yourself hitting reset every few days.

    I happen to have a bunch of the newer WRT's laying around in various states of brokenness and hackage. All freebies from helping friends and family replace these turds with better devices.

    Actually, I don't think a better advert FOR the GPL can be cited than the story of these companies' embedded Linux-based devices and the events that led to them honoring their GPL obligations.

    Be more careful whose name you invoke on your GPL death sentence next time.

    -Eric

    Like I've been saying. The GPL is a very complicated license. I don't think most people understand it, I know I don't.

    Tom: You said "Because companies like StillSecure are driving open-source projects “underground”, into proprietary licenses." I ASSumed that means you now believe that Snort is under a proprietary(-ish) license. I may have read too much into that, I guess.

    WTF? Snort's not GPL anymore? First I've heard of it. Did I miss something?

    I had no idea that nmap was under a "clarified" GPL until just now. I would agree with Ryan that, at least in the nmap case, the license is no longer really GPLv2.

    The packaged installer, I'm not sure about one way or another - but the thing that really breaks it IMHO is the restriction against interpreting output.

    Now, the license says that something as basic as piping that output to an XML parser, and doing something useful with it - say, making SQL commands to put the data into a historical database - constitutes a derived work.

    Nmap has an option to produce XML output. That's precisely what XML is for - so you can easily process output data without creating a derivative work. So, the option to produce XML output is almost a trap (yes, I realize I'm using loaded language there).

    Someone could later make a program that produces exactly the same XML output, but obtains the data in a way that is somehow usefully different - again, the whole point of XML. Then what original is your XML-parsing database widget derived from? Can it be called a derivative work of a work that didn't even exist at the time the parser was written? Under this "clarified" GPL, it might well be.

    > To clarify, I’d like to see a certification that StillSecure has not changed a single line of the Snort code since I haven’t seen any patches from them hitting the Snort repository, right?

    If they modified Snort, they don't need to tell anyone, besides the people they sell it to.

    What they need to do is to make the source code of whatever Snort component they have available to their customers. Whether or not StillSecure has modified Snort, the source they give to their customers has to compile to the same Snort they were given in binary format.

    In addition, their customers cannot be prohibited from redistributing the code to others.

    This means that anyone can buy a StillSecure box, ask for the source, get it, and then publish it on a mailing list.

    Note that this only applies to what they changed in Snort. If they wrapped a proprietary installer around it, the stock GPL license allows that. (I know that SourceFire wishes that the GPL were more restrictive than that, but it isn't. Just like StillSecure wishes that the GPL were *less* restrictive than it actually is.)

    Hi There,

    Thomas, I agree GPL is a mess.

    I normally find your posts intelligent and well thought out; this one, however, seems to read like you woke up on the wrong side of the bed and decided to take it out on someone.

    Laying into a company like StillSecure, when they offer a freeware version of their commercial IDS/IPS that makes Snort easier for the common user (and pay for a license to Sourcefire), is totally unfair anger. Geez, go after a company that doesn't offer a free version and in your view would be 'above the devil' for what they do to GPL; maybe look at McAfee, ISS (older versions), Securify, etc.

    It's like laying into Apple for making BSD easier.

    APPLE - open source lovers - BSD, Apache, Samba, OpenLDAP, etc. Does it give back? Yes: updates to the BSD kernel, great GUI, easy to use. Does Apple grab every open source out there that would make Apple's job easier? YES! Do people complain? No, because we like Apple. Do they give back ALL GPL open source code changes? I would probably guess the answer is no.

    Alan has given a lot to the security community and Snort community. Attacking him/StillSecure with harsh statements instead of a rational debate doesn't make sense.

    You're better than this.

    I presume you have read Alan's blogs; he is very objective. Calling Alan a bad person is a little daft.

    Heck, as for open source going to make people money - it's everywhere and you're not going to be able to stop it... [Well, as far as I am aware you don't control the Internet :) ]

    Firefox was open source now it's firefox.com as it makes money
    Snort --> Sourcefire (snort out of the box for an end customer is only good for network security geeks not good for the normal guy on the street)
    Asterisk --> trixbox, etc
    ...the list goes on and on!

    So my advice - take it as you will - say sorry for venting your frustration with GPL on StillSecure (who try to do the right thing) and that you want to have a rational dialogue / debate on GPL not directed at one firm.

    If instead this is purely a personal issue, then call it so.

    Marty: "WTF? Snort’s not GPL anymore?"

    I think maybe it's not entirely, no.

    Two questions: Are there any circumstances where my GPL code goes into Snort, and I can no longer force someone distributing binaries to give me their source? And, can I fork the current Snort and redistribute it with a plain vanilla GPLv2 license?

    If the answer to either of those is no, then I'm calling it not entirely GPL.

    If StillSecure made their source code available only to their customers on demand, would they be even?

    What we really need is a comprehensive list of dos and don'ts accompanying each license type.

    @john bertrand:

    Apple does publish the modifications -- without listing the working groups they are part of (i.e. GCC), have a look at:

    http://www.opensource.apple.com/darwinsource/

    > Are there any circumstances where my GPL code goes into Snort, and I can no longer force someone distributing binaries to give me their source?

    If your GPL code goes in, then the rest of the program is GPL. You can only "force" someone to give you their source if they also give you their binary. (Or you could get the source from someone else who got a binary and then demanded the source.)

    > And, can I fork the current Snort and redistribute it with a plain vanilla GPLv2 license?

    Yes, but you probably cannot call it Snort.

    "Nigel, not sure it’s going to be productive to debate the meaning of the GPL with someone who doesn’t even believe in the merits of the GPL."

    Oh, I believe in the merits of the open source licensing, that's not an issue. It's just that in a previous life I dealt with security products that ran on Linux and interoperated with other GPL software, and as such, can understand the point of view of those who wonder if some judges might interpret the language of the license differently than Mr. Stallman.

    "I think this is pretty simple: if you want to allow companies to build proprietary products off your code, you BSD or MIT license it. If you are concerned that people are going to hijack your code and make proprietary, non-free extensions to it, you use the GPL. THAT IS THE WHOLE POINT OF THE GPL."

    Uh, yeah. Don't know what this has to do with my post, thanks for the primer. Not sure I needed it, been dealing with open source license issues probably for longer than you have, but thanks.

    "Your example is specious. Shipping a product on Linux, without modifying or extending Linux, is “conveying an aggregate” — a package — and it’s specifically, explicitly allowed in both versions of the GPL"

    Really? Maybe you could find this "conveying an aggregate" term for me: http://www.opensource.org/licenses/gpl-license.php

    "Writing C code that extends, modifies, or repurposes Snort and then selling that as a proprietary, non-free IPS product is different than simply packaging Snort on a Linux box."

    Yes, yes it is. Is this what you're accusing StillSecure of doing? Again, if you are, then are you going to release documentation (http://www.gnu.org/licenses/gpl-violation.html)?

    Seriously, stop being "Matasano-Sensationalist" for once and make an effort to be forthright and carefully specific.

    Dan: Good points, but I was getting at something specific. The new Snort license claims that under some circumstances, SourceFire will take people's code, and sell it under a proprietary license. And I'm wondering if this SourceFire-favorable license now has to follow the Snort code around, or if a GPL fork is still possible.

    Also, to no one in particular, I gathered some of the thoughts I have been posting here in the comments into my own entry:
    http://ryanlrussell.blogspot.com/2007/06/open-s...

    Stallman is not the architect of any "open source" licenses. Stallman never coined the term open source and severely dislikes it. If you think he should talk more, you should probably talk less being the big mouthed "I know it all" you are.

    In case you can't read, the license says "under a larger program". Not the nonsense that you're saying: if you "build a product around" "GPL code" you have to whatever. Or "if you pick GPL source and use it in your products". What does "use" mean? What does "around" mean? If you sell a book that contains GPL code? If you bundle a bunch of GPL programs with your code? It would be perfectly legal to have your proprietary program call another GPL program in your packaged application. It would be perfectly legal to have a proprietary installer, packaging, etc. Just because some router uses Linux as its embedded OS doesn't mean that the firmware should be open source.

    You should seriously consider dropping your arrogant attitude. You would be a happier person and your blog would be nicer to read.

    I'm sorry we're not writing well for you. If you'd like, we can recommend other blogs!

    Of course it's OK to execute GPL'd programs from non-GPL'd programs. What's not OK is incorporating GPL code into your own programs. That is the entire point of the GPL.
