On Sun, Dec 12, 2004 at 11:13:36AM +0100, Pavel Kankovsky wrote:
> > - The first one, is that the current feed will only contain GPL plugins
> > (ie: currently about 2,000 plugins). This means that the current
> > command "nessus-update-plugins" will continue to work properly, but you
> > will get less plugins than what you can get today, as (as many of you
> > have noticed), plugins released by my company (Tenable) are *not* released
> > under the GPL
>
> What makes the difference between GPL and non-GPL plugins?

egrep -L "script_copyright.*Tenable Network Security".
In other words, all the plugins are under the GPL, except the ones
written by Tenable.

> 2268 containing "Nessus Script Licence" in various spelling variations.
> Hmm...this must be some kind of red herring because I can't find a copy
> of this licence in any copy of Nessus I have. And this herring is a
> pretty old one because two of the plugins in this set are from December
> 2001. <g>

The "Nessus Script Licence" will actually be considered as being the GPL -
many people submitted plugins assuming it would be, it's just fair.

> Hundreds, perhaps thousands, of plugins, including many made by Tenable
> and many made by other parties, have no explicit licence, just a copyright
> notice.

If non-Tenable plugins have no licence, that needs to be fixed.

> Most of them have been released in a tarball with a copy of GPL (and
> nothing else) in its top directory (nessus-plugins-*.tar.gz). Call me
> naive but I would expect you intended to release a file under GPL when
> you yourself put it into a tarball GPL'ed as a whole without any explicit
> licence notice. I find this situation rather confusing.

Actually, some plugins (ie: os_fingerprint.nasl) were already
explicitly released under a non-GPL licence. When people submitted
plugins, I made sure that it was either under the GPL or the "Nessus
Script Licence" (which will be renamed). So the GPL was there as a
reference for the GPL/NSL plugins, but other plugins were already
governed by other licences.

> > So there are three ways to update plugins now :
> >
> > - a GPL feed containing the plugins submitted by the community ;
>
> A question: What happens when "the community" submits a fix or enhancement
> (esp. a substantial fix or enhancement) for a plugin made by Tenable?

The plugin still belongs to Tenable in that case. However, if the
community submits a fix, the plugin is already available for everyone to
use.

> In my humble opinion the answer to this question should be considered
> carefully because I think it would be rather unfortunate if the result
> was a *disincentive* to contribute fixes and enhancements to these
> plugins.
>
> In my even more humble opinion, the things should be set up in a way
> discouraging parasitism on one hand while encouraging support of the
> project (both in the form of money and in the form of work) on the other
> hand.

I think we've reached that balance. We write plugins, and they're
available for free. Some people will be turned away from submitting
patches because they consider that anything non-GPL is an abomination
before God, and I'll be sorry to lose these contributions. At the same time,
there are dozens of companies practicing "parasitism" today (just do a
google search for "Vulnerability Assessment" and look at all the ads on
the side). Hopefully, we'll lose some of them too.

-- Renaud