RE: Nessus no longer open source
From: Ted Mittelstaedt (tedm_at_toybox.placo.com)
To: <firstname.lastname@example.org>, <email@example.com>
Date: Thu, 6 Oct 2005 12:57:59 -0700
This happened with the SAINT scanner also, however they didn't have the
decency to keep an older release train going under GPL. SAINT was a
rework of SATAN which was released open source, making that a
bitter pill. I believe when SAINT did this, that was what gave the
Nessus to become popular.
Security scanning is an esoteric field and not a lot of people are true
however there's a huge demand for it from some very deep pockets. Thus
this kind of thing is inevitable.
One of the duties of the OSS market is to serve as a spawning ground for
commercial software packages. There was a huge amount of commercial
software born from the BSD code, and in fact a number of the BSD
utilities made it into Windows - including their BSD copyright notices in
Consider also that the military would almost certainly not want to use an
open source scanner because that gives the enemy a list of what
you know about, and what ones you possibly don't. I can think of a
of other deep pockets like VISA that are the same way. Closing the
for Nessus 3 will open it up to consideration by a number of customers
would have been prevented from using it. Almost certainly the research
vulnerabilities that go into Nessus 3 will trickle into Nessus 2
this move, far from being a blow to OSS, actually strengthens it. If you
to bitch about something then bitch about SAINT.
>[mailto:firstname.lastname@example.org]On Behalf Of Gayn Winters
>Sent: Thursday, October 06, 2005 9:04 AM
>Subject: Nessus no longer open source
>One of the highest rated open source security programs, nessus, will no
>longer be open source. Quoting from an email from Renaud Deraison
><email@example.com> to firstname.lastname@example.org,
>"Nessus 3 will be available free of charge, including on the Windows
>platform, but will not be released under the GPL.
>"Nessus 3 will be available for many platforms, but do understand that
>we won't be able to support every distribution / operating system
>available. I also understand that some free software advocates won't
>want to use a binary-only Nessus 3. This is why Nessus 2 will
>continue to be maintained and will stay under the GPL."
>I'm not sure if Nessus 3 will be supported as a FreeBSD package.
>Apparently the folks at Tenable feel that they have been supporting the
>open source community but have been getting little back in plug-ins and
>vulnerabilities and virtually nothing back on the scanning engine for
>over six years. In fact, they have been slowly tightening their
>it would appear that they can and will continue to tighten it over time.
>(http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html) is that
>the open source community should take heed. He provides a list of ways
>to contribute to open source software projects. While the list is
>excellent, there are no new ideas in it. The thing that seems germane
>to the FreeBSD community is that ports, even extremely popular ones, are
>vulnerable, since under the GPL the AUTHOR of the code is not bound by
>the same restrictions that the users are. I'm not a lawyer, but as I
>understand it, the author can create a derived work of something under
>the GPL and license the derived work (a "rewrite" in the case of nessus
>3) and arbitrarily restrict it. Given Renaud's claim that no one
>contributed to the scanning engine, he seems to have every right to
>create a new and closed version of it.
>The moral here, if there is one, is that if you really like a port, then
>you should contribute to it one way or another!
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"