[Snort-users] Fwd: What's up with Snort's license?
roesch at ...1935...
Wed Jul 18 15:34:15 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Alan Shimel asked me to forward this to the list.
Begin forwarded message:
> From: "Alan Shimel" <alan at ...13458...>
> Date: July 18, 2007 3:30:28 PM EDT
> To: "Martin Roesch" <roesch at ...1935...>
> Subject: FW: [Snort-users] What's up with Snort's license?
> This bounced to the list because I think it is under my old mail
> address. Can you post it to the list?
> -----Original Message-----
> From: Alan Shimel
> Sent: Wednesday, July 18, 2007 3:21 PM
> To: 'Martin Roesch'; Snort Users
> Subject: RE: [Snort-users] What's up with Snort's license?
> Thanks for the clarification. I wanted to clarify a few things myself.
> 1. I in my blog or anywhere else never claimed that Sourcefire was
> taking Snort out of open source. My claim and I stand by it, is
> that by
> putting your "clarification" of the GPL in on the 3.0 stuff, you are
> changing the GPL and it is no longer licensed under the "GPL" as we
> our attorneys interpret it. Does that make it not open source? I
> leave that to others. My personal opinion is that you do not need
> a GPL
> license to be open source (but that is another matter). You choose
> license you want to use. I just say it is not GPL anymore, it is
> Marty's GPL version.
> 2. Other companies using Snort. Marty what kind of support would you
> like? I feel that here you are not being quite as "open" as you would
> like us to believe. Do you mean that you want companies like
> to contribute to developing and supporting snort or do you mean if you
> had your druthers you would prefer no other commercial entity uses
> to "compete" against you. If it is you want us to help support Snort,
> we are ready, willing and able. If you are using the open source
> license (gpl or otherwise) as a shield to prevent other companies from
> competing with sourcefire though, that is another story and you should
> just say so.
> 3. Changing peoples licenses and IP assignments - I think you realize
> the issues involved there and doing it in haste is not always the best
> way, but you apologized and that is enough for me. IP assignment is a
> case of buyer beware. But think about this, what message do you
> send to
> the developer community. You want people to help support snort but
> are going to "own" what they contribute. Not very inviting, but at
> you are upfront about it.
> All of that being said, I am looking forward to sitting down with you
> and Wayne and trying to work out a licensing agreement that makes
> for everyone.
> Alan Shimel
> Chief Strategy Officer
> O 303.381.3815
> C 516.857.7409
> F 303.381.3881
> StillSecure, After All These Years
> The information transmitted is intended only for the person
> to whom it is addressed and may contain confidential material.
> Review or other use of this information by persons other than
> the intended recipient is prohibited. If you've received
> this in error, please contact the sender and delete
> from any computer.
> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net
> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Martin
> Sent: Wednesday, July 18, 2007 2:49 PM
> To: Snort Users
> Subject: [Snort-users] What's up with Snort's license?
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi everyone,
> I posted this message on my blog a few minutes ago, please read it
> and let me know what you think if you're interested in Snort
> licensing issues.
> - --
> There have been a lot of questions and speculation about the things
> we (Sourcefire) have been changing in Snort's licensing recently and
> it needs to be addressed so that we can clear the air.
> There are three things that people have been asking questions about
> or having issues with.
> 1) GPL v2 lock that we put in place on June 29th.
> 2) "Clarifications" in Snort's license language (Snort 3.0).
> 3) "Clarifications" with regard to assignments of ownership for
> contributed code (Snort 3.0).
> Let me address these issues in order.
> 1) GPL v2 lock.
> Here's what happened. About 3 weeks ago I got a heads up that under
> GPL v2, a licensee can choose to use GPL v3 if we don't specify what
> version of the GPL to use; conceivably we could have people forking
> and changing license on us. Seeing as GPL v3 didn't even "ship" until
> June 29th we didn't feel like we were going to be able to make any
> decision on the language that was contained in the new version until
> we'd had some time to perform a formal legal review. It also didn't
> help that they decided to release on the last day of the quarter.
> Another contributing factor to the decision for me was that Linus
> decided to keep the Linux kernel at GPL v2, that in itself was enough
> to get me to hit the pause button and take some serious time
> reviewing this new license before making any decision. Linus himself
> said "I'm not arguing against the GPLv3. I'm arguing that the GPLv3
> is wrong for _me_, and it's not the license I ever chose." It's not
> the license we chose either and we're not moving to it without a
> conscious decision to do so.
> If we didn't want the code base moving to the new version then what
> could we do? The simplest thing given the time constraints that we
> were working within was just to change the language in the source
> file header preambles (and not the license itself) noting that we
> were specifying Snort at GPL version 2 until we could make a solid
> and informed decision about how we wanted to treat GPL v3.
> For those of you with wholly contributed source files where the file
> headers were changed, many (most/all?) of them referred to "the
> program" as being under an indistinct version number (not just your
> source files) and so rather than try to track everyone down in the
> time frame we had to work with *I* made a unilateral decision to just
> move forward with it and we'd clean up the mess afterwards. I'm sorry
> for the "bull in the china shop" routine but we felt like we needed
> to have this language out there before GPL v3 shipped at noon EDT on
> June 29th. Clearly there were some mistakes made, obviously we
> shouldn't have changed things like the BSD license on the strl* files
> and so on, we'll fix that too. As Victor observed, this was done in
> something of a hurry. BTW, we didn't try to "slip it out on a Friday"
> per the note on some blog, Friday was the deadline and we had to move.
> Where do we go from here? We're going to examine the language in the
> new license and decide if we want to move forward with it. This is
> going to take a while but we'll make an announcement when we make the
> final decision. For those of you who have wholly authored source
> files that would like the language changed for your source files back
> to the original, with the provision that the language reflect that
> you're just referring to your file and not the entirety of the
> program, just let us (me) know and send us the verbage you want and
> we'll make the change. For those of you who object to this sort of
> thing all together that would like to maintain your code as an
> external patch set for Snort instead of in the main source tree, give
> us the heads up and we'll pull your code from the source trees. Once
> again, this is with the provision that we may reimplement the
> capabilities that your code offers as Sourcefire-authored code if it
> happens to be something that we consider important to the project.
> If anyone has any other input I'd be happy to hear it. Contrary to
> what several groups with vested interests seem to be promoting,
> Sourcefire isn't interested in closing Snort's source code or making
> this a closed-source project. The community continues to be important
> to us and we have no plans on that ever changing.
> 2) Snort 3.0 "clarifications" and the GPL
> There has been a fair amount of opinion being put forth by people in
> the blogging world that Snort 3.0 will no longer be "open source" due
> to the clarifications that we put in place. This is just plain wrong.
> Sourcefire produces Snort as an open source project. My interest as
> the guy who started this whole thing and who has worked on and
> advanced this project for closing in on 9 years now has always been
> how good we can make the technology and how well we can serve the
> needs of the community. Now that Snort has my company behind it, the
> priorities really haven't changed but there's an interesting dynamic
> out there with companies that are using Snort as a part of their
> product or service offering. Many of them seem to expect us to work
> on this technology and improve it continuously so that their offering
> is cutting edge but contribute nothing to the project and complain
> bitterly whenever we do something that might cost them some money to
> continue to use a best-of-breed technology like this.
> It's Free as in "Free Speech", not Free as in "Free Money" people!
> Companies that use Snort as part of a service or product seem to be
> having a tough time accepting this. The goal of the new licensing
> language is to define what we consider to constitute conditions under
> which something built on or around Snort is a derivative work subject
> to the stipulations of the GPL (i.e. putting the derivative code
> under the GPL license). Despite all the gnashing of teeth that has
> resulted from this clarification, what we've really done is take
> about the most "open" stance you can with a GPL project and put it
> out there, true open source champions should be applauding us for our
> That didn't happen. Instead we've gotten a litany of grousing from
> the blogerati, primarily because we've offered a commercial license
> for people who don't want to play by the rules of the GPL in their
> product and service offerings that will (*gasp*!) cost money. If
> you're licensing technology from Sourcefire (which all of you using
> the GPL version of Snort are doing) and you don't wish to live under
> the terms of that license, we're giving you another one to choose
> from. If you don't like having world-class security technology
> available for a fee because it affects your cost structure, that's
> not my problem. If you want to use it for free then you have to live
> by the license but people always seem to interpret the GPL in ways
> that are optimally advantageous to them (if they don't just take the
> code directly and bury it in their product). The clarifications we
> put into Snort 3 are there to get us all on the same page and to make
> sure that commercial users of the technology understand that we're
> not a "venture technology" company, giving them technology for free
> to enable their business models which frequently compete against us
> in some regard. There's nothing wrong with using Snort as a part of
> your commercial offering as long as you adhere to its license. If you
> can't do that then we need to talk.
> At the same time we've taken many measures to ensure that the end
> users of the technology are unaffected. Want to integrate Snort or
> part of Snort into your open source project? No problem, it's free.
> Want to deploy 100 home-made Snort sensors in your non-profit/
> enterprise/government organization ? Go for it. Want to learn how
> these systems work at the code level? No problem, it's all there.
> Want transparency of your security technology and the content that
> drives it? It's all there, as it should be. Want to have access to
> the internals to extend or correct or add your own value to the
> project or just your operational environment? All part of the open
> source concept, make it happen. Want to fork and make your own IPS
> project built on the code-base? You can do that, just make sure you
> understand what you're doing in maintaining proper licensing for the
> forked project and respect our IP.
> I personally have *always* been the biggest advocate for the users of
> Snort since the day this company was formed and I always will be.
> 3) Snort 3.0 and IP assignments
> This is the most controversial provision of the clarifications that
> we put into the Snort 3.0 license. Basically what it says is:
> * By sending these changes to Sourcefire or one of the Sourcefire-
> * mailing lists or forums, you are granting to Sourcefire, Inc. the
> * perpetual, non-exclusive right to reuse, modify, and/or relicense
> the code.
> * Snort will always be available Open Source, but this is important
> * because the inability to relicense code has caused devastating
> problems for
> * other Free Software projects (such as KDE and NASM). We also
> * relicense the code to third parties as discussed above. If you
> wish to
> * specify special license conditions of your contributions, just say
> so when
> * you send them.
> So what's that mean? If you send a patch to the mailing lists or to
> Sourcefire, if you contribute code to the Snort project we consider
> that code and it's IP to be "assigned" to us. The reason for doing
> this should be pretty clear, we don't feel that contributing a 3-line
> patch to a 200k+ LOC codebase means that the contributer has
> copyright claims over Snort at that point. In the early years there
> were many people who contributed (in any way) to Snort but over the
> years since Sourcefire was incorporated the total contribution by
> these external contributers has decreased substantially. After that,
> Sourcefire developed more and more of the code, especially the core
> functionality of the detection engine and preprocessors, not to
> mention tons of the rules as well. I have felt for a long time that
> we need to have a sense of proportionality about this and we should
> also have the ability to be flexible with the code base in terms of
> licensing without needing to approach every contributer individually
> to get sign-off on any changes that we make. That's why we've put
> this provision into Snort 3.0.
> This "assumptive assignment" is exactly what projects like Nmap use.
> Perhaps we should take the next step and use the FSF's model where
> contributers to projects like GCC need to sign a legal document
> explicitly to contribute to the project. The FSF does this because
> they need to have flexibility but also because they need to get out
> from under any potential problems that may occur due to someone
> inappropriately contributing IP from a 3rd party. I don't like that
> concept because of the overhead associated with interacting with the
> project, Snort's not a huge project like GCC so I've liked that
> people can contribute as they see fit. The FSF does take one
> additional step, they guarantee that the projects that people make
> assignments to will be available as open source projects in
> perpetuity. I think that maybe we need to make a statement like that
> but quite frankly it's always been our position that Snort will
> always be available as Free Software and we have no intention to
> change our position ever.
> I think that the part of this provision that people have had the most
> trouble with is that we also retain the right to relicense the
> contributed code under alternative licenses. We have to be able to do
> that if we're going to offer alternative licenses to Snort,
> maintaining a "patch free" code branch and a "patch tainted" branch
> doesn't make any sense to me and probably not to you either. The
> assignment doesn't mean we're going to "steal" your code and
> "disappear" it CIA-style. It means that we need to be able to retain
> the right to offer it under our commercial license. The code you
> contribute will always be available to you and everyone else in the
> open source code base, we're not going to steal it but we are going
> to make it available to our commercial users. If you've got a problem
> with this, don't contribute the code to us, maintain it as an
> external patch.
> That's about it. I'm sorry we haven't been as communicative with the
> OSS community as we probably should be, I personally have a lot of
> demands on my time and I'm the person at SF who's the most familiar
> with the totality of the Snort project so I have a lot of input into
> the process here and I'm also fairly parochial regarding
> communicating concepts like this to the user community. In the future
> I'll try to be more forthcoming with all of you and I hope you'll
> continue to be patient with both me and Sourcefire; our hearts really
> are in the right place with the users of this technology but we also
> have to be pragmatic about how all of this is going to work given all
> of the commercial use that Snort sees.
> We're trying to be pragmatic about these issues, I hope that people
> can feel comfortable with the direction that we're taking things. I
> look forward to reading people's responses.
> - --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
> -----END PGP SIGNATURE-----
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
-----END PGP SIGNATURE-----
More information about the Snort-users