[Snort-users] What's up with Snort's license?

Martin Roesch roesch at ...1935...
Wed Jul 18 18:26:25 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jul 18, 2007, at 3:20 PM, Alan Shimel wrote:

> Marty
>
> Thanks for the clarification. I wanted to clarify a few things myself.
>
> 1. I in my blog or anywhere else never claimed that Sourcefire was
> taking Snort out of open source.  My claim and I stand by it, is  
> that by
> putting your "clarification" of the GPL in on the 3.0 stuff, you are
> changing the GPL and it is no longer licensed under the "GPL" as we  
> and
> our attorneys interpret it.

We haven't changed the GPL in Snort 3.  We're specifying what  
constitutes a derivative product in our view for the sake of clarity  
to commercial integrators.  We're also saying that people who want to  
contribute code to the project do so with the knowledge that we're  
going to consider the code as assigned to Sourcefire unless other  
arrangements are made.  This is necessary for two reasons:

1) Mitigation of IP encumbrance due to a "hostile" contributer trying  
to "inject" 3rd party IP into the project.  The FSF does this but  
uses a full legal document, we're trying to avoid that encumbrance.   
It would seem that by your logic projects like GCC are also not  
licensed under the GPL.

2) Given that we need to be able to offer Snort under an alternative  
license for commercial integrators who are integrating Snort and  
don't want to adhere to the GPL it's essential that we retain the  
right to relicense the totality of the codebase.  If people don't  
want to contribute their code to the project due to this clause they  
can maintain their code as external patches.  I've always enjoyed  
interacting with the community (even if it is less often than it used  
to be) and I'll respect people's decisions with regard to this  
assignment clause as it relates to their desire to contribute.  I  
hope people will still feel free to contribute, as I said the code  
isn't going to ever disappear but, as with Nmap, we need to reserve  
the right to relicense for commercial use.

> Does that make it not open source?  I will
> leave that to others.  My personal opinion is that you do not need  
> a GPL
> license to be open source (but that is another matter). You choose  
> what
> license you want to use.  I just say it is not GPL anymore, it is
> Marty's GPL version.

Then we disagree.

> 2. Other companies using Snort.  Marty what kind of support would you
> like?  I feel that here you are not being quite as "open" as you would
> like us to believe. Do you mean that you want companies like  
> StillSecure
> to contribute to developing and supporting snort or do you mean if you
> had your druthers you would prefer no other commercial entity uses  
> snort
> to "compete" against you.  If it is you want us to help support Snort,
> we are ready, willing and able.  If you are using the open source
> license (gpl or otherwise) as a shield to prevent other companies from
> competing with sourcefire though, that is another story and you should
> just say so.

I (and Sourcefire) are not asking for any support from commercial  
vendors.  On the other hand, we do put quite a bit of effort into  
Snort and we distribute it under a license which we expect to be  
adhered to.  I don't care if companies integrate Snort, we're happy  
when they do because it builds a larger community of Snort users  
which is better for all of us.  Competition doesn't worry us in this  
regard, we feel that we serve our area of the market quite capably  
irrespective of other companies that offer Snort-based solutions.   
This isn't about that at all, it's about enforcing compliance with  
the license that Snort is distributed under.

The primary problem I have with companies that don't contribute to  
the project is when they don't like us being assertive about our  
rights as the copyright holder.  Their legitimacy to question our  
licensing language is highly suspect given their past contributions  
to and role in the community.  If all a vendor does is take and they  
don't give anything back to anyone then let's call it what it is and  
say they're a vendor who's worried that they're going to actually  
have to pay for something that you've been getting for free.

> 3. Changing peoples licenses and IP assignments - I think you realize
> the issues involved there and doing it in haste is not always the best
> way, but you apologized and that is enough for me.  IP assignment is a
> case of buyer beware. But think about this, what message do you  
> send to
> the developer community.  You want people to help support snort but  
> you
> are going to "own" what they contribute. Not very inviting, but at  
> least
> you are upfront about it.

I outlined the reasons for doing so above, people are free to  
contribute (or not) in any way they see fit.  This is the exact same  
thing that the Nmap project has been doing since 2001, it seems to  
have worked well for that community and I think it'll work for  
Snort's community as well.

	-Marty

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFGnpORqj0FAQQ3KOARAoAjAJ9dYITfThxo69wt4+yOarXPye3W/ACfaTl1
5jNFVeKnN7F1xRMbMWoF4u8=
=xCkz
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list