[Snort-users] What's up with Snort's license?
loyalmoses at ...3027...
Wed Jul 18 20:46:38 EDT 2007
I believe this has a lot less to do with GPL than is being led to
Some thoughts on the Intellectual Property topic:
Marty: "This is the most controversial provision of the
we put into the Snort 3.0 license."
Oh you bet. This is most definitely the hottest topic.
Marty: "By sending these changes to Sourcefire or one of the Sourcefire-
moderated mailing lists or forums, you are granting to Sourcefire,
unlimited, perpetual, non-exclusive right to reuse, modify, and/or
You are between a rock and hard spot here. Your product is based on
works of dozens of contributors over the past several years while
your project was licensed
If you were not GPL, then you have the absolute right to make a
license change at any time,
however you do not have the right to take ownership of user
contributions which were made
within the boundaries of the GPL license with that understanding.
Marty: "we don't feel that contributing a 3-line patch to a 200k+ LOC
codebase means that the
contributor has copyright claims over Snort"
I don't think the community in general believes this at all either.
What they believe is they retain
copyright over 'their' submitted contribution.
Marty: "In the early years there were many people who contributed
(in any way) to Snort but over the
years since Sourcefire was incorporated the total contribution by
these external contributors has
decreased substantially. After that, Sourcefire developed more and
more of the code, especially
the core functionality of the detection engine and preprocessors, not
to mention tons of the rules as well."
Time has no relevance here. Copyright and ownership of intellectual
property does not disappear because
a few years have passed. Even derivative works from copyrighted
materials are a very gray area.
Marty: "I have felt for a long time that we need to have a sense of
proportionality about this and we should
also have the ability to be flexible with the code base in terms of
licensing without needing to approach
every contributor individually to get sign-off on any changes that we
Unfortunately, you chose a GPL license and it was understood at that
time by every contributing user that
they were not just 'donating' their time, skill and efforts to your
pocket book, but to a project that was going
to remain GPL to serve and support the industry in whole.
Each contributor has a right to his source code, again unless it was
contributed under different conditions,
however it wasn't, it was contributed under a GPL.
Marty: "we need to be able to retain the right to offer it under our
This is where the concerns come in, you now need this code for your
newly formulated business goals and
are making modifications to your license to serve this purpose.
However, you are going to be unable to
simply take ownership of the source code without some very obvious
legal hurdles to overcome.
Marty: "If you've got a problem with this, don't contribute the code
This was a rather harsh statement to make and really makes users of
snort take a step back and look at the
overall situation.
Great; from now on users should stop contributing any further source
code or signature content.
Past contributors should take a full inventory of their contributions
to date, which were made under
the GPL license, and if / when hi-jacked contributions or derivatives
from are discovered in future
snort releases, users should seek after valid and compensating law
I don't believe contributing users should be expected to simply walk
away from their intellectual property
to serve the business goals of a post-incident incorporated
Marty: "If all a vendor does is take and they don't give anything
back to anyone then let's call it what it is and
say they're a vendor who's worried that they're going to actually
have to pay for something that you've been
getting for free."
I don't think the community has a problem here. It's the bait and
switch tactic that is causing concern.
If you want it called how it is, then let's hear it. You (Sourcefire)
want to break out of the GPL license one step
at a time, by first taking copyright over all contributing
intellectual property so future versions can be branded
as commercially, fully owned by Sourcefire for the purpose of business.
Marty: "It's Free as in 'Free Speech', not Free as in 'Free Money'
Here is where you are quite wrong.
Let's compute this for a moment, and discuss the effects of linux
under the GPL. In this hypothetical scenario,
Linus Torvalds decides that he is tired of the community making money
from his original project. Can he bait
and switch now? Can he claim that it was 'Free Speech' and not 'Free
Money', and take complete ownership
of all contributions?
Marty: "true open source champions should be applauding us for our
In conclusion, snort is a great product developed and maintained by a
world of very happy and satisfied
Ultimately, what makes you (Sourcefire) think that you can take the
contributed works of dozens of people
and stake full ownership for commercial gain?
If you believe this to be true, then what should stop any one of the
contributors from taking the snort
source code and commercially licensing it with full ownership?
It all is going to come down to how you originally licensed snort.
This issue wouldn't have even risen if you hadn't licensed it GPL.
However, it is GPL by your own inclusion
and licensing and unfortunately all works thereof fall under that
Personally, I am very interested to see some of the legal claims that
will arise from this.
On a business line of thought. This is primarily why our product
Aanval (Snort & Syslog Console), does not
install or charge for the existence of snort. We only provide an
alternative method of viewing and managing
the application and do not sell an intrusion detection system / engine.
If you made it here, thanks for taking the time.