[Snort-users] Fwd: What's up with Snort's license?

Martin Roesch roesch at ...1935...
Wed Jul 18 21:05:37 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forwarding for Alan again:

Begin forwarded message:

> From: "Alan Shimel" <alan at ...13458...>
> Date: July 18, 2007 7:41:21 PM EDT
> To: "Martin Roesch" <roesch at ...1935...>, "Snort Users" <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] What's up with Snort's license?
>
> Marty
>
> Not sure if this will make it back to the list because the latest
> incarnation of our exchange server seems to have me under
> alan at ...13458... and I think I am ashimel at ...8929... on the snort
> list. If you could forward for me.  thanks
>
> On GPL, yes we disagree. I think your "clarifications" actually change
> or modify the GPL.  You think it just states what it always meant. I
> think the FSF left it vague on purpose and this is something that you
> and I aren't going to solve. Lawyers have been arguing over this for
> years, so let's agree to disagree.
>
> On your other points, I think you sidestepped the issue. If I am reading
> this right, you are saying you don't want help from other commercial
> companies, you just want licensing fees.  So don't say you are looking
> for help and support, say you are looking for licensing revenue. It is
> not about what it costs you to keep up snort, it is about you owning it and
> being entitled to a fee if others use it.  Of course the GPL does not
> exactly say that, but at this point I think you are stuck with the GPL,
> so you clarify it to suit your needs as much as you accuse others of
> interpreting it to suit their needs. And of course that assumes you own
> all the code, which brings up the whole 3rd party issue which I will
> address in a bit.
>
> As to contributing to the project, let's be clear, you just said you
> don't want commercial companies' help, you want license fees.  Years ago
> we decided to support Matt Jonkman and the bleeding community as did
> other commercial entities.  We didn't frankly see a way that you wanted
> us to help.  On the other hand we were only too happy to join the VRT
> program and we thought of this as in some way helping and giving back,
> though frankly we don't use that rule feed.  We don't have a problem
> paying for something, we just don't want to be held over a barrel with
> licensing fees that change as we become more competitive.  I think you
> would want the same thing.
>
> As to what we give back, we have offered a free version of our IPS
> (which uses a snort engine) for a long time
> (http://www.stillsecure.org).  We also put our new Cobia platform in
> what we consider a license which is clearer than the GPL
> (http://cobia.stillsecure.com).  Let me be really clear.  Our take on
> open source and Cobia is that if you use the product and don't resell or
> profit from it, it is free and you get the source code to modify and
> use.  If you are going to resell it in any way, then you need a
> commercial license. Marty, I don't think that is very different than
> what you are trying to do. You are just trying to make sure the GPL says
> that. I don't think it does, so we wrote our own license. If you want to
> say that makes us not open source, that is fine by me too. Cobia is free
> and you get source code. But at the end of the day, we are trying to
> accomplish the same thing. In fact if you give Cobia away and don't
> profit from it, you are free to do so under our community license as
> well.
>
> On 3rd party contributions. I understand the reasons you give for the
> assignment.  I just think it puts a chill on the community's willingness
> to contribute.  Also on older contributions, did the contributors
> realize this when they contributed code?  I think this is unfortunately
> the way it goes when open source projects get commercialized after
> starting out non-commercial.  But Sourcefire and Snort are not the only
> ones dealing with this. We looked at the same thing with Cobia and again
> we made sure our license is really clear on it.  So maybe it is not GPL
> and you may say that makes it not open source.  I don't hold NMap up as
> the shining star of what is right and wrong either. They have their
> model and some agree and some may disagree with what they did with their
> interpretation of the GPL license.  I say our community wants free
> software and the source code to modify.  They understand if they resell
> or profit we expect them to use a commercial license.  Isn't that what
> you are trying to accomplish?
>
> Here are two questions I do have Marty. If you run snort, don't modify
> it or anything and just take the output and use that output for your
> application. Is that a valid use under the 3.0 license?  Would you still
> need a commercial license?  The second question, if someone ported snort
> to run on Cobia and we distributed it for free with the free version of
> Cobia would that still need a commercial license under the 3.0 license?
>
> alan
>
> StillSecure
> Alan Shimel
> Chief Strategy Officer
>
> O 303.381.3815
> C 516.857.7409
> F 303.381.3881
>
>
>
> StillSecure, After All These Years
>
> www.stillsecure.com
> The information transmitted is intended only for the person
> to whom it is addressed and may contain confidential material.
> Review or other use of this information by persons other than
> the intended recipient is prohibited. If you've received
> this in error, please contact the sender and delete
> from any computer.
>
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...1935...]
> Sent: Wednesday, July 18, 2007 6:26 PM
> To: Alan Shimel; Snort Users
> Subject: Re: [Snort-users] What's up with Snort's license?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jul 18, 2007, at 3:20 PM, Alan Shimel wrote:
>
>> Marty
>>
>> Thanks for the clarification. I wanted to clarify a few things myself.
>>
>> 1. I in my blog or anywhere else never claimed that Sourcefire was
>> taking Snort out of open source.  My claim and I stand by it, is that by
>> putting your "clarification" of the GPL in on the 3.0 stuff, you are
>> changing the GPL and it is no longer licensed under the "GPL" as we and
>> our attorneys interpret it.
>
> We haven't changed the GPL in Snort 3.  We're specifying what
> constitutes a derivative product in our view for the sake of clarity
> to commercial integrators.  We're also saying that people who want to
> contribute code to the project do so with the knowledge that we're
> going to consider the code as assigned to Sourcefire unless other
> arrangements are made.  This is necessary for two reasons:
>
> 1) Mitigation of IP encumbrance due to a "hostile" contributor trying
> to "inject" 3rd party IP into the project.  The FSF does this but
> uses a full legal document, we're trying to avoid that encumbrance.
> It would seem that by your logic projects like GCC are also not
> licensed under the GPL.
>
> 2) Given that we need to be able to offer Snort under an alternative
> license for commercial integrators who are integrating Snort and
> don't want to adhere to the GPL it's essential that we retain the
> right to relicense the totality of the codebase.  If people don't
> want to contribute their code to the project due to this clause they
> can maintain their code as external patches.  I've always enjoyed
> interacting with the community (even if it is less often than it used
> to be) and I'll respect people's decisions with regard to this
> assignment clause as it relates to their desire to contribute.  I
> hope people will still feel free to contribute, as I said the code
> isn't going to ever disappear but, as with Nmap, we need to reserve
> the right to relicense for commercial use.
>
>> Does that make it not open source?  I will
>> leave that to others.  My personal opinion is that you do not need a GPL
>> license to be open source (but that is another matter). You choose what
>> license you want to use.  I just say it is not GPL anymore, it is
>> Marty's GPL version.
>
> Then we disagree.
>
>> 2. Other companies using Snort.  Marty what kind of support would you
>> like?  I feel that here you are not being quite as "open" as you would
>> like us to believe. Do you mean that you want companies like StillSecure
>> to contribute to developing and supporting snort or do you mean if you
>> had your druthers you would prefer no other commercial entity uses snort
>> to "compete" against you.  If it is you want us to help support Snort,
>> we are ready, willing and able.  If you are using the open source
>> license (gpl or otherwise) as a shield to prevent other companies from
>> competing with sourcefire though, that is another story and you should
>> just say so.
>
> I (and Sourcefire) are not asking for any support from commercial
> vendors.  On the other hand, we do put quite a bit of effort into
> Snort and we distribute it under a license which we expect to be
> adhered to.  I don't care if companies integrate Snort, we're happy
> when they do because it builds a larger community of Snort users
> which is better for all of us.  Competition doesn't worry us in this
> regard, we feel that we serve our area of the market quite capably
> irrespective of other companies that offer Snort-based solutions.
> This isn't about that at all, it's about enforcing compliance with
> the license that Snort is distributed under.
>
> The primary problem I have with companies that don't contribute to
> the project is when they don't like us being assertive about our
> rights as the copyright holder.  Their legitimacy to question our
> licensing language is highly suspect given their past contributions
> to and role in the community.  If all a vendor does is take and they
> don't give anything back to anyone then let's call it what it is and
> say they're a vendor who's worried that they're going to actually
> have to pay for something that you've been getting for free.
>
>> 3. Changing people's licenses and IP assignments - I think you realize
>> the issues involved there and doing it in haste is not always the best
>> way, but you apologized and that is enough for me.  IP assignment is a
>> case of buyer beware. But think about this, what message do you send to
>> the developer community.  You want people to help support snort but you
>> are going to "own" what they contribute. Not very inviting, but at least
>> you are upfront about it.
>
> I outlined the reasons for doing so above, people are free to
> contribute (or not) in any way they see fit.  This is the exact same
> thing that the Nmap project has been doing since 2001, it seems to
> have worked well for that community and I think it'll work for
> Snort's community as well.
>
> 	-Marty
>
> - --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iD8DBQFGnpORqj0FAQQ3KOARAoAjAJ9dYITfThxo69wt4+yOarXPye3W/ACfaTl1
> 5jNFVeKnN7F1xRMbMWoF4u8=
> =xCkz
> -----END PGP SIGNATURE-----
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFGnrjhqj0FAQQ3KOARAsX4AJ4kic3bY91Ss0Od3GuZ1w3Xd7wgQACbBhtY
js1lfMHu7qtQTRP28wuCbfc=
=1PT2
-----END PGP SIGNATURE-----