[Snort-users] What's up with Snort's license? (Answer rollup)

Paul Schmehl pauls at ...6838...
Sat Jul 21 19:47:35 EDT 2007

--On July 21, 2007 9:35:05 AM +1000 Matt Jonkman 
<jonkman at ...14019...> wrote:

> Thanks for the answers Marty. I hope you and SF consider answering
> these questions BEFORE it becomes a crisis next time. Having these
> regular communication problems and blackouts is very taxing on the
> community's ability to stay together.

I've been watching this discussion closely.  ISTM that every time 
Sourcefire/Marty does something some people immediately assume the worst 
and start crying "crisis".  (Matt, you are a senior member of that group.) 
Given the past history of snort, Sourcefire and Marty, ISTM that 
Sourcefire/Marty should be given the benefit of the doubt in cases such as 
this.  IOW, rather than screaming "license change! License change!" it 
would be a great deal more productive to simply ask for clarification. 
Nothing I have read (and I've read it all) remotely approaches the cries 
of dire disaster coming from some quarters.

> One open question though: Are major code contributors going to be
> reimbursed for the revenue made from their code under separate
> commercial licenses in the 2.x branch?

This is such a ridiculous question that I'm stunned you would ask it.  The 
GPL permits not only the use of open source code but also its sale in a 
derivative, commercial product.  There's not a single word about 
reimbursement of the contributors of the open source code.

"When we speak of free software, we are referring to freedom, not price. 
Our General Public Licenses are designed to make sure that you have the 
freedom to distribute copies of free software (and charge for them if you 
wish), that you receive source code or can get it if you want it, that you 
can change the software or use pieces of it in new free programs, and that 
you know you can do these things."

Marty was taken to task for writing "It's Free as in "Free Speech", not 
Free as in "Free Money" people!"  ISTM his language reflects the language 
of the preamble to the GPL license.  Clearly Marty is more familiar with 
the GPL than some of his critics.

> If it were going to be licensed
> to someone under the GPLv2 (or 3) these contributors would not be
> entitled to anything as I understand. But under some other license I
> think the copyright owners must be compensated, no?

You understand wrong.  Here's what Marty wrote:

"By sending these changes to Sourcefire or one of the 
Sourcefire-moderated mailing lists or forums, you are granting to 
Sourcefire, Inc. the unlimited, perpetual, non-exclusive right to reuse, 
modify, and/or relicense the code."

Somehow, you (and several others) seem to have completely missed or 
deliberately ignored the "non" in "non-exclusive" use (after all, if we're 
going to impute negative motives to folks, let's not stop with Marty - 
those on the "other side" don't exactly have "clean hands" in this debate 
either - fair enough?).  IOW, copyright holders of code (or rules or 
whatever else you want to assert is "contributing" to snort) STILL retain 
their copyright.  All they are doing is granting Sourcefire the right in 
perpetuity to reuse, modify or relicense the code.  Clearly this clause 
protects Sourcefire from vindictive or litigious copyright holders.  It 
does *not* remove any existing rights from a copyright holder but does 
prevent them from changing the license terms after Sourcefire has made use 
of it.

> I realize that won't be an issue in the 3.0 branch as it's all SF code.
> But it seems fair that major contributors should be considered at least
> in current agreements.

It doesn't seem fair at all to me.  People who contribute to snort do not 
"deserve" to be compensated for income that Sourcefire generates from the 
sale of a *derivative* product that uses snort.  Snort is still free. 
Snort is still open source.  Nothing has changed in that regard, and no 
copyright holder has given up, lost or had stolen any of his or her rights 
to their contribution(s).

> To be clear, I'm not one of those people. My contributions to date are
> almost all in signatures. But it's a question worth asking.

I for one am getting quite irritated at the repeated attacks on Marty and 
Sourcefire.  Marty's actions and decisions have been consistently pro-open 
source from the beginning of snort and remain so today.  Now that he's 
actually making money from snort (by adding closed source added-value 
software to it in a package - something others complaining here are also 
doing) some seem to resent the change.  Yet snort still remains open 
source.  The community still contributes to snort, and the community still 
benefits from snort.  No one (AFAIK) has to pay a dime for snort or for 
the rules (even though Sourcefire contributes most of the new code and 
does much of the rules-testing.)

From my viewpoint, what's changed is the attitudes of some in the 
community, and at least *some* of them have interests other than those of 
us who simply use the product and are thankful to have a top quality IDS 
that we don't have to pay for.

Paul Schmehl (pauls at ...6838...)
Senior Information Security Analyst
The University of Texas at Dallas