[Snort-users] Fwd: What's up with Snort's license?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Forwarding for Alan again:

Begin forwarded message:

> From: "Alan Shimel" <alan@stillsecure.com>
> Date: July 18, 2007 7:41:21 PM EDT
> To: "Martin Roesch" <roesch@sourcefire.com>, "Snort Users" <snort-users@lists.sourceforge.net>
> Subject: RE: [Snort-users] What's up with Snort's license?
>
> Marty
>
> Not sure if this will make it back to the list because the latest incarnation of our exchange server seems to have me under alan@stillsecure.com and I think I am ashimel@latis.com on the snort list. If you could forward for me. Thanks
>
> On GPL, yes we disagree. I think your "clarifications" actually changes or modifies the GPL. You think it just states what it always meant. I think the FSF left it vague on purpose and this is something that you and I aren't going to solve. Lawyers have been arguing over this for years, so let's agree to disagree.
>
> On your other points, I think you sidestepped the issue. If I am reading this right, you are saying you don't want help from other commercial companies you just want licensing fees. So don't say you are looking for help and support, say you are looking for licensing revenue. It is not about what it costs you to keep up snort, it is about you own it and are entitled to a fee if others use it. Of course the GPL does not exactly say that, but at this point I think you are stuck with the GPL, so you clarify it to suit your needs as much as you accuse others of interpreting it to suit their needs. And of course that assumes you own all the code, which brings up the whole 3rd party issue which I will address in a bit.
>
> As to contributing to the project, let's be clear, you just said you don't want commercial companies' help, you want license fees. Years ago we decided to support Matt Jonkman and the bleeding community as did other commercial entities. We didn't frankly see a way that you wanted us to help.
> On the other hand we were only too happy to join the VRT program and we thought of this as in some way helping and giving back, though frankly we don't use that rule feed. We don't have a problem paying for something, we just don't want to be held over a barrel with licensing fees that change as we become more competitive. I think you would want the same thing.
>
> As to what we give back, we have offered a free version of our IPS (which uses a snort engine) for a long time (http://www.stillsecure.org). We also put our new Cobia platform in what we consider a license which is clearer than the GPL (http://cobia.stillsecure.com). Let me be really clear. Our take on open source and Cobia is that if you use the product and don't resell or profit from it, it is free and you get the source code to modify and use. If you are going to resell it in any way, then you need a commercial license. Marty, I don't think that is very different than what you are trying to do. You are just trying to make sure the GPL says that. I don't think it does, so we wrote our own license. If you want to say that makes us not open source, that is fine by me too. Cobia is free and you get source code. But at the end of the day, we are trying to accomplish the same thing. In fact if you give Cobia away and don't profit from it, you are free to do so under our community license as well.
>
> On 3rd party contributions. I understand the reasons you give for the assignment. I just think it puts a chill on the community's willingness to contribute. Also on older contributions, did the contributors realize this when they contributed code? I think this is unfortunately the way it goes when open source projects get commercialized after starting out non-commercial. But Sourcefire and Snort are not the only ones dealing with this. We looked at the same thing with Cobia and again we made sure our license is really clear on it.
> So maybe it is not GPL and you may say that makes it not open source. I don't hold NMap up as the shining star of what is right and wrong either. They have their model and some agree and some may disagree with what they did with their interpretation of the GPL license. I say our community wants free software and the source code to modify. They understand if they resell or profit we expect them to use a commercial license. Isn't that what you are trying to accomplish?
>
> Here are two questions I do have Marty. If you run snort, don't modify it or anything and just take the output and use that output for your application. Is that a valid use under the 3.0 license? Would you still need a commercial license? The second question, if someone ported snort to run on Cobia and we distributed it for free with the free version of Cobia would that still need a commercial license under the 3.0 license?
>
> alan
>
> StillSecure
> Alan Shimel
> Chief Strategy Officer
>
> O 303.381.3815
> C 516.857.7409
> F 303.381.3881
>
> StillSecure, After All These Years
>
> www.stillsecure.com
>
> The information transmitted is intended only for the person to whom it is addressed and may contain confidential material. Review or other use of this information by persons other than the intended recipient is prohibited. If you've received this in error, please contact the sender and delete from any computer.
>
> -----Original Message-----
> From: Martin Roesch [mailto:roesch@sourcefire.com]
> Sent: Wednesday, July 18, 2007 6:26 PM
> To: Alan Shimel; Snort Users
> Subject: Re: [Snort-users] What's up with Snort's license?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Jul 18, 2007, at 3:20 PM, Alan Shimel wrote:
>
>> Marty
>>
>> Thanks for the clarification. I wanted to clarify a few things myself.
>>
>> 1. I in my blog or anywhere else never claimed that Sourcefire was taking Snort out of open source.
>> My claim and I stand by it, is that by putting your "clarification" of the GPL in on the 3.0 stuff, you are changing the GPL and it is no longer licensed under the "GPL" as we and our attorneys interpret it.
>
> We haven't changed the GPL in Snort 3. We're specifying what constitutes a derivative product in our view for the sake of clarity to commercial integrators. We're also saying that people who want to contribute code to the project do so with the knowledge that we're going to consider the code as assigned to Sourcefire unless other arrangements are made. This is necessary for two reasons:
>
> 1) Mitigation of IP encumbrance due to a "hostile" contributor trying to "inject" 3rd party IP into the project. The FSF does this but uses a full legal document, we're trying to avoid that encumbrance. It would seem that by your logic projects like GCC are also not licensed under the GPL.
>
> 2) Given that we need to be able to offer Snort under an alternative license for commercial integrators who are integrating Snort and don't want to adhere to the GPL it's essential that we retain the right to relicense the totality of the codebase. If people don't want to contribute their code to the project due to this clause they can maintain their code as external patches. I've always enjoyed interacting with the community (even if it is less often than it used to be) and I'll respect people's decisions with regard to this assignment clause as it relates to their desire to contribute. I hope people will still feel free to contribute, as I said the code isn't going to ever disappear but, as with Nmap, we need to reserve the right to relicense for commercial use.
>
>> Does that make it not open source? I will leave that to others. My personal opinion is that you do not need a GPL license to be open source (but that is another matter). You choose what license you want to use.
>> I just say it is not GPL anymore, it is Marty's GPL version.
>
> Then we disagree.
>
>> 2. Other companies using Snort. Marty what kind of support would you like? I feel that here you are not being quite as "open" as you would like us to believe. Do you mean that you want companies like StillSecure to contribute to developing and supporting snort or do you mean if you had your druthers you would prefer no other commercial entity uses snort to "compete" against you. If it is you want us to help support Snort, we are ready, willing and able. If you are using the open source license (gpl or otherwise) as a shield to prevent other companies from competing with sourcefire though, that is another story and you should just say so.
>
> I (and Sourcefire) are not asking for any support from commercial vendors. On the other hand, we do put quite a bit of effort into Snort and we distribute it under a license which we expect to be adhered to. I don't care if companies integrate Snort, we're happy when they do because it builds a larger community of Snort users which is better for all of us. Competition doesn't worry us in this regard, we feel that we serve our area of the market quite capably irrespective of other companies that offer Snort-based solutions. This isn't about that at all, it's about enforcing compliance with the license that Snort is distributed under.
>
> The primary problem I have with companies that don't contribute to the project is when they don't like us being assertive about our rights as the copyright holder. Their legitimacy to question our licensing language is highly suspect given their past contributions to and role in the community. If all a vendor does is take and they don't give anything back to anyone then let's call it what it is and say they're a vendor who's worried that they're going to actually have to pay for something that you've been getting for free.
>
>> 3. Changing people's licenses and IP assignments - I think you realize the issues involved there and doing it in haste is not always the best way, but you apologized and that is enough for me. IP assignment is a case of buyer beware. But think about this, what message do you send to the developer community. You want people to help support snort but you are going to "own" what they contribute. Not very inviting, but at least you are upfront about it.
>
> I outlined the reasons for doing so above, people are free to contribute (or not) in any way they see fit. This is the exact same thing that the Nmap project has been doing since 2001, it seems to have worked well for that community and I think it'll work for Snort's community as well.
>
> -Marty
>
> - --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iD8DBQFGnpORqj0FAQQ3KOARAoAjAJ9dYITfThxo69wt4+yOar XPye3W/ACfaTl1
> 5jNFVeKnN7F1xRMbMWoF4u8=
> =xCkz
> -----END PGP SIGNATURE-----
>

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFGnrjhqj0FAQQ3KOARAsX4AJ4kic3bY91Ss0Od3GuZ1w 3Xd7wgQACbBhtY
js1lfMHu7qtQTRP28wuCbfc=
=1PT2
-----END PGP SIGNATURE-----