Tenable's license changes

Subject: Tenable's license changes
Date: Fri, 21 Jan 2005 16:28:44 -0800

I am surprised to see that there has not been more discussion of the plugin
update changes implemented by Tenable January 1.  Perhaps this discussion is
happening elsewhere, in which case I would appreciate a pointer to that
location. The changes will have a serious impact on the Nessus user
community.   My issues with the changes are:



- Tenable's claim that distributing plugins with a 7 day delay does no harm to
the user community is not true.  This cripples the GPL solution.

- Tenable granting themselves a special right to write non-GPL plugins
sounds legally questionable.  If it is in fact legal, it still should
have been made very clear to all Nessus users when they started this
practice at the beginning of Tenable.  This should also be clear when Nessus
is downloaded and installed.  It is frightening to think that authors of GPL
programs can secretly grant themselves rights to create non-GPL modules and
then surprise the community demanding payment after everyone has unknowingly
become dependent on the modules.

- Tenable's claim that they can pick between GPL and their own plugins when
a collision occurs, is a clear conflict of interest.

- Tenable's claim that they are distributing plugins for free is not
correct.  They are forcing people to agree to a very restrictive non-GPL
contract.  Giving up rights is not free.

- Tenable's method of announcing this drastic change was insufficient.  My
guess is that much of the user community is still not aware of the changes.

- Tenable's claim that they deserve compensation because of all the free
work they have done in the past is suspect if the plan all along was to lock
people into a system and then start charging for it.

- Tenable has not been forthcoming about what they are trying to achieve
with this change.  Are they simply trying to get paid?  Are they trying to
drive their competitors out of business?  Is Tenable trying to support
certain business models and not others, for example are they trying to drive
software vendors out of business but support consulting companies?


All of this said, I am sympathetic to the claim that Tenable should be
compensated for all the hard work they have done and continue to do.  The
ideal situation would be to guarantee revenue for Tenable for the valuable
services they provide and also guarantee the Nessus project continues to
grow.  This would be in everybody's best interest.  Nessus is a critical
resource.


In my humble opinion


- Any new policy should not affect history.  The plugins that were developed
before January 1 should be GPL, like most people assumed they were.

- $1200 per year per scanner seems high.  I would guess that for $1M per
year a small team of programmers should be able to develop, test and release
new plugins as well as maintain and upgrade the existing library.  This
revenue would be generated by about 1000 licenses.  There are clearly many
more than this.   If Tenable extracts huge profits from writing plugins,
they will attract competitors which will cause the plugin market to fragment
(I use vendor X's library, you use vendor B's) which will work to no one's
benefit.

- New plugins should be GPL.  I think that most users would pay a fair price
to get the latest tested plugins.  I think if users feel that they are being
charged a fair price for a great product they will pay.  Tenable can still
hold new plugins for 7 days, which would be a major value to corporate
Nessus users.


If Tenable continues with the program as currently constituted, I see
serious problems developing.

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
