Network Security Nessus-Users

Re: Alternatives to Nessus, License question

Subject: Re: Alternatives to Nessus, License question
Date: Tue, 23 Aug 2005 10:46:13 -0400
Comments below...

On 8/23/05, Ron Gula <rgula@tenablesecurity.com> wrote:
 > I love the answer you gave the person bringing up one of those pesky
 > license questions.  Damn people who want to follow the rules!  I would
 > also question the line in the license.  Does this really mean you can't
 > use the Debian packages?  I doubt it, but it should be clarified.

The Tenable direct and registered plugins are for use, only with Nessus
daemons you've downloaded from nessus.org as either binary or source. If
you've gotten your Nessus daemon from a vendor who has put Nessus into
their product, another UNIX distro, etc., the plugins are not for those
distributions, and the GPL plugins are what you should use.

Let me start by saying that I understand that Tenable has the right to
use whatever license they want for the software they produce.  It's
much better that they use the current license than a strictly
commercial one.

However, I think that the current license has some problems that
adversely affect legitimate users (who want to follow the rules as
Kevin pointed out).  I understand what Tenable is trying to do
(prevent other companies who sell appliances, etc, from making money
off their hard work) and I agree with that.  I don't agree that users
who want to install Nessus from packages should be restricted from
using the Tenable plugins.

Perhaps the wording of the license could be changed to either
specifically allow the use of "operating system packaging systems" or
allow everything except "vulnerability scanning appliances
commercially purchased or leased from a company other than Tenable".

Finally, I am not a lawyer, but from what I have read it is uncertain
if this is an enforceable license restriction.  See the EFF's comments
on End User License Agreements at http://www.eff.org/wp/eula.php,
specifically section 4 ("Do not use this product with other vendor's
products.").

 > How about the CPAN modules that let you run Nessus plug ins from perl
 > programs?

I'm not familiar with that implementation. I did see a CPAN module that
allowed parsing of Nessus plugins. Either way, execution of the Tenable
direct or registered feeds is only for daemons obtained from nessus.org.

I think that Kevin was referring to Net::Nessus::Client or
Net::Nessus::ScanLite, both of which do essentially the same thing.
They act as a client and connect to a Nessus server.  I would think
that these (and other clients such as inprotect and Sensepost's
BiDiBlah) are allowed under the current license (when used with a
server from nessus.org) since the license only restricts what server
can be used.

Chuck
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
