Wednesday, July 18, 2007

What's up with Snort licensing

There have been a lot of questions and speculation about the things we (Sourcefire) have been changing in Snort's licensing recently and it needs to be addressed so that we can clear the air.

There are three things that people have been asking questions about or having issues with.

1) GPL v2 lock that we put in place on June 29th.
2) "Clarifications" in Snort's license language (Snort 3.0).
3) "Clarifications" with regard to assignments of ownership for contributed code (Snort 3.0).

Let me address these issues in order.

1) GPL v2 lock.

Here's what happened. About 3 weeks ago I got a heads up that under GPL v2, a licensee can choose to use GPL v3 if we don’t specify what version of the GPL to use; conceivably we could have people forking and changing license on us. Seeing as GPL v3 didn't even "ship" until June 29th we didn't feel like we were going to be able to make any decision on the language that was contained in the new version until we'd had some time to perform a formal legal review. It also didn't help that they decided to release on the last day of the quarter. Another contributing factor to the decision for me was that Linus decided to keep the Linux kernel at GPL v2, that in itself was enough to get me to hit the pause button and take some serious time reviewing this new license before making any decision. Linus himself said "I'm not arguing against the GPLv3. I'm arguing that the GPLv3 is wrong for _me_, and it's not the license I ever chose." It's not the license we chose either and we're not moving to it without a conscious decision to do so.

If we didn't want the code base moving to the new version then what could we do? The simplest thing given the time constraints that we were working within was just to change the language in the source file header preambles (and not the license itself) noting that we were specifying Snort at GPL version 2 until we could make a solid and informed decision about how we wanted to treat GPL v3.

For those of you with wholly contributed source files where the file headers were changed, many (most/all?) of them referred to "the program" as being under an indistinct version number (not just your source files) and so rather than try to track everyone down in the time frame we had to work with *I* made a unilateral decision to just move forward with it and we'd clean up the mess afterwards. I'm sorry for the "bull in the china shop" routine but we felt like we needed to have this language out there before GPL v3 shipped at noon EDT on June 29th. Clearly there were some mistakes made, obviously we shouldn't have changed things like the BSD license on the strl* files and so on, we'll fix that too. As Victor observed, this was done in something of a hurry. BTW, we didn't try to "slip it out on a Friday" per the note on some blog, Friday was the deadline and we had to move.

Where do we go from here? We're going to examine the language in the new license and decide if we want to move forward with it. This is going to take a while but we'll make an announcement when we make the final decision. For those of you who have wholly authored source files that would like the language changed for your source files back to the original, with the provision that the language reflect that you're just referring to your file and not the entirety of the program, just let us (me) know and send us the verbage you want and we'll make the change. For those of you who object to this sort of thing all together that would like to maintain your code as an external patch set for Snort instead of in the main source tree, give us the heads up and we'll pull your code from the source trees. Once again, this is with the provision that we may reimplement the capabilities that your code offers as Sourcefire-authored code if it happens to be something that we consider important to the project.

If anyone has any other input I'd be happy to hear it. Contrary to what several groups with vested interests seem to be promoting, Sourcefire isn't interested in closing Snort's source code or making this a closed-source project. The community continues to be important to us and we have no plans on that ever changing.

2) Snort 3.0 "clarifications" and the GPL

There has been a fair amount of opinion being put forth by people in the blogging world that Snort 3.0 will no longer be "open source" due to the clarifications that we put in place. This is just plain wrong.

Sourcefire produces Snort as an open source project. My interest as the guy who started this whole thing and who has worked on and advanced this project for closing in on 9 years now has always been how good we can make the technology and how well we can serve the needs of the community. Now that Snort has my company behind it, the priorities really haven't changed but there's an interesting dynamic out there with companies that are using Snort as a part of their product or service offering. Many of them seem to expect us to work on this technology and improve it continuously so that their offering is cutting edge but contribute nothing to the project and complain bitterly whenever we do something that might cost them some money to continue to use a best-of-breed technology like this.

It's Free as in "Free Speech", not Free as in "Free Money" people! Companies that use Snort as part of a service or product seem to be having a tough time accepting this. The goal of the new licensing language is to define what we consider to constitute conditions under which something built on or around Snort is a derivative work subject to the stipulations of the GPL (i.e. putting the derivative code under the GPL license). Despite all the gnashing of teeth that has resulted from this clarification, what we've really done is take about the most "open" stance you can with a GPL project and put it out there, true open source champions should be applauding us for our position.

That didn't happen. Instead we've gotten a litany of grousing from the blogerati, primarily because we've offered a commercial license for people who don't want to play by the rules of the GPL in their product and service offerings that will (*gasp*!) cost money. If you're licensing technology from Sourcefire (which all of you using the GPL version of Snort are doing) and you don't wish to live under the terms of that license, we're giving you another one to choose from. If you don't like having world-class security technology available for a fee because it affects your cost structure, that's not my problem. If you want to use it for free then you have to live by the license but people always seem to interpret the GPL in ways that are optimally advantageous to them (if they don't just take the code directly and bury it in their product). The clarifications we put into Snort 3 are there to get us all on the same page and to make sure that commercial users of the technology understand that we're not a "venture technology" company, giving them technology for free to enable their business models which frequently compete against us in some regard. There's nothing wrong with using Snort as a part of your commercial offering as long as you adhere to its license. If you can't do that then we need to talk.

At the same time we've taken many measures to ensure that the end users of the technology are unaffected. Want to integrate Snort or part of Snort into your open source project? No problem, it's free. Want to deploy 100 home-made Snort sensors in your non-profit/enterprise/government organization ? Go for it. Want to learn how these systems work at the code level? No problem, it's all there. Want transparency of your security technology and the content that drives it? It's all there, as it should be. Want to have access to the internals to extend or correct or add your own value to the project or just your operational environment? All part of the open source concept, make it happen. Want to fork and make your own IPS project built on the code-base? You can do that, just make sure you understand what you're doing in maintaining proper licensing for the forked project and respect our IP.

I personally have *always* been the biggest advocate for the users of Snort since the day this company was formed and I always will be.

3) Snort 3.0 and IP assignments

This is the most controversial provision of the clarifications that we put into the Snort 3.0 license. Basically what it says is:

* By sending these changes to Sourcefire or one of the Sourcefire-moderated
* mailing lists or forums, you are granting to Sourcefire, Inc. the unlimited,
* perpetual, non-exclusive right to reuse, modify, and/or relicense the code.
* Snort will always be available Open Source, but this is important
* because the inability to relicense code has caused devastating problems for
* other Free Software projects (such as KDE and NASM). We also occasionally
* relicense the code to third parties as discussed above. If you wish to
* specify special license conditions of your contributions, just say so when
* you send them.

So what's that mean? If you send a patch to the mailing lists or to Sourcefire, if you contribute code to the Snort project we consider that code and it's IP to be "assigned" to us. The reason for doing this should be pretty clear, we don't feel that contributing a 3-line patch to a 200k+ LOC codebase means that the contributer has copyright claims over Snort at that point. In the early years there were many people who contributed (in any way) to Snort but over the years since Sourcefire was incorporated the total contribution by these external contributers has decreased substantially. After that, Sourcefire developed more and more of the code, especially the core functionality of the detection engine and preprocessors, not to mention tons of the rules as well. I have felt for a long time that we need to have a sense of proportionality about this and we should also have the ability to be flexible with the code base in terms of licensing without needing to approach every contributer individually to get sign-off on any changes that we make. That's why we've put this provision into Snort 3.0.

This "assumptive assignment" is exactly what projects like Nmap use. Perhaps we should take the next step and use the FSF's model where contributers to projects like GCC need to sign a legal document explicitly to contribute to the project. The FSF does this because they need to have flexibility but also because they need to get out from under any potential problems that may occur due to someone inappropriately contributing IP from a 3rd party. I don't like that concept because of the overhead associated with interacting with the project, Snort's not a huge project like GCC so I've liked that people can contribute as they see fit. The FSF does take one additional step, they guarantee that the projects that people make assignments to will be available as open source projects in perpetuity. I think that maybe we need to make a statement like that but quite frankly it's always been our position that Snort will always be available as Free Software and we have no intention to change our position ever.

I think that the part of this provision that people have had the most trouble with is that we also retain the right to relicense the contributed code under alternative licenses. We have to be able to do that if we're going to offer alternative licenses to Snort, maintaining a "patch free" code branch and a "patch tainted" branch doesn't make any sense to me and probably not to you either. The assignment doesn't mean we're going to "steal" your code and "disappear" it CIA-style. It means that we need to be able to retain the right to offer it under our commercial license. The code you contribute will always be available to you and everyone else in the open source code base, we're not going to steal it but we are going to make it available to our commercial users. If you've got a problem with this, don't contribute the code to us, maintain it as an external patch.

That's about it. I'm sorry we haven't been as communicative with the OSS community as we probably should be, I personally have a lot of demands on my time and I'm the person at SF who's the most familiar with the totality of the Snort project so I have a lot of input into the process here and I'm also fairly parochial regarding communicating concepts like this to the user community. In the future I'll try to be more forthcoming with all of you and I hope you'll continue to be patient with both me and Sourcefire; our hearts really are in the right place with the users of this technology but we also have to be pragmatic about how all of this is going to work given all of the commercial use that Snort sees.

We're trying to be pragmatic about these issues, I hope that people can feel comfortable with the direction that we're taking things. I look forward to reading people's responses.


Technorati Tags:
, , , , , ,


3 Comments:

At 3:21 AM, Blogger Ryan Russell said...

I can't speak for anyone else's claims. But my claim is that Snort is no longer GPL. It has a GPL-like license, sure.

Your comments seem to indicate that you're still claiming it is GPL. That's one of the things I take issue with.

 
At 8:13 AM, Blogger Martin Roesch said...

Ryan:

Please detail what we've done that causes the GPL to no longer be GPL in the Snort 3.0 (alpha) distribution.

 
At 11:05 AM, Blogger Joe said...

Marty,

Thanks for the clear explanation. Overall, I see how this was a good decision for the community. I also agree on holding off on GPLv3 until it's fully understood.

 

Post a Comment

<< Home