Today I noticed that Snort 2.7.0 was quietly released on July 12th. I have a problem with this release, a licensing problem. I have written about my issues with Sourcefire's Snort licensing before, here and on the mailing list as well, here. They seem to have listened a little bit, since they are no longer claiming copyright of Todd C. Miller's BSD-licensed strlcpy and strlcat implementation. Sadly, our other complaints are completely ignored.
Sourcefire claims that Snort is governed by the GPLv2 only. There is a problem with this claim. It's actually a license change from the recent past. Snort used to be under "GPLv2 or (at your option) any later version". Now it isn't anymore. That's a license change. Now don't get me wrong, I don't have any problem with Sourcefire relicensing their code. It's their right to do so. But only for their code. Not for my code, not for code they don't own the copyright of. In other words, not for all of Snort.
Sourcefire changed the license also for the parts of Snort they don't own. But, the funny thing is, Sourcefire isn't even claiming full copyright on Snort. For example, in src/inline.c they state "Portions Copyright (C) 1998-2006 Sourcefire, Inc.". In another example, the file src/preprocessors/spp_arpspoof.c states "Copyright (C) 2001-2004 Jeff Nathan <email@example.com>". There are many more files where Sourcefire doesn't claim the (full) copyright, for an obvious reason: they don't own it for these files.
Sourcefire says it is distributing Snort under the GPLv2, so that's the license governing it. Yes, it's true: Snort until this day is and was distributed with a copy of the GPLv2 license. But their site until very recently clearly stated "This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version." (source). How recent is recently? Well, the newest archived version of the Snort site in the Wayback Machine is from May 9th, 2007. It has the above text; that's less than three months ago. This was no accident: this line of text has been on the Snort site as far back as the Wayback Machine takes us, which is until the year 2000. But wait, there is more: many, I estimate the majority, of the source files of the Snort source code of Snort 18.104.22.168 contain that same line as well.
So now Sourcefire claims that "SNORT is an open source project that is governed exclusively by the GPL V2 and any third party desiring to use, modify or distribute SNORT must do so by strictly following the terms and conditions of GPL V2. Anyone using, modifying or distributing SNORT does not have the option to choose to use, modify or distribute SNORT under any revised or new version of the GPL, including without limitation, the GNU General Public License Version 3." (source) This is clearly a license change, because under the conditions active until at least May 9th, 2007, the user was free to select a newer version of the license as well. The funny thing is, the original page stating this is still online at snort.org. And that STILL says "GPLv2 or (at your option) any later version".
I draw two conclusions from this. First, there was a license change. It's clear that Snort used to be under the "GPLv2 or (at your option) any later version." The page claiming that until at least May 9th of this year is even still online. Until 22.214.171.124 (and possibly 2.7.0rc1) most of the source code contained the same language. Second, Sourcefire had no right to relicense all of Snort. They have no right because they don't own all of the copyright. What can they do about it? Simple: remove the current 2.7.0 release, and replace it with one that respects everyone's rights!
Disclaimer: I'm not a lawyer, nor do I look like one, nor am I married to one. But I believe my point of view is correct. If you believe it's not, please let me know.
What’s the practical effect of the change?
The practical effect of the license change is almost none. The GPLv3 didn't exist (officially) until June 29, so Snort was under the GPLv2 until then. Their recent change is just to keep it under the GPLv2 and not automatically be usable under the GPLv3.
The issue here is they applied the change to files that are not owned by Sourcefire, which I believe to be a violation of the GPL. Victor and Will should be pissed, along with anyone else that has contributed to Snort – unless of course they agree that the code should remain GPLv2 only.
Personally, if I had any GPL software I'd probably lock it to v2 as well, but I have full respect for any author's choice of license.
The community is being destroyed for Snort by SF. Whether this is intentional or not I'm still not sure.
People originally contributed code, bugs, and rules assuming this would always be under the GPL. First the rules changed; while technically legal and probably even justifiable, it still irked a lot of people and a lot of people left Snort. Now we have license changes where there are 3 different license versions that can be applied to Snort. And it's pretty clear that the modifications to the Snort 3.0 license are purely for Sourcefire's benefit and alter the meaning of open source. It's making everything confusing and people are starting to run scared that the license will change further.
I think someone should really start considering forking Snort and forming a solid community where the original thoughts of open source and the GPL apply, or eventually Snort will become 'Open Sourcefire'. Snort Inline and Bleeding Edge have a solid following around the Snort community and should be the pioneers of this movement.
Jason, it’s true that the GPLv3 didn’t exist until June 29th, but I’m not so sure this matters much. Until at least Snort 126.96.36.199 the license language both in the source code and on the site stated that Snort was distributed under the GPLv2, but that you are allowed to distribute and modify it also under any newer version of the license, at your option. There is no limitation to only currently released newer versions of the license, in which case the release date of the GPLv3 would become important.
Since there was no newer version of the license available all the years Sourcefire used this license language what point was there to have the language in the first place, other than giving you the right to use the newer license as soon it would become available?