[linux-elitists] (forw) Tripwire: Open Source?

Rick Moen rick@linuxmafia.com
Tue Feb 29 18:36:20 PST 2000


Well, here's the letter I sent in.  It _still_ feels just a little
harsh, but perhaps that will help the message sink in.  <shrug>  

I might have approached the matter in a slightly more-generous spirit
had these guys not applied a cluelessly wrong remedy to the
project-stagnation problem in 1997, creating a gaping hole in free
software that Rami Lehti and friends barely fixed in time.

If nothing else, AIDE deserves some high-profile publicity, and, if it's
at Tripwire, Inc.'s expense, all the better.  The latter people are
awfully late to the party, _if_ they're in fact joining us at all.



----- Forwarded message from Rick Moen <rick> -----

Date: Tue, 29 Feb 2000 18:28:21 -0800
From: Rick Moen <rick>
To: letters@lwn.net
Subject: Tripwire: Open Source?
X-Mailer: Mutt 1.0i

Dear Ms. Coolbaugh and Mr. Corbet:

I note with interest your 2000-02-29 news item, "Tripwire goes Open 
Source".

The company press release in question -- and their FAQ at
http://www.tripwire.org/faq.html -- claims an "open-source" version will
be available in Q3 2000, but conspicuously fails to state under what
licence.  I hope they will clarify their intentions, and have written
them to inquire.

The history of Tripwire is interesting.  Contrary to the lwn.net story's
claim, Tripwire did _not_ originate under an open source model:

It was written by Gene Kim and Gene Spafford at Purdue's COAST Lab, with
copyright held by Purdue Research Foundation, and was among the many 
proprietary security packages widely _assumed_ (in error) to be free
software (like SSH after v. 1.2.12, COPS, SATAN, and PGP), because of
source-code availability.  But, like the others, it had permitted-usage,
USA-export, and patent restrictions.  Kim and Spafford then developed 
the code through v. 1.2 at COAST, at which time the project stagnated --
perhaps because of its restrictive licencing.

In 1997, Purdue Research Foundation (the code's owner) licenced exclusive
commercial rights to Gene Kim's new company, initially named Visual
Computing Corporation, then Tripwire Security Systems, Inc., and finally
Tripwire, Inc.  That company has released versions 1.3 through 2.2.1 as
proprietary, binary-only software (while furnishing source in an
"Academic Source Release" (ASR) variant subject to certain proprietary
restrictions).

The point is that Tripwire, Inc. may still be unclear on open-source
licencing -- as Tripwire has never used it, over its entire eight-year
history.  E.g., wording like the FAQ's statement that "There are
currently no plans to make open source any of the other UNIX
versions..." makes one wonder if the company is aware that OSD-compliant
licences (http://www.opensource.org/osd.html) permit anyone to freely
port the code to additional platforms.

Additionally, one wonders what latitude Tripwire, Inc. will have in
deciding its licence -- since to my knowledge Purdue Research Foundation
still owns the underlying copyright, and has _not_ open-sourced its
property.

Meanwhile, the leading GPLed replacement for the proprietary Tripwire 
package, Rami Lehti's AIDE (Advanced Intrusion Detection Environment, at
http://www.cs.tut.fi/~rammer/aide.html) has already advanced to exceed
Tripwire ASR's capabilities, and of course benefits from the accelerated
development cycle characteristic of genuine open-source licencing.

In that sense, it would make sense for Tripwire, Inc. to genuinely
open-source its product, as that might help it to compete.

-- 
Cheers,                        My pid is Inigo Montoya.  You kill -9    
Rick Moen                      my parent process.  Prepare to vi.
rick (at) linuxmafia.com 

----- End forwarded message -----
