Well, nothing like an open source project being bought by a company to cure my writer’s block. That’s right, the company Rapid7 purchased the Metasploit project. Now, before panic sets in, they have committed to keeping the project open source and community based. This will no doubt lead to some raised eyebrows, as some will agonize over the corporate spectre on this project. I have had some people privately comment to me that they aren’t overly happy with this, as they don’t feel like doing Rapid7’s work for them pro bono.
A different view is that now the project has the resources to commit to growing and improving the Metasploit project.
I myself have yet to formulate an opinion either way. I would like to say thanks to my tipsters that gave me a heads up earlier this week.
Most importantly, congrats to HD Moore for seeing his love child grow to fruition!
From Metasploit:
I created the Metasploit Project over six years ago as a way to publish security information to those who needed it most, the security professionals in the field. The project has evolved from a personal web site, to a collaborative effort with a small group of friends, and finally to the robust community-driven project that we know today. This progress came at the cost of the evenings, lunch hours, early mornings, and weekends of countless contributors who donate their time for the benefit of the community. The volunteer nature of the project has led to innovation in niche areas and has driven research across a wide range of topics.
Read on for the full post.
…now if I could just get someone to buy Liquidma…er, nevermind.
🙂
Well Dave, it’s a legitimate thought of those that are worried about doing Rapid7’s work pro-bono … I’m sure (although they probably won’t admit it) this factored into the purchase decision. Rapid7’s ever-expanding offering is likely to get a big boost from the Metasploit project’s codebase and now they can use what they want, as they see fit.
Interestingly enough, nmap was never the same after it was “purchased” … but then again there wasn’t much of a commitment there. I’ll be interested to see how things pan out for the R7/Metasploit conglomeration … one thing’s for sure – there are now a *lot* of very intelligent people working on exploit-based attack as-a-point-and-click tool…
@Rafal
There is a reason that I pulled a Solomon approach to this news. I decided that rather than put my opinion forward, it was more important to put forward the differing views on the subject. I am very happy for HD and Egypt. It’s always great to see folks from the community have their brass ring moment. I have seen similar situations go awry and I hope for nothing but good things here. I just thought it was more important to show a balanced view.
@Rafal
Isn’t Metasploit all BSD licensed? If that’s the case, there was nothing stopping Rapid7 from doing whatever they wanted with the code before this. If there’s code in there that is GPL or other more restrictive licensing, that still applies. The main thing Rapid7 has bought here is the Metasploit name, HD, and the associated cred & buzz which will probably drive a lot of business their way.
As far as the “pro-bono” concerns…I understand having that emotion, but I’m not sure it makes sense. If you are contributing your own code, you can choose whatever license you like. That means you can choose a license which will allow you to retain control of your code. This is only a concern if Rapid7 enacts a clause that contributing any code to their codebase requires turning over your rights to it (as Sun did on OpenSolaris IIRC). I think that’s unlikely, and it certainly hasn’t been suggested.
The big example everyone likes of a popular open source project going closed is Nessus. If memory serves, the situation there was one where the only people really contributing were the ones that went to work at Tenable. That’s not the case with Metasploit currently, and more importantly: if the only people developing all work for the corporation, don’t they have the right to license however they want? I’d certainly prefer to have open source tools, but I’m not sure that we have the right to expect someone to license code they’ve written under terms we like best. The guy who puts in the time coding gets the right to make that decision. If people are unhappy there’s always the fork option, as OpenVAS did.