Building closed source software with open source components
I was recently asked a question on the snort.org mailing list regarding our Strata Guard Free freeware IDS/IPS. SG Free has a Snort engine as well as several other open source components, including a hardened Linux OS, an open database and a web server. The person asking wanted to know why, since we use these open source components, we did not have to make the source code to Strata Guard Free itself available. Excellent question! If you are not familiar with open source software and the licenses that govern it, this can be very confusing.

Before I explain why Strata Guard Free does not have to be open source, let me point you to a few sites that are excellent resources for questions on open source and licensing. One is the Open Source Initiative, which is not only an excellent source of information but a real help to all involved in open source. The site also has a list of, and links to, all of the approved open source licenses. There are many different licenses that govern the use of the various open source programs; most of the big ones and even some of the small ones can be found there. Another good site is the Open Architecture Community System site and its "understanding open source licensing" page. Of course, perhaps the definitive site is the Free Software Foundation, the people behind the GPL, the most widely used open source license. The mozilla.org license has also become very popular for licensing open source products.

Before I go any further, let me also caution anyone reading this that you should seek your own legal counsel and get your own expert's advice before making any decision on either using or developing software that contains open source components.

All of the above notwithstanding, the reason that Strata Guard Free does not have to be released under an open license is that it is not a derivative work of its open source components. Rather than making any changes to the open source software that we use, we build our own software on top of it. That is, we put information into the open source software and we take information out, but we do not change the code of the open source software. Our software sits on top of it and performs its own functions without interacting with or changing any code in the open source software. Therefore, the StillSecure code is not derivative and does not have to be licensed under an open license.

This distinction, though it may appear subtle, is crucial in allowing commercial entities to build applications on open platforms, and it is very widely used. Of course, there is a heavy burden on developers to be constantly vigilant that they do not cross the line here. If you do, and your work is derivative of the open source software, you are obligated to make your software open source as well. Therefore, if you are looking to build software using open source and want to keep your own source closed, make sure you are very familiar with the law here and are extra careful in how you develop. If you want to use software built like this, rest assured that if you deal with a reputable company, you should not run afoul of any open source licensing issues.


