denimgroup / threadfix

ThreadFix is a software vulnerability management platform. This GitHub site is far out of date. Please go to www.threadfix.it for up-to-date information.

Future of open source Threadfix #461

Closed ghost closed 10 years ago

ghost commented 10 years ago

I saw this "license checks" commit https://github.com/denimgroup/threadfix/commit/057934fca9d03008d9ba250c7eefd9dc7a826092 and I have to ask if this is the start of the end of open source ThreadFix. I think you should inform contributors about your plans if you're going to finally close the public project and switch all contributions to the Enterprise version; otherwise I don't think that this license checks commit belongs in here.

dancornell commented 10 years ago

Thanks for raising this question as this is an important issue. Let me address a couple of points:

- We have NO plans to stop - or even slow - development on the open source version of ThreadFix. In fact we're increasing the pace of ThreadFix development and adding folks in both development and QA. If you take a look at these branches https://github.com/denimgroup/threadfix/commits/2.1final https://github.com/denimgroup/threadfix/commits/sbir-scanners https://github.com/denimgroup/threadfix/tree/qa hopefully you'll see that there is a LOT of stuff going on. All of the new scanners, Hybrid Analysis Mapping, IDE plugins, scanner plugins, defect tracker integration, etc. work we are doing is going into the open source version of ThreadFix here on GitHub.
- ThreadFix Enterprise DOES have some additional capabilities that are targeted toward large-scale enterprise deployments, but the real benefit for most folks is the commercial support. You can see more info about what is in the open source and commercial version here: http://www.threadfix.org/pricing/
- The way the license check works in the open source version of ThreadFix basically says "I don't have a license, therefore don't limit the number of applications that can be added". There are also some other UI elements that get turned on when a license is installed. In a perfect world, ThreadFix would have a better feature plugin architecture where we could just bundle a couple of plugins to do the added features and there wouldn't be any mention of "license" in the open source code. Currently, however, ThreadFix doesn't have that in place, so the license check for Enterprise is a little inelegant, code-wise.
- Anyone (not from Denim Group) who contributes code to ThreadFix signs a contributor agreement (similar to the MySQL agreement - we actually "borrowed" theirs) and I'm pretty sure all of them are very much aware of ThreadFix Enterprise. All of their contributions are released in the open source version. Actually our most active contributors are also ThreadFix Enterprise licensees, so I feel like no one is in a position to be surprised.

As I said, this is an important question and we do want to be transparent about what we're doing. I'll work to put together a blog post that is a bit more comprehensive in the next week or so. In the meantime please either continue this thread or feel free to shoot me an email directly at dan at denimgroup dot com, or track me down on Skype - I'm "danielcornell".

Thanks,

Dan