In addition, the lack of maintenance development since the fork (in May 2008) means some parts of the code are falling apart already due to changes in Adito/ALS operating environment (the UNIX auth module, CIFS support in networkplaces…). Also, there are at least two known security vulnerabilities and expecting a fix would be unrealistic:
I had hoped that OpenVPN Technologies Inc. - my current employer, btw - would have allocated development resources into the project. However, after having long discussions with James (CTO) and Francis (CEO) we decided not to support OpenVPN ALS. Just for the record I fully agree with them on this. The rationale behind our decision boils down to this:
* We already have a similar product, OpenVPN Access Server, which
- serves 90% of the same needs as ALS
- we know very well (as we wrote it)
- does not require hiring JavaEE developers
* We only need the reverse proxy / replacement proxy capabilities of ALS, for which there other more lightweight solutions
* We do not wish to support) ALS as a separate product alongside Access Server
There are many generic problems with monetizing on OpenVPN ALS - the biggest problem being the GPLv2 license coupled with the lack of full copyright to the whole codebase. This prevents 3sp-style proprietary add-ons without going against the spirit of the license, e.g by trying to circumvent the GPLv2 limitations in "NVIDIA style". I can't think of any other commercial business model that would work for this particular project. I don't think there has been any significant demand for commercial support services, even though they've been available for a long time now:
To make things worse, the project is ill-suited for a community-driven project. There are quite a few reasons for this:
* There's very little high-level documentation available
* Codebase is very large and the components are tightly integrated, meaning that
- nobody really knows the codebase inside out well enough to help new developers
- the barrier to entry for new developers is _very_ high
- application maintenance is very costly
* The application is built on a semi-obsolete JavaEE framework (Struts Classic), which means that
- big parts would have to be rewritten soonish, probably in a couple of years
- the code is very difficult to understand unless you know Struts Classic conventions
* The scope of the application is very narrow which means that
- it can't be used as a building block for other projects (which would increase development effort)
- the userbase (=number of potential contributors/developers) is pretty small
Earlier I tried to organize s.c. "Joint commercial development" without any success:
The problem is that the companies that have SSL-Explorer/Adito/OpenVPN ALS customers seem to be small and either don't have JavaEE programmers on the payroll or can't allocate them to the project even part-time. This prevents any developers ever reaching a level of skill which would enable them to develop ALS itself, rather than just extensions. I have to assume that the lack of skills in community-driven OSS development also plays a part in this, so even if there are competent developers out there, they do not participate in the project.
Now, what can we do? Personally I can only see three ways forward for the project:
1) Discontinue the project and let it die slowly
2) Get a single entity to create a commercial version and give them our full support
3) Get a single entity to support the community version, but gather funding from the users
Currently we're clearly heading towards 1). Option 2) would probably require circumventing the GPLv2 license and proprietary add-ons to make commercial sense. I don't know of any company interested in that option, either.
I think 3) is least unrealistic, but would be very difficult to organize and manage. It's also quite difficult to make people pay for something they get for free - it's much easier to just have a nice ride and jump off when boat starts sinking. From Extension Store statistics I know that there are ~1700 Adito/ALS installations out there. However, I assume many/most of those are used by private persons who are unlikely to fund the project. Companies and other organizations might, if contributing is easy enough. I personally don't want to take responsibility for organizing this, though. I _am_ willing to help whoever wants to take the challenge. Now, there are ~60 people on both of our mailinglists and some unknown number of active people on the forums. So the only way to reach every installation we need to use the built-in RSS feed reader in ALS. I feel using that is necessary if we want to try option 3).
So what do _you_ think we should do with our project?
Samuli
PS. I have pondered most the above issues earlier on these Wiki pages:
i am running several OpenVPN and some Adito Servers.
Both systems have some advantages. But in OpenVPN there is one big missing: administrator-less clientinstall.
You configure the Server and the only Requirement on the clientside is needed: Java.
Nothing else, even no administrator privileges.
does there exist an appropriate replacement in OpenVPN for that?
best regards
thomas
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Greetings…I'm a Java developer and would be interested in helping out. I'd need to get trained up somewhat on how to build the system. A co-worker of mine uses OpenVPN and can help me get things working. As CTO of my company, I can offer some part-time expertise (Java, J2EE, etc). It would be good to re-vamp the architecture, but first we'd need to get really familiar with it - so help would be needed. Let's talk - what's the best way to move forward? I'll cross post to other list as well.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
R2AD is interested. Just need to find some time. I believe we have a few updates we could post - however our main question is whether or not to fork the development. Perhaps create a new project on sourceforge? Thoughts?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
This Christmas break should be good to make some commits. I'll work to get a clean checkout on an Ubuntu system and then check-in some updates with support from a colleague who is an OpenVPN guru .
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Appreciate the offer - Might take you up on that. Next week I'm going to create a clean Ubuntu VM and will get a fresh check out of the baseline and then get it compiled/installed using the posted documentation. I may need some help as I perform those steps. I'll also collect notes, etc that might be helpful to others. Then we'll check in a minor change/fix to make sure all is a go.
- Michael
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I've been using Adito for a few years and have written a few very simple extensions. I don't know how much help I can be but would be glad to try. Let me know if there's anything I can do.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Great if someone is doing something. It seems that OpenVPN stoped working on this!
I was searching the NET for anything similar but still came up with lint.
I have no Idea how to support, cause I can not program.
Now that Christmas is over a long time and this work is still in the 0.9.1.
So I did use it before but after the security holes poped up, I discontinued running it.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
(I've initiated this discussion simultaneously on both mailinglists and on the "Open Discussion" forum)
Hi all,
As you may have noticed, ALS has not been developed actively since last summer / early autumn:
* http://sourceforge.net/apps/trac/openvpn-als/wiki/scrum_chatlogs
* http://dir.gmane.org/gmane.network.openvpn.als.devel
In addition, the lack of maintenance development since the fork (in May 2008) means some parts of the code are falling apart already due to changes in Adito/ALS operating environment (the UNIX auth module, CIFS support in networkplaces…). Also, there are at least two known security vulnerabilities and expecting a fix would be unrealistic:
* <http://sourceforge.net/apps/trac/openvpn-als/ticket/2>
* <http://thread.gmane.org/gmane.network.openvpn.als.user/12>
I had hoped that OpenVPN Technologies Inc. - my current employer, btw - would have allocated development resources into the project. However, after having long discussions with James (CTO) and Francis (CEO) we decided not to support OpenVPN ALS. Just for the record I fully agree with them on this. The rationale behind our decision boils down to this:
* We already have a similar product, OpenVPN Access Server, which
- serves 90% of the same needs as ALS
- we know very well (as we wrote it)
- does not require hiring JavaEE developers
* We only need the reverse proxy / replacement proxy capabilities of ALS, for which there other more lightweight solutions
* We do not wish to support) ALS as a separate product alongside Access Server
There are many generic problems with monetizing on OpenVPN ALS - the biggest problem being the GPLv2 license coupled with the lack of full copyright to the whole codebase. This prevents 3sp-style proprietary add-ons without going against the spirit of the license, e.g by trying to circumvent the GPLv2 limitations in "NVIDIA style". I can't think of any other commercial business model that would work for this particular project. I don't think there has been any significant demand for commercial support services, even though they've been available for a long time now:
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/commercial_support_options>
To make things worse, the project is ill-suited for a community-driven project. There are quite a few reasons for this:
* There's very little high-level documentation available
* Codebase is very large and the components are tightly integrated, meaning that
- nobody really knows the codebase inside out well enough to help new developers
- the barrier to entry for new developers is _very_ high
- application maintenance is very costly
* The application is built on a semi-obsolete JavaEE framework (Struts Classic), which means that
- big parts would have to be rewritten soonish, probably in a couple of years
- the code is very difficult to understand unless you know Struts Classic conventions
* The scope of the application is very narrow which means that
- it can't be used as a building block for other projects (which would increase development effort)
- the userbase (=number of potential contributors/developers) is pretty small
Earlier I tried to organize s.c. "Joint commercial development" without any success:
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/joint_commercial_openvpn-als_development>
The problem is that the companies that have SSL-Explorer/Adito/OpenVPN ALS customers seem to be small and either don't have JavaEE programmers on the payroll or can't allocate them to the project even part-time. This prevents any developers ever reaching a level of skill which would enable them to develop ALS itself, rather than just extensions. I have to assume that the lack of skills in community-driven OSS development also plays a part in this, so even if there are competent developers out there, they do not participate in the project.
Now, what can we do? Personally I can only see three ways forward for the project:
1) Discontinue the project and let it die slowly
2) Get a single entity to create a commercial version and give them our full support
3) Get a single entity to support the community version, but gather funding from the users
Currently we're clearly heading towards 1). Option 2) would probably require circumventing the GPLv2 license and proprietary add-ons to make commercial sense. I don't know of any company interested in that option, either.
I think 3) is least unrealistic, but would be very difficult to organize and manage. It's also quite difficult to make people pay for something they get for free - it's much easier to just have a nice ride and jump off when boat starts sinking. From Extension Store statistics I know that there are ~1700 Adito/ALS installations out there. However, I assume many/most of those are used by private persons who are unlikely to fund the project. Companies and other organizations might, if contributing is easy enough. I personally don't want to take responsibility for organizing this, though. I _am_ willing to help whoever wants to take the challenge. Now, there are ~60 people on both of our mailinglists and some unknown number of active people on the forums. So the only way to reach every installation we need to use the built-in RSS feed reader in ALS. I feel using that is necessary if we want to try option 3).
So what do _you_ think we should do with our project?
Samuli
PS. I have pondered most the above issues earlier on these Wiki pages:
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/commercial_use_of_openvpn-als>
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/enterprise_extensions>
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/modernization_project>
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/standardization_project>
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/releasing_parts_of_openvpn-als_as_separate_projects>
* <http://sourceforge.net/apps/trac/openvpn-als/wiki/project_redesign>
There has been quite a lot of discussion about this issue on the devel and user mailinglists:
http://thread.gmane.org/gmane.network.openvpn.als.devel/33
Hi,
i am running several OpenVPN and some Adito Servers.
Both systems have some advantages. But in OpenVPN there is one big missing: administrator-less clientinstall.
You configure the Server and the only Requirement on the clientside is needed: Java.
Nothing else, even no administrator privileges.
does there exist an appropriate replacement in OpenVPN for that?
best regards
thomas
Greetings…I'm a Java developer and would be interested in helping out. I'd need to get trained up somewhat on how to build the system. A co-worker of mine uses OpenVPN and can help me get things working. As CTO of my company, I can offer some part-time expertise (Java, J2EE, etc). It would be good to re-vamp the architecture, but first we'd need to get really familiar with it - so help would be needed. Let's talk - what's the best way to move forward? I'll cross post to other list as well.
Hey guys,
Has there been any progress?
r2ad, have you been finally engaged in the project at all?
It is a pitty to abandon this project, which in my opinion is of high true value to the community.
Can we have an update of the current project status?
Thanks,
Nick
R2AD is interested. Just need to find some time. I believe we have a few updates we could post - however our main question is whether or not to fork the development. Perhaps create a new project on sourceforge? Thoughts?
This Christmas break should be good to make some commits. I'll work to get a clean checkout on an Ubuntu system and then check-in some updates with support from a colleague who is an OpenVPN guru .
R2ad did you say that you need to know how to set the Adito VPN on a box? For that I can help you.
Appreciate the offer - Might take you up on that. Next week I'm going to create a clean Ubuntu VM and will get a fresh check out of the baseline and then get it compiled/installed using the posted documentation. I may need some help as I perform those steps. I'll also collect notes, etc that might be helpful to others. Then we'll check in a minor change/fix to make sure all is a go.
- Michael
Sure I will help. I have installed Adito on Ubuntu 10.04, till then happy Christmas and a new year :-)
Hey all,
I've been using Adito for a few years and have written a few very simple extensions. I don't know how much help I can be but would be glad to try. Let me know if there's anything I can do.
Great if someone is doing something. It seems that OpenVPN stoped working on this!
I was searching the NET for anything similar but still came up with lint.
I have no Idea how to support, cause I can not program.
Now that Christmas is over a long time and this work is still in the 0.9.1.
So I did use it before but after the security holes poped up, I discontinued running it.