This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD) . FOSS is distinctive because it gives users the right to run, copy, distribute, study, change, and improve it as they see fit, without having to ask permission from or make fiscal payments to any external group or person. The autonomy properties of FOSS make it useful for DoD applications such as rapid responses to cyberattacks, for which slow, low-security external update processes are neither practical nor advisable, and for applications where rapid, open, and community-wide sharing of software components is desirable. On the other hand, the same autonomy properties complicate the interactions of FOSS with non-FOSS software, leading to concerns—some valid and some not—about how and where FOSS should be used in complex DoD systems.

The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is "freeware.") The phrase open source emphasizes the right of users to study, change, and improve the source code—that is, the detailed design—of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation .

The goals of the MITRE study were to develop as complete a listing of FOSS applications used in the DoD as possible, and to collect representative examples of how those applications are being used. Over a two-week period the survey identified a total of 115 FOSS applications and 251 examples of their use .

To help analyze the resulting data, the hypothetical question was posed of what would happen if FOSS software were banned in the DoD. Surprisingly, over the course of the analysis it was discovered that this hypothetical question has a real-world analog in the form of proprietary licenses that if widely used would effectively ban most forms of FOSS . For the purpose of the analysis, the effects of the hypothetical ban were evaluated based on how FOSS is currently being used in survey examples. In the case of niche-dominating FOSS products such as Sendmail (ubiquitous for Internet email) and GCC (a similarly ubiquitous compiler), a large amplification factor must also be taken into account when estimating such impacts. The actual levels of DoD use of such ubiquitous applications is likely to be hundreds, thousands, or even tens of thousands of time larger than the number of examples identified in the brief survey.

The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support , Software Development , Security , and Research . One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD ) that currently help support network security. It would also limit DoD access to—and overall expertise in—the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack . Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.

For Infrastructure Support , the strong historical link between FOSS and the advent of the Internet means that removing FOSS applications would result in a strongly negative impact on the ability of the DoD to support web and Internet-based applications. Software Development would be hit especially hard for languages such as Perl that are direct outgrowths of the Internet, and would also suffer serious setbacks for development in traditional languages such as C and Ada. Finally, Research would be impacted by a large to very large increase in support costs, and by loss of the unique ability of FOSS to support sharing of research results in the form of executable software.

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use. MITRE therefore recommends that the DoD take three policy-level actions to help promote optimum DoD use of FOSS:

1. Create a "Generally Recognized As Safe" FOSS list. This list would provide quick official recognition of FOSS applications that are (a) commercially supported, (b) widely used, and (c) have proven track records of security and reliability—e.g., as measured by speed of closures of CERT reports in comparison to closed-source alternatives. Initial applications for consideration would include, but not be limited to, the set of 115 already-used applications identified by the survey in Table 2, plus other widely used tools such as Python (http://www.python.org/ ) that did not appear in this first set of results. In formulating the list, quick consideration should be given in particular to high value, heavily used infrastructure and development tools such as Linux ,OpenBSD , NetBSD , FreeBSD , Samba , Apache , Perl , GCC ,GNAT , XFree86 , OpenSSH , bind , and sendmail .
2. Develop Generic, Infrastructure, Development, Security, & Research Policies. The DoD should develop generic policies both to promote broader and more effective use of FOSS, and to encourage the use of commercial products that work well with FOSS. A good example of the latter is the Microsoft Windows Services for UNIX product, which relies on FOSS (GPL ) software to reduce development costs and dramatically increase its power. A second layer of customized policies should be created to deal with major use areas. For Infrastructure and Development, these policies should focus on enabling easier use of GRAS products such as Apache, Linux, and GCC that are already in wide use, but which often suffer from an ambiguous approval status. For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats. Finally, for Research the policies should encourage appropriate use of FOSS both to share and publish basic research, and to encourage faster commercial innovation.
3. Encourage use of FOSS to promote product diversity. FOSS applications tend to be much lower in cost than their proprietary equivalents, yet they often provide high levels of functionality with good user acceptance. This makes them good candidates to provide product diversity in both the acquisition and architecture of DoD systems. Acquisition diversity reduces the cost and security risks of being fully dependent on a single software product, while architectural diversity lowers the risk of catastrophic cyber attacks based on automated exploitation of specific features or flaws of very widely deployed products.

The author is deeply grateful to the following people, all of whom were gracious enough to review earlier versions of this document and make major contributions to the creation of this revised and greatly expanded version: Ira Rubinstein, David A. Wheeler, Tony Stanco, Frank Petroski, John D. Ramsdell, Bill Neugent, David H. Lehman, Robert F. Nesbit, Fritz Schulz, Dawn Meyerriecks, Flayo Kirk, Jan S. McNutt, Robert E. Cole, Robert Shepherd, William Curtis, Asghar Noor, and Jesse Pirocchi. The author would also like to thank all the MITRE and non-MITRE respondents who helped in the survey. In reverse alphabetical order these contributors include: Jim Van Zandt, Rob Wittman, Shawna Wimpy, George Wilson, Darryl Washington, Nathan Vuong, Gene Vogt, Gary Vecellio, Colin Valentine, Paul Valente, Stephen Upton, Porter Taylor, P Supko, Ed Shrum, Dan Scholten, Jacques Sabrie, Bryan Russina, Jarret Rush, Jeff Ross, Maureen Robinson, Frederick Potts, Bryant Obando, Doug Norman, John Morris, Mike McClimens, Mark Maybury, John Maurer, Karen Mason, Bill Mack, Dan Lowen, Daniel Loehr, Amlan Kundu, Anita King, Stephen Jones, Dan Jones, Mike Jay, David Jacobs, DeAnn Iwan, Bill Horton, Lee Hobbins, Jean Henchey, Ray Haller, Paul Grund, Steven Gosnell, Bob Goldsmith, James Finegan, Allen Epps, Alexander Enzmann, Perry Engle, Darren Dusza, Peter Dugan, Emil Derenzo, Ken Christy, Dave Burgess, Chuck Boeckman, CDR Christopher Biow, Carl Benkley, Matt Beebe, Scott Barman, Richard Baldwin, Pete Attas, Douglas Atkinson, Jon Anderson, and Dock Allen. Finally, I would like to thank the following people, also listed in reverse alphabetical order, for providing post-release corrections to report: John Worrall, David N. Welton, W. Craig Trader, Larry Sevilla, David Neeley, Melchior Franz, Alan Knowles, and Lee Doolan.

— Terry Bollinger, The MITRE Corporation

To receive the most recent version of this MITRE Corporation document, or to recommend any additions or changes to the document, please contact Terry Bollinger at terry@mitre.org .

List of Figures

List of Tables

1. Introduction
1. Purpose

This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD) . The goals of the MITRE study were to develop as complete a listing of FOSS applications used in the DoD as possible, and to collect representative examples of how those applications are being used. Over a two-week period the survey identified a total of 115 FOSS applications and 251 examples of their use (Table 2).

2. Document Overview

This document is extensively linked both internally and to relevant external web sites. To use the links, simply click on the underlined words or phrases in the electronic version. The paper version of the document also shows the addresses of external as both footnotes and as references in Appendix E. Please note that certain links to locations in Appendix F will not work if you do not have a copy of the separate file that contains that appendix.

Section 1 (this section) provides background information on FOSS, an overview of how the survey was conducted, and a summary of results. Section 2 provides an analysis of the survey results, focusing on understanding the types of FOSS users identified in the survey. Finally, Section 3 provides three major recommendations, which can also be found in the Executive Summary at the very beginning of this document.

The survey data and data breakdowns are provided in the form of six appendices. Appendix A lists the full set of 115 FOSS applications identified in the survey, and breaks them down by application area. Appendix B provides descriptions of the individual FOSS applications, with links to the examples of use identified for each tool. Appendix C provides a detailed breakdown by application area of which FOSS licenses are used by the identified applications. Appendix D is a lengthy appendix that provides the full text of every license used by the identified tools, as well as additional related licenses and license information. Appendix E summarizes references from the document, which can also be found as linked footnotes throughout the document. Finally, Appendix F contains a Sensitive But Unclassified (SBU) table of all the example uses of FOSS found in the survey. It is contained in a separate file.

3. Background: Questions and Answers About FOSS
1. What is Free and Open-Source Software (FOSS)?

Free and open-source software (FOSS) is software that gives users the right to run, copy, distribute, study, change, and improve it as they see fit, without them having to ask permission from or make additional payments to any external group or person. The word free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. (A better word for zero-cost software, which lacks such rights, is "freeware.") The phrase open source emphasizes the right of users to study, change, and improve the source code—that is, the detailed design—of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both phrases derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation .

2. What is GPL Software?

The General Public License (GPL) is the original FOSS license, and GPL software is simply FOSS software that is covered by the GPL. The GPL was developed in the late 1980s by Richard Stallman as a way to convert his concept a software user’s Bill of Rights into a legally meaningful way to share and develop software. Since all FOSS originates directly or indirectly from Stallman’s original set of software user rights, the GPL tends to be the most accurate representation of the underlying principles of FOSS development.

The implications of this close link between the GPL and the underlying principles of FOSS can be seen in its overwhelming dominance among FOSS products. For example, over half of the software in the popular Red Hat Linux operating system is licensed under the GPL, and sites that support FOSS projects typically report that over 70% of their projects use the GPL. The results of the survey done for this report also support the dominance of the GPL, with 52% of the 115 identified applications being licensed wholly or predominantly under the GPL, and the next most popular type of license (BSD ) comprising a mere 6% of the total.

The most distinctive aspect of the GPL is its focus on the right of the software user to make autonomous decisions about how to use the software. GPL clauses ensure that individual users always retain the right to decide if, when, and how to use the software. For example, users always have the right to choose where and how to install GPL software, to analyze how it works, to change it, to decide if and when to release such changes, and even whether to sell original or modified GPL software at whatever price the market will bear. (Without the addition of distinguishing features or services, however, that market price will generally very low, since others can also sell or make copies of the same GPL software.) At no point in this process are GPL users required to ask for permission or guidance from outside entities or authorities, or to pay them additional fees, since the GPL itself provides all of the authorization required.

Another important and controversial Stallman innovation in the GPL was his use of transitive user rights to help ensure the rapid expansion of both the GPL user community and of the overall collection of GPL software. Transitive user rights mean that if anyone creates a new product that is based on the detailed design (source code) of an earlier GPL product, then they must provide any subsequent users of the new product with the same user rights that they had. In other words, the new work must also be placed under the GPL. Stallman realized that without this constraint the set of user rights provided by the GPL would evaporate over time as intermediate developers either neglected or explicitly chose not to convey the same level of autonomy to subsequent generations of users. Insisting on transitive user rights prevents this from happening, and ensures continued propagation of user rights. To balance the inclusive effect, however, Stallman made sure that it applied only when extensive, detailed use of the earlier GPL software was going on. It does not apply, for example, to those who are simply using (executing) GPL software, or to software that simply happens to exist on the same system as GPL software.

Stallman in effect postulated that if individual programmers were given the autonomy to use GPL fully, and that if such rights were always conveyed to all subsequent developers, the result would be explosive growth in both the number of participants and the capabilities of the resulting set of software. Stallman’s implicit postulate was largely validated over the course of the 1990s by the subsequent emergence of the World Wide Web, whose software components used and depended more upon GPL than on any other type of license. The full implications of Stallman’s work are yet to be seen, but via the Internet his principles have already had global consequences.

3. What is Open Source Software?

Open source software is FOSS that uses any license approved by the Open Source Initiative (OSI) in their convenient list of open source licenses . The OSI list is based on the open source definition , which in turn is heavily based on Stallman’s list of software user rights , but with the addition of several additional criteria intended to ensure fairness of the licenses. Both sets of criteria result in the selection of nearly identical sets of licenses, despite such differences.

4. Can FOSS Be Mixed with Proprietary Software?

A common assumption about FOSS licenses such as GPL is that their transitive user rights means they cannot be used with non-FOSS (e.g., government or proprietary) software. However, this is generally not the case; such mixing can generally be done in various ways. For example, even GPL with its strong protection of transitive user rights provides a number of mechanisms to allow such mixing (Figure 1). Microsoft provides a good example of an innovative use of one such mixing strategy in their Windows Services for Unix (SFU) product. This product uses proprietary software to build an initial bridge between Windows and UNIX operating systems, and then adds in GPL tools and utilities to extend greatly its overall emulation of UNIX. Users benefit from the extended functionality provided by the GPL components, while Microsoft benefits by avoiding the cost and time of re-developing the tools as proprietary software.

Figure 1 . Strategies for Mixing GPL and Proprietary Software

(a) Distribution Mixing – GPL and other software can be stored and transmitted together. Example: GPL software can be stored on the same computer disk as (most kinds of) proprietary software.

(b) Execution Mixing – GPL and other software can run at the same time on the same computer or network. Example: GPL and (unrelated) proprietary applications can be running at the same time on a desktop PC.

(c) Application Mixing – GPL can rely on other software to provide it with services, provided either that those services are either generic (e.g., operating system services) or have been explicitly exempted by the GPL software designer as non-GPL components. Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. Windows Services for UNIX 3.0 is a good example of commercial use of GPL application mixing.

(d) Service Mixing – GPL can provide generic services to other software. These services must be genuinely generic in the sense that the applications that use them must not depend on the detailed design of the GPL software to work. An example is linking a GPL utility to a proprietary software component by using the Unix "pipe" mechanism, which allows one-way flow of data to move between software components. This is the tightest form of mixing possible with GPL and other types of software, but it must be used with care to ensure that the GPL software remains generic and is not tightly bound to any one proprietary software component.

Note: GPL does not permit mixing of licenses when new software is directly derived from GPL source code;
such derived products must be licensed under GPL.

Since most FOSS licenses are similar in concept to the GPL, the mixing strategies listed in Figure 1 generally apply to other FOSS licenses as well. However, novel licenses should always be checked for unusual qualifiers or constraints. A number of FOSS licenses such as BSD provide additional ways to mix software types, such as through constrained direct integration of binary software into proprietary software.

5. Can FOSS Be Sold Commercially?

All of the major FOSS licenses, including GPL, permit commercial sale of FOSS software and products. The catch, however, is that since anyone can sell or copy the same software as you, the prices for FOSS products tend to be very low in the absence of other distinguishing features or services. In the late 1990s companies such as Red Hat and VA Software began to develop ways to provide commercial services in support of FOSS software products such as the Linux operating system. In the FOSS business model, such companies benefit from reduced long-term costs of supporting a large, complex code base, but they must also compensate for their loss of product uniqueness by stressing customer services and various forms of innovation in terms of new products and services. From a business support perspective the availability of companies that directly support FOSS products provides much the same kind of product and support continuity that organizations expect from proprietary software products.

6. How do FOSS Licenses Compare to Each Other?

As of mid 2002, nearly three dozen software licenses qualified as being open source , and thus FOSS, according to the defining criteria of the Open Source Initiative . In practice, however, only a small number of these licenses are widely used. Furthermore, less frequently used licenses are often based on or closely similar to more commonly used licenses. Table 1 summarizes a number of differences between four of the most important FOSS licenses. Additionally, the table includes the related concept of public domain software and an example of a proprietary software license that is notable for precluding the use of FOSS software.

Table 1 . A Comparison of FOSS and Related Licenses

License: Property			GPL	LGPL		BSD & MIT	Apache	Public Domain	Microsoft MIT4 EULA
a. Can be stored on disk with other license types			ü	ü		ü	ü	ü	(bans FOSS)5
b. Can be executed in parallel with other license types			ü	ü		ü	ü	ü	(bans FOSS)5
c. Can be executed on top of other license types			ü	ü		ü	ü	ü	(bans FOSS)5
d. Can be executed underneath other license types			ü 1	ü		ü	ü	ü	(bans FOSS)5
e. Source can be integrated with other license types				ü		ü	ü	ü	(bans FOSS)5
f. User decides if and when to publish derived code			ü 2	ü		ü	ü	ü	ü
g. Software can be sold for a profit			ü	ü		ü	ü	ü	ü
h. Binary code can be replicated by users as desired			ü	ü		ü	ü	ü
i. Binary code can be redistributed as desired			ü 3	ü		ü	ü	ü
j. Binary code can be used as desired by users			ü	ü		ü	ü	ü
k. New users always receive source code of derived works			ü	ü 6
l. New users receive full source modification rights for derived works			ü	ü 6
m. New users receive full redistribution rights for derived works			ü	ü 6
n. Binary code can be released without source code						ü	ü	ü	ü
o. Derived code can have a different type of license				7				ü
p. Original source can be incorporated into closed source products								ü
1 Provided that both programs are fully and independently usable in other unrelated contexts. 2 Provided that the binary code has not been previously released to the public. 3 Provided that source code is always redistributed along with the binary code. 4 The proprietary Microsoft MIT EULA is not related to the similarly named MIT (X/MIT) license. 5 Specifically bans use of: GPL, LGPL, Artistic, Perl, Mozilla, Netscape, Sun Community, and Sun Industry Standards. 6 The rights granted by LGPL do not necessarily extend to the applications linked into an LGPL library. 7 The LGPL does permit re-licensing under GPL as a special case, but not re-licensing under any other license type.
License Acronyms:
GPL –	GNU General Public License	(Microsoft) MIT –			Mobile Internet Toolkit
LGPL –	GNU Lesser General Public License	(X/MIT) MIT –			Massachusetts Institute of Technology
BSD –	Berkeley Software Distribution	EULA –			End-User License Agreement
MPL –	Mozilla Public License	FOSS –			Free and Open-Source Software

Properties (a) through (e) in the table examine the ability of a license to co-exist with other types of software, e.g., the ability of FOSS licenses to co-exist with proprietary software. In this category, the most exclusive license is easily the Microsoft MIT EULA license , which prohibits a number of FOSS licenses from co-existing on the same platform as the EULA software. No other FOSS or proprietary license encountered during the survey came close to this level of exclusivity. The GPL takes a very distant second place for exclusivity, since it forbids design-time incorporation of GPL source code into non-GPL source code. However, unlike the Microsoft MIT EULA, the GPL places no constraints on software simply running on the same system, and actually goes out of its way not to intrude on other licenses outside of that context. The GPL even allows non-GPL software to use GPL software as long as the two programs are not inextricably linked to each other (that is, they can both be used independently in other contexts). The GNU Lesser GPL (LGPL) is even more accommodating, allowing software to be directly incorporated into non-free software. The BSD and Apache license are still more accommodating by allowing distribution in binary form only. Finally, and not surprisingly, the most permissive category of all is public domain software, which allows essentially any use.

Properties (k) through (m) point out the flip side of the somewhat restrictive nature of the GPL: Its ability to ensure that later generations of users will inherit exactly the same rights to use, change, and redistribute GPL software as the first generation of users.

4. Overview of the DoD FOSS Survey

The data for the DoD FOSS survey was collected by email. The goal of the survey was to identify as complete a listing of the FOSS applications in use within the DoD as possible, and to document a diverse and representative set of examples of how these FOSS applications are being used. Over a two-week period the survey identified a total of 115 FOSS applications and 251 documented examples of how these applications are being used in the DoD. For purposes of completeness and comparison, a small number of cases were included in which the applications clearly do not meet FOSS criteria, but are related to FOSS in terms of availability of source code or use of FOSS-like processes for sharing work within limited communities. All such examples are noted as such, and should not be confused with applications that are unambiguously FOSS.

The set of 115 applications should include the majority of FOSS applications currently in use within the DoD, as judged by the increasing rate towards the end of the study at which new data points matched previously identified applications. The 251 examples of FOSS use are highly diverse both in terms of the DoD organizations represented and the types of applications. The set of examples likely includes most "big program" uses of FOSS, since explicit decisions to use FOSS in large programs generally led to multiple identifications of such programs in the survey responses. However, the examples clearly represent only the tip of an iceberg in terms the total number of facilities, operators, developers, researchers, and contractors using FOSS applications to support DoD work. For example, the GPL GCC compiler dominates C-language software development globally, and it has few competitors. This dominance makes it likely that the total instances of use of GCC by DoD software developers is hundreds or more likely thousands of times larger than the nine examples identified over the course of this short survey. The categories of FOSS applications that are most likely to have such large amplification factors are software development, web support, and network administration, which are all areas where FOSS applications are traditionally strong.

5. Survey Details

The detailed results of the survey are available in the form of a Sensitive But Unclassified (SBU) Appendix F. By placing this document and Appendix F in the same folder with the original filenames, Appendix F recipients can use hyperlinks from this document to access relevant data.

6. Analysis Approach

To help analyze the resulting data, the hypothetical question was posed of what would happen if FOSS software were banned in the DoD. Surprisingly, over the course of the analysis it was discovered that this hypothetical question has a real world analog in the form of proprietary licenses that if widely used would effectively ban most forms of FOSS . A corollary question is what the impact of banning the GPL alone would be, although many FOSS licenses are too much like GPL to make this distinction easy. The survey found that the GPL sufficiently dominates in DoD applications (Table 9) for a ban on GPL to closely approximate a full ban of all FOSS.

7. Summary of Results

The main conclusion of the analysis was that FOSS software plays a far more critical role in the DoD than has been generally recognized. The value of FOSS to the DoD appears to be greatest in four broad categories: Infrastructure Support , Software Development ,Security , and Research .

1. Infrastructure Support

While commercial equivalents Infrastructure FOSS applications are generally available, banning FOSS products would nonetheless result in a significant short-term cost spike as low-cost FOSS networking and web applications are replaced purchased proprietary equivalents. Ironically, there is no evidence that such a conversion would result in performance benefits. Since much of the infrastructure of the Internet was created under the FOSS model, its infrastructure applications such as Apache are generally older, more functionally mature, and less likely to fail than much more recent proprietary equivalents.

2. Software Development

A FOSS ban would have an especially negative impact on DoD software development. Development projects that use FOSS versions of the C and Ada programming languages would face costly translations to proprietary compilers and run time support packages. For the latter case of Internet-based languages such as Perl , recovery would be especially difficult since there are no immediately available commercial equivalents.

3. Security

One of the more unexpected results of the survey was the degree to which DoD security depends on FOSS applications and strategies. Banning FOSS in this area would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion. This is in part because such a ban would prevent DoD groups from using the same analysis and network intrusion applications that hostile groups could use to stage cyberattacks. It would also remove the uniquely FOSS ability to change infrastructure source code rapidly in response to new modes of cyberattack. More interestingly, the GPL turns out to be surprisingly well suited to use in security environments because such environments include existing well-defined abilities to protect and control release of confidential information. This existing awareness largely removes the risk of premature release of GPL source code by developers, while maximizing the ability of those same developers to make effective use of the autonomy of decision provided by the GPL.

4. Research

DoD research would also be seriously damaged by a ban on FOSS. In this case, both cost and capabilities are important factors. Research efforts often use FOSS to extend limited budgets and allow them to focus more quickly on their research agendas. In terms of capabilities, FOSS provides resources such as mathematical software and the ability to link PCs into supercomputers for which there are no equivalent commercial alternatives. Finally, the FOSS method itself provides a form of "active publishing" that researchers use to share not just printed results, but software that can be immediately used to support further work.

2. Analysis of FOSS Survey Results
1. Types of DoD FOSS Users

The survey showed that the majority of DoD FOSS users are simply using the software without modifying the source, and in most cases without even looking at it. Such users are unaffected by the FOSS licenses of those applications. However, there are also cases where a project may choose to use FOSS licenses, or where the implications of the licenses need to be understood. The main categories of DoD FOSS users identified in the survey are described below.

1. Operational Users

As anticipated, the majority of the users in the survey only used their applications operationally – that is, without looking at or using the source code for them. Examples include using Linux, Apache, OpenBSD, and a variety of security applications.

2. Scripting and Basic Code Development Users

This category was also large. It includes using language and scripting applications such as Perl, GCC, bash, and JBoss to write simple scripts and code packages. Perl in particular was the single most widely used FOSS application in the survey. In terms of licensing, this category is similar to operational except for one difference: any libraries of parts that are used should be checked to make sure that they do not use licenses (e.g., the GPL) that would inadvertently require the new software to be FOSS also.

3. Advanced Code Development Users

This is a much smaller category that mostly includes cases where large, complex library routines (e.g., scientific and parallel processing routines) need to be incorporated into new software. While it may be worth doing this kind of work under a FOSS model, such decisions should not be made accidentally, but should be decided ahead of time.

4. FOSS Sponsors

Finally, the smallest group of DoD projects consisted of those that had explicitly decided to use a FOSS model to promote non-DoD development work on their project. The two main examples of this in the survey are SELinux (Secure Linux), which is a FOSS effort sponsored by the NSA, and CVW (Collaborative Virtual Workspace), which was initially developed by The MITRE Corporation for DoD use. While small numerically, this category is interesting because it demonstrates examples of the DoD and its associates using a FOSS model to help promote software advances in a larger overall community.

2. Observations

Some of the more surprising results of the data are given below.

1. FOSS Software is Vital to DoD Information Security

The survey identified 44 examples where organizations involved in DoD Security use FOSS software. The FOSS communities contribute to DoD security in two ways. Firstly, it has produced infrastructure software such as OpenBSD with low rates of software failure combined with early and rapid closure of security holes, which makes such systems useful as the security linchpins in broader security strategies. Secondly, the FOSS communities have had a long-term fascination with developing more and more sophisticated applications for identifying and analyzing security holes in networks and computers, resulting in FOSS products such as SARA and Snort that are invaluable to in-depth analyses of security risks.

The incentive for creating network analysis applications is different, but still deeply embedded in the psychology of FOSS development. In this case there is a strong competitive thread to FOSS developers that encourages them both to demonstrate flaws in the systems of others, while proving the reliability of their own systems. This gaming psychology tends to produce an "arms race" mentality in which both the strategies for analyzing weaknesses and the ability to defend against attacks are constantly improving.

Yet another important way in which FOSS contributes to security is by making it possible to change and fix security holes quickly in the face of new modes of cyberattack. This ability, which allows rapid response to new or innovative forms of cyberattack, is intrinsic to the FOSS approach and generally impractical in closed source products.

2. DoD Web Infrastructures Would Be Hit Hard

Infrastructure was the single largest category of DoD use of FOSS applications (see Table 3). This is in part because the Internet itself developed around a largely FOSS approach, with many of its most mature and widely used components (e.g., Apache ,Sendmail , or Qmail ) being FOSS. Consequently, it is difficult to construct an effective web or Intranet without relying on at least some minimal level of FOSS applications, as reflected by the large number of examples of FOSS infrastructure reliance identified by the survey. If rigorously enforced, a full ban on the use of FOSS web components within the DoD would result in at least a temporary shutdown of many or most of its web-based network and services. Even when commercial equivalents to FOSS web products are available, the relative immaturity of the commercial equivalents could increase risks for DoD infrastructures.

3. DoD Research Relies Heavily on FOSS for Synergy

For some components of the DoD research community, FOSS software acts as a sort of "active publication" medium in which important results are posted in the form of software and collectively improved by the entire community. This effect is especially strong in numeric processing and simulation, where FOSS products provides some of the best processing methods and software available anywhere. A ban on FOSS software here would both slow the exchange of ideas and make certain types of research (e.g., research based on supercomputer networks of low-cost PCs) impractical.

4. Cost Is Seldom the Only Reason for Choosing FOSS

More often than not, the strongest deciding factors for choosing FOSS products were capability and reliability, with cost being an important but secondary factor. In the small number of cases where groups chose to use FOSS software purely for cost reduction reasons, they were more likely to be disappointed by issues such as incompatibility with closed source systems that they were attempting to replace or complement.

5. Software Development Would Be Hit Hard

FOSS languages and applications such as GCC for the C language and GNAT for Ada have become so endemic in software development that a full, rigorously enforced ban on using FOSS could bring affected DoD software development projects to a halt. Such a ban would also remove a number of widely used program development applications such as CVS and GDB . The impact of a ban would be even more severe for development in languages such as Perl , which is a relatively recent language that has become an integral part of the Internet, and which is also widely to build "glue code" for integrating software applications. While commercial alternatives exist for older languages such as C and Ada, they are generally neither as mature or as portable across platforms as the FOSS equivalents. In the case of languages such as Perl that originated as FOSS, commercial alternatives do not exist, and applications would need to be translated into other languages.

3. An Analysis of Approaches to DoD FOSS Policy

In this section, a number of possible approaches to DoD FOSS policy are described and briefly analyzed for their likely consequences.

1. Approach #1: Ban All DoD Use of FOSS

The implementation of a DoD policy that bans any use of FOSS products would likely have interesting (and largely negative) short-term and long-term impacts on DoD cost, reliability, and capability. Figure 2 shows a notional estimate of such impacts on DoD FOSS users.

Figure 2 . Likely Impacts on Users of Banning FOSS



The short-term impacts would be the most serious. These impacts reflect both that the DoD already makes significant use of FOSS applications, and that a number of FOSS capabilities (particularly in the areas of high-end computing, security, and Internet-oriented software development) and security) are not readily available from closed-source COTS products. Short-term impacts on security would be especially bad due to the need to replace reliability- and security-focused systems such as OpenBSD with COTS systems that often have notable security and reliability issues . Over the long term, however, security would probably gradually improve as the closed-source COTS vendors continue to fix bugs and security flaws that were already absent from the FOSS products that they replaced.

Costs would also take a significant short-term hit as the low-cost and no-cost FOSS components are replaced with purchased proprietary products. Overall costs would then likely come down during an interim period. However, in the long term removing FOSS would remove an important source of price and quality competition. Without the constant pressure of low-cost, high-quality FOSS product competing with the closed-source products, the closed-source vendors could more easily fall into a cycle in which their support costs balloon and costs are passed on to their locked-in customers.

Capability would be negatively affected in both the short and long term, especially for high-end scientific and research computing that would lose resources such as libraries of high-quality mathematical software and support for high-end computing . Software development could become a difficult process, since the GCC family of compilers for C, C++, and other languages has become so prevalent that few similarly platform-independent alternatives exist. Development and support of Ada programs would be similarly affected, since the FOSS GNAT compiler dominates the Ada language in much the same way that GCC dominates C.

Ironically, a thoroughly rigorous and systematic ban on DoD use of FOSS could also affect a number of proprietary product that rely on FOSS products that permit incorporation of FOSS into their closed-source products. For example, Microsoft Office uses the FOSS zlib collection of data compression software, and thus could technically be banned as a product that incorporates FOSS software.

Finally, it should be noted simply using GPL software in combination with proprietary or closed-source government software does not have any affect the licensing of the non-GPL software. The GPL only requires that new source code that directly incorporates GPL software be made GPL, which is not the case for operational (e.g., infrastructure and security) use of GPL applications.

2. Approach #2: Limbo Status

At present, FOSS is neither approved nor disapproved in most parts of the DoD. This limbo status makes program, project, and developer decisions regarding FOSS difficult. Developers are often aware of the benefits of FOSS products for certain types of applications, but are unwilling to share that knowledge with their supervisors or commanding officers for fear that they will be told that they are using "unapproved" applications.

This de facto limbo-status policy of the DoD towards FOSS is unfortunate, since based on the way in which FOSS are being used, it is likely that the DoD would benefit from more use of FOSS rather than less. For example, although the FOSS Apache web server is mature, capable, and has an superior track record as measured the number of security holes on public tracking sites such as CERT , it is sometimes avoided on DoD sites simply because site administrators are unsure of its status. In such cases, a policy that explicitly permits the use of Apache would likely result in both improved overall reliability and lower costs for the DoD.

3. Approach #3: Selective FOSS Approvals

In this scenario, selected well-known and well-established FOSS products such as Apache, OpenBSD, GCC, GNAT, and Red Hat Linux would be selectively approved for DoD-wide use.

This approach would have immediate and largely beneficial effects, since many of these programs are already heavily in use in the DoD and have many users and supporters already in place. Approval would allow immediate broader use of such applications by users who for the most part will already be familiar with how to install and use them. Costs would drop in both the short and long term as more costly applications are replace by FOSS products such as Apache that are almost universally considered to be higher quality. Reliability and security would also improve, given that several of these well-known products already have established track records in these areas. Finally, capabilities would improve as the capabilities of these systems are distributed to more and more sites, and in some cases used to upgrade older systems. For example, Linux can often be used to increase the reliability and performance of older systems that are not capable of upgrading to new, much heavier-weight versions of Windows.

The main disadvantage of this approach would be that the selective approval process would likely overlook many of the smaller but highly important niche uses of FOSS, such as some of the security and numeric processing applications.

4. Approach #4: Security, Infrastructure, Research, and Development

This approach would provide DoD approval for using FOSS products in four general areas: Infrastructure Support, Software Development, Security, and Research. Rather than providing a fixed list, this approach would provide broad guidelines for selecting FOSS products in each of the areas, as well as specific lists of pre-approved products.

For Infrastructure Support , users would be able to select widely used and commercially supported FOSS applications such as Linux , Apache , OpenBSD , and other applications related to supporting the information infrastructure of an enterprise. A list of recommendations would be provided, but would not be exclusive. Groups would be able to choose other Infrastructure FOSS products if they meet the overall criteria for acceptable Infrastructure FOSS products. This category would never involve any kind of software development, and so would be unaffected by the special licenses of FOSS.

For Software Development , relevant FOSS applications such as Perl ,CVS , GCC , GNAT ,JBoss , Emacs , and others would be listed explicitly, and others allowed if they meet overall criteria for such applications. In contrast to Infrastructure and Security, users would be required to know and understand the particulars of the FOSS licenses of their applications, so that they are away of areas that could invoke FOSS licenses. For example, the LGPL license used with the C libraries of the GCC compiler does not involve FOSS licenses for any software developed, but there are other examples of C libraries that use GPL licenses that would affect software that uses them. Users of Development FOSS products should be aware in particular of the status of any library software that they use. Invoking a FOSS license could be done intentionally, such as to make better use of a community of like-minded developers outside of a government organization, but it should never be invoked accidentally (e.g., by not checking to see whether a library of components is under the LGPL or GPL).

An example of an area where explicit FOSS development policies would be useful is in the selection and use of FOSS software libraries. This need to be selected with some care, since for example libraries that use the GPL may require that software developed using those routines be GPL also. The GNU Scientific Library (GSL) , for example, contains many useful scientific routines, but was not used by any of the respondents. One respondent indicated that he had specifically avoided the GSL because of its use of GPL. While choosing to use GPL libraries may be appropriate if the goal is to contribute new features to a broader community, such libraries may be conversely be inappropriate when such release is not the desired goal.

For Security , users would similarly have a list of known, recognized products to use for non-development applications, plus guidelines for selecting other products. Guidelines for selecting Security FOSS products would be more stringent than for Infrastructure, since many security-related FOSS products could damage a system or network if used improperly.

Approval for Research use of FOSS would be similar to that for Development, but with more emphasis and leeway for sharing results and contributing to a community of developers. As with Development, though, software should not be made FOSS accidentally, but only by an explicit (and approved) decision to do so.

5. Approach #5: Advocating FOSS Products

There is a point of diminishing returns in all things, and in the case of FOSS, trying to force people to use FOSS products when it is not their own choice is likely well past that point. This is especially true since many of the highest quality FOSS products seem to show up in areas such as infrastructure, security, development, and research. All of these areas share the feature that they include people who are interested in pushing the limits of what they can do with a system or software, rather than simply using the software operationally. In contrast, desktop applications have tended to stay more stubbornly in the realm of closed-source COTS, at least for now.

In short, FOSS seems to work best when people come to it, and not vice-versa. In the study, one of the small number of negative reactions to using a FOSS product (GCC) came as a result of force-fitting it into a situation where compatibility with a closed source compiler was more important than the low cost of the GCC compiler. Anecdotal evidence tends to confirm the idea that using FOSS products only to "save money" is not necessarily a good idea , especially if the fit to the problem is not that good. Such products are best chosen because they have features that are desirable for how they will be used.

4. Conclusions

Based on the above analysis, the FOSS policy approach that appears most likely to benefit the DoD would be a combination of the third (selective approvals) and fourth (security, infrastructure, research, and development based) approaches. The resulting recommendation is summarized in the next and final section of this report.

3. Recommendations

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software are keeping FOSS from reaching optimal levels of use. MITRE therefore recommends that the DoD take three policy-level actions to help promote optimum DoD use of FOSS:

1. Create a "Generally Recognized As Safe" FOSS list. This list would provide quick official recognition of FOSS applications that are (a) commercially supported, (b) widely used, and (c) have proven track records of security and reliability—e.g., as measured by speed of closures of CERT reports in comparison to closed-source alternatives. Initial applications for consideration would include, but not be limited to, the set of 115 already-used applications identified by the survey in Table 2, plus other widely used tools such as Python (http://www.python.org/ ) that did not appear in this first set of results. In formulating the list, quick consideration should be given in particular to high value, heavily used infrastructure and development tools such as Linux ,OpenBSD , NetBSD , FreeBSD , Samba , Apache , Perl , GCC ,GNAT , XFree86 , OpenSSH , bind , and sendmail .
2. Develop Generic, Infrastructure, Development, Security, & Research Policies. The DoD should develop generic policies both to promote broader and more effective use of FOSS, and to encourage the use of commercial products that work well with FOSS. A good example of the latter is the Microsoft Windows Services for UNIX product, which relies on FOSS (GPL ) software to reduce development costs and dramatically increase its power. A second layer of customized policies should be created to deal with major use areas. For Infrastructure and Development, these policies should focus on enabling easier use of GRAS products such as Apache, Linux, and GCC that are already in wide use, but which often suffer from an ambiguous approval status. For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats. Finally, for Research the policies should encourage appropriate use of FOSS both to share and publish basic research, and to encourage faster commercial innovation.
3. Encourage use of FOSS to promote product diversity. FOSS applications tend to be much lower in cost than their proprietary equivalents, yet they often provide high levels of functionality with good user acceptance. This makes them good candidates to provide product diversity in both the acquisition and architecture of DoD systems. Acquisition diversity reduces the cost and security risks of being fully dependent on a single software product, while architectural diversity lowers the risk of catastrophic cyber attacks based on automated exploitation of specific features or flaws of very widely deployed products.

1. Lists of Applications
1. Full List of FOSS Applications Used in the U.S. DoD

Table 2 lists the 115 FOSS applications identified by the survey. Note if you are looking at the electronic version of this document, you can use Table 2 as a quick index into the list of application descriptions (Table 7) by clicking on the name of an application.

Table 2 . Quick List of FOSS Software Used in the U.S. DoD

A	ACE	ACE ORB (TAO)	ACID	AMANDA	Apache	Autoconf	Automake
B	bash	Bastille	BIND
C	C++ Boost	CIS Benchmarks	Colt	Condor	COPS	Crack	CVS
	CVW	Cygwin
D	DDD	DjVuLibre
E	EADSIM	Emacs	eTrust	Expect
F	FreeBSD
G	GateD	gawk (awk)	GCC	GDB	Ghostscript	GNAT	GnuPG
	gnuplot	grep
H	h2n	HOSTS
I	ImageMagick
J	JADE	Jakarta	Jaxen	JBoss	JDOM	Jikes	jSIP
K	Kaffe
L	LaTeX	Linux	Linux (Red Hat)	Linux firewalls	Lsof
M	m4	Majordomo	make	Maxima	MIMEsweeper	MRTG	MTR
	MySQL
N	Nessus	NetBSD	NetSaint	nload	Nmap	ntop	NTP
O	Octave	OpenBSD	OpenMap	OpenOffice	OpenSSH	OpenSSL
P	Perl	Perl CGI scripts	PerLDAP	PHP	PingScan	Procmail
Q	Qmail
R	R	RealSecure	RRDtool	RTLinux	RWhois	RXVT
S	Samba	SARA	SATAN	Saxon	SCA	sed	SELinux
	Sendmail	SNARE	Snort	Squid
T	Tcl/Tk	TCP Wrappers	Tomcat	Top	Tripwire
U
V	VisAD	VOCAL	VTK
W	Webmin	WebTAS	Weka	WU-FTPD
X	Xalan	Xerces	XFree86	XGobi	Xpatch
Y
Z	zlib	Zope

2. 
   
3. Breakdown by Use

In this section, the 115 applications of the survey results were regrouped based on the (often multiple) ways in which they are being used. The result was four overlapping sets: Infrastructure Support (65 applications), Software Development (53 applications), Security (44 applications), and Research (21 applications).

1. Infrastructure Support Applications

Table 3 lists the 65 FOSS applications used in DoD infrastructure support. For online users of this document, this table is linked into the application description table (Table 7) and can be used as an index for perusing security-related FOSS applications. To return to this table instead of the main index after reading about an application, hold down Alt and press the left arrow key.

Note that although Security can be viewed as an aspect of Infrastructure Support, applications that were used only for security are listed separately in Table 5, rather than in this table. Some applications (e.g., NetSaint) are listed in both tables since they can support both ordinary network administration and security-oriented activities.

Table 3 . Infrastructure Support Applications

A	ACE	ACE ORB (TAO)	AMANDA	Apache
B	BIND
C	Condor	CVW	Cygwin
E	EADSIM	Emacs
F	FreeBSD
G	GateD	gawk (awk)	Ghostscript	GnuPG	grep
H	h2n
I	ImageMagick
J	Jaxen	JBoss	JDOM
L	LaTeX	Linux	Linux (Red Hat)	Linux firewalls	Lsof
M	Majordomo	MRTG	MTR	MySQL
N	NetSaint	nload	Nmap	ntop	NTP
O	OpenBSD	OpenMap	OpenOffice	OpenSSH	OpenSSL
P	Perl	Perl CGI scripts	PerLDAP	PHP	PingScan	Procmail
Q	Qmail
R	RRDtool	RTLinux	RWhois
S	Samba	SCA	sed	SELinux	Sendmail	Squid
T	Tomcat	Top
W	Webmin	WU-FTPD
X	Xalan	Xerces	XFree86
Z	zlib	Zope

 

2. Software Development Applications

Table 4 lists the 53 FOSS applications used in DoD software development. For online users of this document, this table is linked into the application description table (Table 7) and can be used as an index for perusing security-related FOSS applications. To return to this table instead of the main index after reading about an application, hold down Alt and press the left arrow key.

Table 4 . Software Development Applications

A	ACE	ACE ORB (TAO)	Autoconf	Automake
B	bash
C	C++ Boost	CVS	Cygwin
D	DDD	DjVuLibre
E	Emacs	Expect
F	FreeBSD
G	GateD	GCC	GDB	GNAT	GnuPG
H	h2n
I	ImageMagick
J	JADE	Jakarta	Jaxen	JBoss	JDOM	Jikes	jSIP
K	Kaffe
L	LaTeX	Linux
M	m4	make	MySQL
N	NetBSD
O	OpenMap	OpenSSH
P	Perl	PHP
R	RTLinux	RXVT
S	Saxon	SCA
T	Tcl/Tk	Tomcat
V	VOCAL	VTK
W	WU-FTPD
X	Xalan	Xerces	XFree86
Z	zlib	Zope

 

3. Security Applications

Table 5 lists the 44 FOSS applications used in DoD security applications. For online users of this document, this table is linked into the application description table (Table 7) and can be used as an index for perusing security-related FOSS applications. To return to this table instead of the main index after reading about an application, hold down Alt and press the left arrow key.

Table 5 . Security Applications

A	ACID
B	Bastille
C	CIS Benchmarks	COPS	Crack
E	eTrust	Expect
F	FreeBSD
G	GCC	GnuPG
H	HOSTS
L	Linux	Linux (Red Hat)	Linux firewalls	Lsof
M	MIMEsweeper	MRTG	MTR	MySQL
N	Nessus	NetSaint	nload	Nmap	ntop
O	OpenBSD	OpenSSH	OpenSSL
P	Perl	Perl CGI scripts	PerLDAP	PHP
Q	Qmail
R	RealSecure	RRDtool
S	SARA	SATAN	SELinux	SNARE	Snort	Squid
T	Tcl/Tk	TCP Wrappers	Tripwire
W	Webmin

 

4. Research Applications

Table 6 lists the 21 FOSS applications used in DoD research. For online users of this document, this table is linked into the application description table (Table 7) and can be used as an index for perusing security-related FOSS applications. To return to this table instead of the main index after reading about an application, hold down Alt and press the left arrow key.

Table 6 . Research Applications

A	ACE ORB (TAO)
C	Colt		Condor	CVW
E	EADSIM
G	GateD		gnuplot
J	JADE		Jikes	jSIP
L	Linux
M	Maxima
O	Octave
R	R
S	SCA
V	VisAD		VOCAL	VTK
W	Weka
X	XGobi		Xpatch

2. Application Descriptions
1. Application Descriptions

Table 7 describes the applications, provides references for finding them on the Internet, and lists the 251 identified instances of DoD use of the applications, including email contact points for each instance. The applications are organized alphabetically by FOSS application. The application descriptions include links back to the main index table (Table 2) to make rapid browsing easier. The information in this table was last updated on August 7, 2002.

Table 7 . FOSS Software Used in the U.S. DoD

Application	Description	License	References
ACE (1 example)	ACE = ADAPTIVE Communication Environment. ACE is a toolkit for creating software to perform common cross-platform network communication tasks. ACE helps create software for demultiplexing, event handler dispatching, signal handling, service initialization, interprocess communication, message routing, dynamic reconfiguration of distributed services, shared memory management, concurrent execution, and process synchronization. The TAO real-time CORBA ORB is a major component of ACE.	ACE/TAO	http://www.cs.wustl.edu/~schmidt/ACE-overview.html http://www.riverace.com/ http://www.theaceorb.com/product/aboutace.html
ACE ORB (TAO) (3 examples)	TAO is a standards-based (CORBA) "Object Request Broker" (ORB) that allows programs located on many networked computers to work together securely and in real-time.	ACE/TAO	http://www.cs.wustl.edu/~schmidt/TAO.html http://www.theaceorb.com/
ACID (1 example)	ACID = Analysis Console for Intrusion Databases. ACID is a PHP-based analysis engine used to search and process databases of security events generated by various intrusion detection systems, firewalls, and network monitoring tools.	GPL	http://www.cert.org/kb/acid/
AMANDA (1 example)	AMANDA = Advanced Maryland Automatic Network Disk Archiver. AMANDA allows a single master backup server to back up large sets of workstations running multiple versions of Unix. AMANDA can also use SAMBA to back up Microsoft Windows 95/NT systems.	BSD	http://www.amanda.org/
Apache (22 examples)	A web server is the software that presents web pages to Internet users. Apache is easily the most popular and widely used web server (open or closed source) on the Internet. It is popular for its reliability, security, range of features, and low cost.	Apache	http://www.apache.org/
Autoconf (1 example)	Autoconf adapts software source code to many kinds of Unix-like systems without manual user intervention.	GPL	http://www.gnu.org/software/autoconf/
Automake (1 example)	For software development, Automake generates Makefiles that are compliant with GNU coding standards.	GPL	http://sources.redhat.com/automake/
bash (2 examples)	The default command line interface for Linux. It is used both to create scripts (high level programs), and to interact directly with the operating system.	GPL	http://www.gnu.org/software/bash/bash.html
Bastille (1 example)	The Bastille Hardening System is a package of adjunct software that can be used to "harden" the Linux operating system. The goal of Bastille is to provide the greatest possible security while keeping the system easy to use. Bastille currently supports the Red Hat and Mandrake Linux distributions, and in late 2002 to early 2003 is also expected to support the Debian, SuSE, and TurboLinux distributions of Linux. Support for the proprietary HP-UX operating system is also planned.	GPL	http://www.bastille-linux.org/ http://sourceforge.net/projects/bastille-linux/
BIND (3 examples)	BIND = Berkeley Internet Name Domain. It is BIND that allows easy-to-use URL text names (e.g., place.com) to be used to identify web sites, instead of the long numeric addresses that the Internet itself uses. Nearly all systems and commercial software that connect to the Internet use BIND.	ISC	http://www.isc.org/products/BIND/
C++ Boost (1 example)	C++ Boost is a web site that provides a broad range of free, portable, high-quality, peer-reviewed C++ source libraries. The site emphasizes compatibility with the C++ Standard Library, and holds many candidates for eventual inclusion in than library.	C++ Boost	http://www.boost.org/
CIS Benchmarks (1 example)	CIS = Center for Internet Security. The CIS Benchmarks are a set of documents that specify in detail how to configure common operating systems for maximum security. An associated collection of freeware Scoring Tools provide automated checks of how closely a given system comes to meeting the Benchmark specifications. The Benchmarks documents are developed and maintained using an easily-to-join community-style (limited FOSS) development process. However, the associated scoring tools are zero-cost freeware, not FOSS, and are provided in binary form only (no source code). (See the HOSTS tool for a FOSS analog to the CIS Scoring Tools.)	Community (CIS)	http://www.cisecurity.org/
Colt (1 example)	Colt is a free collection of high-quality scientific and mathematical software written in Java. It includes software for efficient data structures, data analysis, linear algebra, multi-dimensional arrays, histoprogramming, Monte Carlo simulation, and parallel and concurrent programming. Colt serves as a constantly evolving repository for some of the best concepts and designs for such software.	Colt	http://tilde-hoschek.home.cern.ch/~hoschek/colt/
Condor (1 example)	Condor is a computing environment that allows scientists and engineers to harness the capacity of large collections of distributed Unix systems (workstations and PCs running Linux or BSD) to solve processing-intensive problems. Future versions may also work with Windows.	GPL	http://www.cs.wisc.edu/condor/
COPS (1 example)	COPS = Computer Oracle and Password System. COPS analyzes Unix-like systems for weaknesses.	GPL	http://www.tripwire.org/qanda/faq.php
Crack (3 examples)	Crack is used by network admins to verify the quality of user passwords by attempting to break or "crack" those passwords.	Artistic	http://www.uazone.org/demch/analysis/sec-inchtools.html#5.2
CVS (3 examples)	CVS = Concurrent Versions System. CVS is a popular system for helping software development projects keep track of the history and any multiple versions of the source code they develop. CVS can be used in a wide range of project sizes.	GPL	http://www.cvshome.org/
CVW (3 examples)	Originally developed by MITRE and later released as FOSS. Used by over 5000 people for collaboration. Currently being phased out at NSA in favor of the commercial InfoWorkSpace product from ezenia!, as per directions by Congress and the DoD. The InfoWorkSpace product includes elements of the CVW design.	MITRE	http://cvw.sourceforge.net/
Cygwin (2 examples)	A surprisingly complete Linux-like emulation of Unix and the Unix tool set for use on Windows systems. Cygwin provides access to useful Unix tools and capabilities without requiring users to restart their systems or go to another computer.	GPL	http://www.cygwin.com/
DDD (1 example)	GNU DDD is a graphical front-end for debugging tools. It is noted for its ability to display debugging data in a convenient chart format.	GPL	http://www.gnu.org/software/ddd/
DjVuLibre (1 example)	DjVuLibre provides efficient distribution and display of images in a variety of compressed formats.	GPL	http://djvu.sourceforge.net/
EADSIM (1 example)	EADSIM = Extended Air Defense Simulation. Combat developers, materiel developers, and operational commanders use EADSIM simulations to assess the effectiveness of Theater Missile Defense (TMD) and air defense systems against a full spectrum of extended air defense threats. It is provided without charge under a restricted community (versus FOSS) license.	Community (EADSIM)	http://www.eadsim.com/EADSIMBrochure.html
Emacs (6 examples)	A full-functioned and popular editing tool that is especially useful for creating software. There are multiple "families" of Emacs, such as GNU Emacs and X-Emacs, for use in different environments. Emacs also supports language-specific extensions that are widely used for development in languages such as Java and C.	GPL	http://www.gnu.org/software/emacs/emacs.html
eTrust (1 example)	eTrust is a closed source network security evaluation and monitoring tool with FOSS (OpenSSL toolkit) origins.	Closed from open (eTrust)	http://www3.ca.com/Solutions/Solution.asp?ID=271
Expect (1 example)	Expect is a system admin and user tool for automating and testing interactive Unix applications such as telnet, ftp, passwd, fsck, and rlogin. It can be used to greatly simplify and automate tasks that would be prohibitively time consuming and costly if done interactively by people.	Public Domain (Expect)	http://expect.nist.gov/
FreeBSD (3 examples)	The Unix-like operating BSD operating systems are FOSS competitors to Linux, and are notable for having generally higher levels of reliability and security. OpenBSD, NetBSD, and FreeBSD are best known. FreeBSD is notable for being highly efficient when used on PC (Pentium) computers.	BSD	http://www.freebsd.org/ http://www.daemonnews.org/199904/editorial.html http://www.openbsd.org/ http://www.netbsd.org/
GateD (1 example)	GateD provides network routing services, a routing database, and support for a variety of routing protocols.	Closed from open (GateD)	http://www.nexthop.com/products/gated.shtml (current closed version) http://www.merit.edu/internet/net-research/idrp/mitre/doc/gated_doc/main.html (earlier FOSS version)
gawk (awk) (2 examples)	gawk = GNU awk (Aho, Weinberger, Kernighan - the authors of awk). Gawk is the GNU version of the awk file transformation language. Awk is an interpreted C-like language with strong pattern matching and capabilities, making it useful for writing quick programs to make minor transformations on files. For larger or more frequently used file transformations, Perl is usually a better choice than gawk, since the more recent Perl provides similar capabilities plus a number of advanced features.	GPL	http://www.gnu.org/software/gawk/gawk.html
GCC (9 examples)	GCC = GNU Compiler Collection (formerly GNU C Compiler). GCC is a suite of compilers that includes C, C++, Objective C, Chill, Fortran, Java, and (in the next release) GNAT Ada. The original GNU C compiler dominates the C software development market.	GPL	http://gcc.gnu.org/
GDB (1 example)	GDB = GNU Project Debugger. GDB, the GNU Project debugger, allows you to see what is going on inside another program while it executes, or what another program was doing at the moment it crashed. GDB can be used to start your program with any options you want, stop your program when specified conditions occur, examine the state of your program after stopping it, and change your program temporarily to examine the effects of possible fixes.	GPL	http://sources.redhat.com/gdb/
Ghostscript (2 examples)	Ghostscript, along with its associated graphical interface tools Ghostview and GSview, provides viewing of postscript and PDF documents.	AFPL	http://www.cs.wisc.edu/~ghost/
GNAT (9 examples)	GNAT is a FOSS implementation of Ada 95. Commercial versions of GNAT (GNAT Pro Ada 95) and support are provided by Ada Core Technologies, and fully FOSS (GPL) versions are also available. A GNAT Ada front-end will also be added to GCC in GCC 3.1.	GPL	http://www.gnat.com/ ftp://cs.nyu.edu/pub/gnat/ http://gcc.gnu.org/
GnuPG (1 example)	GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. GnuPG is a complete and free replacement for PGP. It can be used to encrypt data and to create digital signatures, and it includes an advanced key management facility. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application, providing compatibility with PGP from NAI Inc.	GPL	http://www.gnupg.org/
gnuplot (3 examples)	gnuplot is a command-driven interactive function plotting program that can be used to plot functions and data points in two or three dimensions and many different formats. It is free, but not GPL, despite its name.	Gnuplot	http://www.gnuplot.info/
grep (1 example)	GNU grep can be used to search text files or text streams for lines that match simple or complex patterns.	GPL	http://www.gnu.org/software/grep/grep.html
h2n (1 example)	h2n converts a table of host computers into a form usable as Internet (DNS) names.	GPL	http://www.crihan.fr/system/linux/maint/bind/old/h2n-man.html
HOSTS (1 example)	HOSTS = Host-Oriented Security Test Suite. Provides greater consistency and repeatability in security testing of Unix and Unix-like operating systems by automating many aspects of the testing process.	GPL	http://www.openchannelfoundation.org/projects/HOSTS
ImageMagick (1 example)	ImageMagick provides display and conversion of images in about 70 major formats.	ImageMagick	http://www.imagemagick.org/
JADE (1 example)	JADE = Java Agent DEvelopment framework. JADE provides Java middleware for creating "multi-agent" software that on multiple networked machines. JADE implements FIPA agent communication standards.	LGPL	http://sharon.cselt.it/projects/jade/
Jakarta (1 example)	Jakarta is a web site that provides FOSS Java solutions for a wide range of applications and problems.	Apache	http://jakarta.apache.org/
Jaxen (1 example)	Jaxen = Java XPath Engine. Jaxen is a Java and XML development tool that interprets XPath expressions for multiple XML models, including DOM, dom4j, EXML, and JDOM.	Apache	http://jaxen.org/
JBoss (1 example)	JBoss is a J2EE-compliant web application server that provides middleware capabilities (EJB and JMS), database connectivity (JDBC), transactions (JTA/JTS), presentation (servlets and Java Server Pages), and directory services (JNDI). In March 2002, Sun Microsystems expressed stronger support for getting the popular JBoss package Java certified.	LGPL	http://jboss.org/
JDOM (1 example)	JDOM provides a fast, easy-to-read way to represent XML documents in Java. (JDOM is a name, not an acronym.)	GPL	http://www.jdom.org/
Jikes (1 example)	Jikes is a FOSS compiler for Java.	IPL	http://oss.software.ibm.com/developerworks/opensource/jikes/
jSIP (1 example)	jSIP = Java Session Initiation Protocol. The jSIP library provides text-based collaboration by users, including Instant Messaging.	GPL	http://jsip.sourceforge.net/
Kaffe (1 example)	Kaffe is a FOSS implementation of the Java Virtual Machine (JVM), which is the software that interprets Java software. (Sun JVMs are free but not FOSS.)	GPL	http://www.kaffe.org/
LaTeX (2 examples)	LaTeX (pronounced "lay-tek") is a high-quality typesetting system, with features designed for the production of technical and scientific documentation. It is the de facto standard for writing and publishing scientific documents.	LaTeX	http://www.latex-project.org/
Linux (19 examples)	Linux is a popular Unix-like FOSS operating system. It contains hundreds of individual tools, and has more commercial and applications support than any other FOSS operating system.	GPL	http://www.linux.org/
Linux (Red Hat) (3 examples)	Red Hat is the most popular commercial source for the Linux operating system.	GPL	http://www.redhat.com/
Linux firewalls (1 example)	Linux provides a variety of tools for creating firewalls.	GPL	http://www.linuxjournal.com/article.php?sid=1212 http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
Lsof (1 example)	Lsof = List Open Files. Lsof lists any currently open files or process communications.	Lsof	http://freshmeat.net/projects/lsof/
m4 (1 example)	GNU m4 is a "macro expander" that can be used to create large sets of source code (such as web pages) with a shared format or visual look and feel.	GPL	http://www.gnu.org/software/m4/
Majordomo (1 example)	Majordomo automates management of Internet mailing lists. Once a list is set up, nearly all operations can be performed remotely by email. A graphical user interface called MajorCool is also available.	GPL	http://www.greatcircle.com/majordomo/
make (2 examples)	The GNU make utility automatically determines which pieces of a large program need to be recompiled, and issues the commands to recompile them.	GPL	http://www.gnu.org/manual/make-3.79.1/html_node/make_toc.html
Maxima (1 example)	Maxima is a Common Lisp implementation of MIT's Macsyma system for computer based algebra.	GPL	http://www.ma.utexas.edu/users/wfs/maxima.html
MIMEsweeper (1 example)	MIMEsweeper is a closed source product with FOSS origins. It looks for suspicious patterns in the actual content of emails and communications to help identify suspicious activities.	Closed from open (MIMEsweeper)	http://www.mimesweeper.com/default.asp
MRTG (3 examples)	MRTG = Multi Router Traffic Grapher. MRTG provides monitoring of traffic load on network links, and shows the live status graphically using HTML images that can be viewed over the Internet.	GPL	http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
MTR (1 example)	MTR determines whether a network computer is available, and the overall quality of the link to it.	GPL	http://www.bitwizard.nl/mtr/
MySQL (4 example)	MySQL is the world's most popular FOSS database. It is fast, full-functioned, and precise enough to be used in both heavy load and mission critical applications.	GPL	http://www.mysql.com/
Nessus (3 examples)	An easy-to-use, full-functioned, and up-to-date remote security scanner.	GPL	http://www.nessus.org/
NetBSD (1 example)	The Unix-like operating BSD operating systems are FOSS competitors to Linux, and are notable for having generally higher levels of reliability and security. OpenBSD, NetBSD, and FreeBSD are best known. NetBSD is notable for being highly portable across a wide range of computer platforms.	BSD	http://www.netbsd.org/ http://www.daemonnews.org/199904/editorial.html http://www.openbsd.org/ http://www.freebsd.org/
NetSaint (1 example)	NetSaint monitors network Linux hosts services and can alert administrators of problems via email when a problem arises.	GPL	http://www.netsaint.org/
nload (1 example)	nload monitors and graphically displays real-time network traffic and usage.	GPL	http://www.roland-riegel.de/nload/index_en.html
Nmap (2 examples)	Nmap scans networks and maps out their configurations.	GPL	http://www.insecure.org/nmap/
ntop (2 examples)	ntop is a Unix tool that shows the heaviest users of network resources in ranked order, making it easy to see hot spots or anomalous usage.	GPL	http://www.ntop.org/ntop.html
NTP (1 example)	NTP = Network Time Protocol. NTP software provides the ability to synchronize in network computer clocks precisely.	GPL	http://www.eecis.udel.edu/~ntp/ http://www.eecis.udel.edu/~mills/ntp.htm http://www.eecis.udel.edu/~ntp/ntp_spool/html/ntpd.htm
Octave (1 example)	GNU Octave is a high-level language, primarily intended for numerical computations. It provides a convenient command line interface for solving linear and nonlinear problems numerically, and for performing other numerical experiments using a language that is mostly compatible with MATLAB. It may also be used as a batch-oriented language.	GPL	http://www.octave.org/
OpenBSD (1 example)	The Unix-like operating BSD operating systems are FOSS competitors to Linux, and are notable for having generally higher levels of reliability and security. OpenBSD, NetBSD, and FreeBSD are best known. OpenBSD is notable for its high security, support for encryption, and an exceptionally rigorous self-auditing process. OpenBSD has been particularly successful at avoiding the kinds of default security holes commonly encountered when installing most operating systems.	BSD	http://www.openbsd.org/ http://www.daemonnews.org/199904/editorial.html http://www.freebsd.org/ http://www.netbsd.org/
OpenMap (2 examples)	OpenMap is JavaBeans-based programmer's toolkit that allows Java application to access map data from older databases and formats.	OpenMAP	http://openmap.bbn.com/
OpenOffice (1 example)	OpenOffice is a suite of business office support programs comparable to Microsoft Office, but based on the open and easily exchanged XML format. OpenOffice began as a free but closed-source system called StarOffice, which was bought by Sun Microsystems, who eventually made it fully FOSS. As of early 2002, OpenOffice was still undergoing the transition from closed to FOSS.	GPL	http://www.openoffice.org/
OpenSSH (1 example)	OpenSSH = Open Secured Shell. OpenSSH provides secure (encrypted) access to remote network computers.	BSD	http://www.openssh.com/
OpenSSL (1 example)	OpenSSL is a FOSS implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols for secure communications over the Internet. It includes a full-strength, general-purpose library of cryptography software.	OpenSSL	http://www.openssl.org/
Perl (25 examples)	Perl = Practical Extraction and Reporting Language. A popular, functionally rich Internet language that is used in a wide range of applications that include extracting data from text, reformatting documents, and integrating software components.	GPL	http://www.perl.org/
Perl CGI scripts (1 example)	Perl scripts provide numerous functions to support web sites, including various types of search.	GPL	http://www.scriptsearch.com/Perl/Scripts_and_Programs/ http://awsd.com/scripts/
PerLDAP (2 examples)	The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing online directory services. PerLDAP is a Perl implementation of it.	GPL	http://www.perldap.org/
PHP (4 examples)	PHP = PHP Hypertext Preprocessor. PHP allows web pages to interact with users (e.g., to accept and display form data).	PHP	http://www.php.net/
PingScan (1 example)	PingScan scans networks to find all accessible systems.	GPL	http://www.linux.org/apps/AppId_1996.html
Procmail (1 example)	Procmail supports lists and automated pre-processing of email, such as sorting, selecting, and re-routing emails based on various criteria and conditions.	GPL	http://www.procmail.org/
Qmail (1 example)	Qmail is a FOSS replacement for Sendmail, the program that transfers emails between computers on the Internet. Qmail has improved security, reliability, and performance features.	Qmail	http://qmail.goof.com/top.html
R (1 example)	R is a language and environment for statistical computing and graphics. It provides a wide variety of statistical and graphical techniques such as linear and nonlinear modeling, statistical tests, time series analysis, classification, and clustering. It is also known as GNU S, a reference both to its use of the GPL and its similarity to the S statistical language.	GPL	http://www.r-project.org/
RealSecure (1 example)	RealSecure is a closed source intrusion detection product with FOSS origins.	Closed from open (RealSecure)	http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php
RRDtool (2 examples)	RRDtool = Round Robin Database tool. RRDtool provides efficient collection of network usage data over extended periods of time.	GPL	http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
RTLinux (1 example)	RTLinux allows Linux and BSD operating systems to respond reliably to time-critical applications such as embedded device control, instrumentation, and certain types of communications.	RTLinux	http://www.fsmlabs.com/community/
RWhois (1 example)	RWhois provides improved administrative identification of users on a network.	GPL	http://www.rwhois.net/
RXVT (1 example)	A smaller, more compact way to interact via command lines with programs.	GPL	http://www.rxvt.org/ http://www.math.fu-berlin.de/~guckes/rxvt/#intro
Samba (3 examples)	Samba is a popular tool that allows Linux and BSD (OpenBSD, NetBSD, and FreeBSD) operating systems to provide invisibly the same file and printer services as Windows servers. Since the Linux and BSD operating systems were generally more stable than early Windows NT servers, administrators often invisibly converted Windows servers to Linux-plus-Samba to improve network reliability.	GPL	http://us1.samba.org/samba/samba.html
SARA (1 example)	SARA = Security Auditor's Research Assistant. SARA is a third generation Unix security analysis tool that is based on the SATAN model.	SATAN	http://www-arc.com/sara/
SATAN (2 examples)	SATAN = Security Administrator Tool for Analyzing Networks. It is a first generation Unix security analysis tool that collects data on networked hosts.	SATAN	http://www.uazone.org/demch/analysis/sec-inchtools.html#5.1
Saxon (1 example)	SAXON provides tools for processing XML. (XML is the successor to the HTML used in most Internet web pages.) It includes an XML standards-compliant XSLT processor, plus and a number of useful extensions, such as a Java library that provides XSL-like processing.	MPL	http://saxon.sourceforge.net/
SCA (1 example)	SCA = Software Communications Architecture. This web site provides standards for writing code for software-defined radio applications. This is an early effort to promote sharing by providing an overall standards framework through which contributed software can work and interoperate.	Community (SCA)	http://www.jtrs.saalt.army.mil/docs/documents/sca.html
sed (2 examples)	sed = Stream Editor. GNU sed can be used to extract or transform text in very large files, or in incoming or outgoing streams of text data of indefinite length. Perl and awk (gawk) both provide more functionality, but for simple filtering and conversions, sed is both fast and easy to use.	GPL	http://www.gnu.org/software/sed/sed.html http://www.dreamwvr.com/sed-info/sed-faq.html
SELinux (2 examples)	SELinux = Security Enhanced Linux, a set of Linux enhancements developed specifically by NSA to make Linux usable in a broader range of government and industry applications. (Note: In contrast, NSA Signal Intelligence prohibits use of Linux.)	GPL	http://www.nsa.gov/selinux/
Sendmail (1 example)	Sendmail takes care of the actual transfer of email messages between Internet computers. Sendmail is the most widely used such program on the Internet. Qmail provides a more security-focused FOSS alternative.	Sendmail	http://www.sendmail.org/
SNARE (1 example)	SNARE = System iNtrusion Analysis and Reporting Environment). An auditing and intrusion detection module that can be attached directly to the Linux kernel.	GPL	http://www.intersectalliance.com/projects/Snare/
Snort (3 examples)	Snort is a multi-platform, lightweight, rule-based tool for detecting hostile intrusions into a network. It works well on small networks, and can be deployed quickly to help fill in network security holes when new attacks emerge.	GPL	http://www.snort.org/ http://www.snort.org/docs/lisapaper.txt
Squid (1 example)	Squid improves web performance for Unix and Unix-like systems by invisibly providing local copies (caching) of frequently used files and information from remote parts of the web. It supports full-featured proxying (that is, invisible replacement of requests for files from remote sites with copies of the same information previously stored locally) and caching for most of the major web protocols and formats, including HTTP, FTP, and web site names (URLs), and also proxying for SSL.	GPL	http://www.squid-cache.org/
Tcl/Tk (1 example)	Tcl is a scripting language for controlling computer devices, and Tk is a library for creating graphical interfaces to those parts.	BSD	http://www.tcl.tk/
TCP Wrappers (2 examples)	Provides monitoring and filtering of incoming requests for network services, including sysstat, finger, ftp, telnet, rlogin, rsh, exec, tftp, and talk.	TCP Wrappers	ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.BLURB ftp://ftp.porcupine.org/pub/security/index.html
Tomcat (1 example)	Tomcat is a FOSS implementation of the official "servlet container" for Java Servlets and JavaServer Pages.	Apache	http://jakarta.apache.org/tomcat/index.html
Top (1 example)	Top is a standard Unix (Linux and BSD) tool for determining which processes are consuming the most processing resources.	GPL	http://www.tac.eu.org/cgi-bin/man-cgi?top+1
Tripwire (2 examples)	Tripwire monitors key attributes of files that should not change and provides alerts when they do change.	GPL	http://www.tripwire.org/qanda/faq.php
VisAD (1 example)	VisAD = Visualization for Algorithm Development. VisAD is a Java library for interactive and collaborative visualization and analysis of numerical data.	LGPL	http://www.ssec.wisc.edu/~billh/visad.html
VOCAL (1 example)	VOCAL = Vovida Open Communication Application Library. VOCAL provides tools and software for building advanced Internet telephony (VoIP) applications.	Vovida	http://www.vovida.org/applications/downloads/vocal/home.html
VTK (1 example)	VTK = Visualization Toolkit. VTK provides 3D computer graphics, image processing, and visualization. It has interfaces to most of the major Internet computer languages, and is used by thousands of researchers and developers around the world.	VTK	http://public.kitware.com/VTK/
Webmin (1 example)	Webmin makes it possible to do web-based remote or local system administration of Unix and Unix-like systems. Using any browser that supports tables and forms (and Java for the File Manager module), you can setup user accounts, Apache, DNS, file sharing, and other common system admin tasks. The web server part of Webmin is written in Perl, using only standard Perl modules.	BSD	http://www.webmin.com/
WebTAS (1 example)	WebTAS = Web-enabled Timeline Analysis System. WebTAS provides tools for analyzing data and looking for suspicious patterns in the data of both large and small organizations, particularly law enforcement and security agencies. It is free under a limited access (community) license.	Community (WebTAS)	http://www.webtas.com/ http://iswsolutions.com/webtas.shtml
Weka (1 example)	Weka is a collection of machine learning algorithms for solving real-world data mining problems. It is written in Java and runs on almost any platform.	GPL	http://www.cs.waikato.ac.nz/~ml/weka/
WU-FTPD (1 example)	WU-FTPD provides the ability to transfer files easily ("FTP") between computers on the Internet. It is the most widely used program for providing FTP capabilities.	WU-FTPD	http://www.wu-ftpd.org/
Xalan (1 example)	Xalan-Java and Xalan-C++ are XSLT-based tools for converting XML documents into HTML, text, or other XML document types.	Apache	http://xml.apache.org/xalan-j/ http://www.garshol.priv.no/download/xmltools/prod/Xalan-C.html
Xerces (3 examples)	Xerces interprets (parses) XML, which is the successor to HTML. Xerces is available for Java, C++, and Windows.	Apache	http://xml.apache.org/
XFree86 (1 example)	XFree86 is a FOSS version of the X windowing system used in most Unix-like systems, including Linux and the BSD operating systems. It provides easy-to-use, PC-like graphical displays and controls for computer users.	Xfree86	http://www.xfree86.org/
XGobi (1 example)	XGobi is a data visualization system for viewing high-dimensional data. The most recent version is called GGobi. GGobi components include four FOSS licenses: AT&T Open Source License , GPL , BSD , and LGPL .	AT&T Open Source License	http://www.ggobi.org/ ; http://www.research.att.com/areas/stat/xgobi/
Xpatch (1 example)	Xpatch provides tools for predicting the likely radar signatures of both nearby and distant objects.	Community (Xpatch)	http://www.saic.com/products/software/xpatch/
zlib (6 examples)	A library of FOSS compression software with a license that permits use in closed source products.	zlib	http://www.gzip.org/zlib/
Zope (1 example)	Zope is a web application server used to create web-based applications such as intranets and portals.	ZPL	http://www.zope.org/

3. Use of Licenses in DoD Applications
1. List of FOSS Licenses

Table 8 lists the FOSS licenses used in the identified DoD applications, with links to the full texts of the licenses (in Appendix D) provided in the last column of the table.

Table 8 . Index and Notes for FOSS Licenses

License Name	Notes	Text
ACE/TAO Copyright	BSD-like (Douglas Schmidt)	D.1
AFPL (Aladdin Free Public License)	Unusual for its prohibition of for-profit sale of the software	D.2
Apache License	Used in the widely deployed Apache web server.	D.3
Artistic License	Used in the widely deployed Perl web language.	D.4
AT&T Open Source License		D.5
BSD License	The most common FOSS license, after GPL. Allows easy inclusion in non-BSD software, but does not ensure code rights to later software recipients	D.6
C++ Boost License Selection Spec.	BSD-like	D.7
Closed from open (eTrust)	Closed application with FOSS (OpenSSL License and toolkit) origins	D.8
Closed from open (GateD)	The original Cornell GateD Copyright made the source available, but placed restrictions on redistribution	D.9
Closed from open (MIMEsweeper)	Closed source tools with FOSS (SATAN License) origins	D.10
Closed from open (RealSecure)	RealSecure is a closed source tools with FOSS (SATAN License) origins	D.11
Colt License and Copyrights	A diverse mix of licenses including LGPL, public domain, and community	D.12
Community License (EADSIM)	Community license for U.S. Government users	D.13
Community License (WebTAS)	Community license for U.S. Government users	D.14
Community License (Xpatch)	Community license for U.S. Government users	D.15
Community Specification (CIS)	A community specification. Associated Scoring Tools that implement the specification are provided as freeware	D.16
Community Specification (SCA)	A community specification for developing proprietary software products.	D.17
Gnuplot Copyright	Forbids redistribution of full source code	D.18
GPL (General Public License)	The dominant FOSS license. GPL requires that code that directly incorporates GPL source also be licensed as GPL. This makes GPL more complicated to use (see in contrast BSD), but has the benefit of ensuring that all subsequent recipients of the original GPL software receive full software modification and redistribution rights (see in contrast BSD).	D.19
ImageMagick Copyright	BSD-like	D.20
IPL (IBM Public License)		D.21
ISC License	BSD-like	D.22
LaTeXProject Public License	One of the earliest open-source-like licenses	D.23
LGPL (Lesser General Public License)	BSD-like	D.24
Lsof Copyright	BSD-like (Victor Abell)	D.25
MITRE License	Allows selection of either GPL or MPL	D.26
MPL (Mozilla Public License)	Used to make public the formerly proprietary source of the Netscape browser	D.27
OpenMAP License	Retains BBN ownership of original source code, but allows developers to retain rights to any source code they may add	D.28
OpenSSL License	Apache-like	D.29
PHP License	Apache-like; replaces GPL of earlier PHP releases	D.30
Public Domain (Expect)	Expect is U.S. government public domain software whose original source code cannot be license or copyrighted, but can be incorporated freely under other more restrictive licenses.	D.31
Qmail License	Easy source distribution, but very tight control of changes	D.32
RTLinux Open Patent License	GPL-like and fully GPL compliant	D.33
SATAN License	BSD-like, but does not allow profits from redistributed copies	D.34
Sendmail License	GPL-like	D.35
TCP Wrappers License	BSD-like	D.36
Vovida Software License	BSD-like	D.37
VTK Copyright	BSD-like	D.38
WU-FTPD Software License	GPL-like	D.39
XFree86	BSD-like; very similar to the X/MIT License	D.40
X/MIT License	BSD-like; the basis of for the XFree86 License	D.41
zlib License	BSD-like	D.42
ZPL (Zope Public License)	GPL compatible	D.43

Applications Grouped By License

Table 9 provides a breakdown of DoD FOSS applications by the type of FOSS license used in each application. The GPL dominates, followed distantly by BSD and Apache.

Table 9 . Use of Licenses In All Applications

License	DoD Applications Using License
GPL (59) [52%]	ACID	Autoconf	Automake	bash	Bastille
	Condor	COPS	CVS	Cygwin	DDD
	DjVuLibre	Emacs	gawk (awk)	GCC	GDB
	GNAT	GnuPG	grep	h2n	HOSTS
	JDOM	jSIP	Kaffe	Linux	Linux (Red Hat)
	Linux firewalls	m4	Majordomo	make	Maxima
	MRTG	MTR	MySQL	Nessus	NetSaint
	nload	Nmap	ntop	NTP	Octave
	OpenOffice	Perl	Perl CGI scripts	PerLDAP	PingScan
	Procmail	R	RRDtool	RWhois	RXVT
	Samba	sed	SELinux	SNARE	Snort
	Squid	Top	Tripwire	Weka
BSD (7) [6%]	AMANDA	FreeBSD	NetBSD	OpenBSD
	OpenSSH	Tcl/Tk	Webmin
Apache (6) [5%]	Apache	Jakarta	Jaxen
	Tomcat	Xalan	Xerces
Community: CIS , EADSIM , SCA , WebTAS , Xpatch (5) [4%]	CIS Benchmarks	EADSIM	SCA
	WebTAS	Xpatch
Closed from open: eTrust , GateD , MIMEsweeper , RealSecure (4) [3%]	eTrust	GateD
	MIMEsweeper	RealSecure
LGPL (3) [3%]	JADE	JBoss
	VisAD
ACE/TAO (2) [2%]	ACE	ACE ORB (TAO)
SATAN (2) [2%]	SARA	SATAN
AFPL (1) [1%]	Ghostscript
Artistic (1) [1%]	Crack
AT&T Open Source (1) [1%]	XGobi
C++ Boost (1) [1%]	C++ Boost
Colt (1) [1%]	Colt
Gnuplot (1) [1%]	gnuplot
ImageMagick (1) [1%]	ImageMagick
IPL (1) [1%]	Jikes
ISC (1) [1%]	BIND
LaTeX (1) [1%]	LaTeX
Lsof (1) [1%]	Lsof
MITRE (1) [1%]	CVW
MPL (1) [1%]	Saxon
OpenMAP (1) [1%]	OpenMap
PHP (1) [1%]	PHP
OpenSSL (1) [1%]	OpenSSL
Public Domain (Expect) (1) [1%]	Expect
Qmail (1) [1%]	Qmail
RTLinux (1) [1%]	RTLinux
Sendmail (1) [1%]	Sendmail
TCP Wrappers (1) [1%]	TCP Wrappers
Vovida (1) [1%]	VOCAL
VTK (1) [1%]	VTK
WU-FTPD (1) [1%]	WU-FTPD
XFree86 (1) [1%]	XFree86
zlib (1) [1%]	zlib
ZPL (1) [1%]	Zope
(Total of 115 applications)

3. Breakdown of Licenses By Application Use

The tables in this section show the relative levels of use of the various types of FOSS licenses within the four major application areas of Infrastructure Support, Software Development, Security, and Research.

1. Use of Licenses in Infrastructure Support

Table 10 provides a breakout of how the licenses are used for Infrastructure Support.

Table 10 . Use of Licenses In Infrastructure Support Applications

License	DoD Infrastructure Support Applications Using License
GPL (32) [49%]	Condor	Cygwin	Emacs	gawk (awk)	GnuPG
	grep	h2n	JDOM	Linux (Red Hat)	Linux firewalls
	Majordomo	MRTG	MTR	MySQL	NetSaint
	nload	Nmap	ntop	NTP	OpenOffice
	Perl	Perl CGI scripts	PerLDAP	PingScan	Procmail
	RRDtool	RWhois	Samba	sed	SELinux
	Squid	Top
Apache (5) [8%]	Apache	Jaxen	Tomcat
	Xalan	Xerces
BSD (4) [6%]	AMANDA	FreeBSD
	OpenSSH	Webmin
ACE/TAO (2) [3%]	ACE	ACE ORB (TAO)
Community: EADSIM , SCA (2) [3%]	EADSIM	SCA
SATAN (2) [3%]	SARA	SATAN
AFPL (1) [1.5%]	Ghostscript
Closed from open: GateD (1) [1.5%]	GateD
ImageMagick (1) [1.5%]	ImageMagick
ISC (1) [1.5%]	BIND
LaTeX (1) [1.5%]	LaTeX
LGPL (1) [1.5%]	JBoss
Lsof (1) [1.5%]	Lsof
MITRE (1) [1.5%]	CVW
OpenMAP (1) [1.5%]	OpenMap
OpenSSL (1) [1.5%]	OpenSSL
PHP (1) [1.5%]	PHP
Qmail (1) [1.5%]	Qmail
RTLinux (1) [1.5%]	RTLinux
Sendmail (1) [1.5%]	Sendmail
WU-FTPD (1) [1.5%]	WU-FTPD
XFree86 (1) [1.5%]	XFree86
zlib (1) [1.5%]	zlib
ZPL (1) [1.5%]	Zope
(Total of 65 applications)

2. Use of Licenses in Software Development

Table 11 provides the same breakout for Software Development.

Table 11 . Use of Licenses In Software Development Applications

License	DoD Software Development Applications Using License
GPL (22) [42%]	Autoconf	Automake	bash	CVS	Cygwin
	DDD	DjVuLibre	Emacs	GCC	GDB
	GNAT	GnuPG	h2n	JDOM	jSIP
	Kaffe	Linux	m4	make	MySQL
	Perl	RXVT
Apache (5) [10%]	Jakarta	Jaxen	Tomcat
	Xalan	Xerces
BSD (4) [8%]	FreeBSD	NetBSD
	OpenSSH	Tcl/Tk
ACE/TAO (2) [4%]	ACE	ACE ORB (TAO)
LGPL (2) [4%]	JADE	JBoss
C++ Boost (1) [2%]	C++ Boost
Closed from open: GateD (1) [2%]	GateD
Community: SCA (1) [2%]	SCA
ImageMagick (1) [2%]	ImageMagick
IPL (1) [2%]	Jikes
LaTeX (1) [2%]	LaTeX
MPL (1) [2%]	Saxon
OpenMAP (1) [2%]	OpenMap
PHP (1) [2%]	PHP
Public Domain (Expect) (1) [2%]	Expect
RTLinux (1) [2%]	RTLinux
Vovida (1) [2%]	VOCAL
VTK (1) [2%]	VTK
WU-FTPD (1) [2%]	WU-FTPD
XFree86 (1) [2%]	XFree86
zlib (1) [2%]	zlib
ZPL (1) [2%]	Zope
(Total of 52 applications)

3. Use of Licenses in Security

Table 12 provides the breakout for Security.

Table 12 . Use of Licenses In Security Applications

License	DoD Security Applications Using License
GPL (26) [59%]	ACID	Bastille	COPS	GCC	GnuPG
	HOSTS	Linux	Linux (Red Hat)	Linux firewalls	MRTG
	MTR	MySQL	Nessus	NetSaint	nload
	Nmap	ntop	Perl	Perl CGI scripts	PerLDAP
	RRDtool	SELinux	SNARE	Snort	Squid
	Tripwire
BSD (5) [11%]	FreeBSD	OpenBSD	OpenSSH
	Tcl/Tk	Webmin
Closed from open: eTrust , MIMEsweeper , RealSecure (3) [7%]	eTrust	MIMEsweeper
	RealSecure
SATAN (2) [4.5%]	SARA	SATAN
Artistic (1) [2%]	Crack
Community: CIS (1) [2%]	CIS Benchmarks
Lsof (1) [2%]	Lsof
OpenSSL (1) [2%]	OpenSSL
PHP (1) [2%]	PHP
Public Domain (Expect) (1) [2%]	Expect
Qmail (1) [2%]	Qmail
TCP Wrappers (1) [2%]	TCP Wrappers
(Total of 44 applications)

4. Use of Licenses in Research

Finally, Table 13 provides the license breakout for Research.

Table 13 . Use of Licenses In Research Applications

License	DoD Research Applications Using License
GPL (7) [33%]	Condor	jSIP	Linux	Maxima
	Octave	R	Weka
Community: EADSIM , SCA , Xpatch (3) [14%]	EADSIM	SCA
	Xpatch
LGPL (2) [10%]	JADE	VisAD
ACE/TAO (1) [5%]	ACE ORB (TAO)
AT&T Open Source (1) [5%]	XGobi
Closed from open: GateD (1) [5%]	GateD
Colt (1) [5%]	Colt
Gnuplot (1) [5%]	gnuplot
IPL (1) [5%]	Jikes
MITRE (1) [5%]	CVW
Vovida (1) [5%]	VOCAL
VTK (1) [5%]	VTK
(Total of 21 applications)

4. FOSS Licenses

This appendix provides the complete text of the licenses used in the DoD FOSS applications that were identified by the survey. The online Internet source of each license is also given.

1. ACE-TAO License

Source: http://www.cs.wustl.edu/~schmidt/ACE-copying.html

Note: The license shown below is for reference purposes and does not apply to this document.

Copyright and Licensing Information for ACE(TM) and TAO(TM)

ACE ^(TM) and TAO ^(TM) are copyrighted by Douglas C. Schmidt and his research group at Washington University and University of California, Irvine , Copyright (c) 1993-2002, all rights reserved. Since ACE+TAO are open-source, free software, you are free to use, modify, copy, and distribute--perpetually and irrevocably--the ACE+TAO source code and object code produced from the source, as well as copy and distribute modified versions of this software. You must, however, include this copyright statement along with code built using ACE+TAO.

You can use ACE+TAO in proprietary software and are under no obligation to redistribute any of your source code that is built using ACE+TAO. Note, however, that you may not do anything to the ACE+TAO code, such as copyrighting it yourself or claiming authorship of the ACE+TAO code, that will prevent ACE+TAO from being distributed freely using an open-source development model. You needn’t inform anyone that you’re using ACE+TAO in your software, though we encourage you to let us know so we can promote your project in the ACE+TAO success stories.

ACE+TAO are provided as is with no warranties of any kind, including the warranties of design, merchantability, and fitness for a particular purpose, noninfringement, or arising from a course of dealing, usage or trade practice. Moreover, ACE+TAO are provided with no support and without any obligation on the part of Washington University, UC Irvine, their employees, or students to assist in its use, correction, modification, or enhancement. However, commercial support for ACE is available from Riverace and commercial support for TAO is available from OCI and PrismTech . Both ACE and TAO are Y2K-compliant, as long as the underlying OS platform is Y2K-compliant.

Washington University, UC Irvine, their employees, and students shall have no liability with respect to the infringement of copyrights, trade secrets or any patents by ACE+TAO or any part thereof. Moreover, in no event will Washington University or UC Irvine, their employees, or students be liable for any lost revenue or profits or other special, indirect and consequential damages.

The ACE and TAO web sites are maintained by the Center for Distributed Object Computing of Washington University for the development of open-source software as part of the open-source software community . By submitting comments, suggestions, code, code snippets, techniques (including that of usage), and algorithms, submitters acknowledge that they have the right to do so, that any such submissions are given freely and unreservedly, and that they waive any claims to copyright or ownership. In addition, submitters acknowledge that any such submission might become part of the copyright maintained on the overall body of code, which comprises the ACE and TAO software. By making a submission, submitter agree to these terms. Furthermore, submitters acknowledge that the incorporation or modification of such submissions is entirely at the discretion of the moderators of the open-source ACE+TAO projects or their designees.

The names ACE^(TM), TAO^(TM), Washington University, and UC Irvine, may not be used to endorse or promote products or services derived from this source without express written permission from Washington University or UC Irvine. Further, products or services derived from this source may not be called ACE^(TM) or TAO^(TM), nor may the name Washington University or UC Irvine appear in their names, without express written permission from Washington University or UC Irvine.

If you have any suggestions, additions, comments, or questions, please let me know.

Douglas C. Schmidt

2. AFPL

Source: http://www.cs.wisc.edu/~ghost/doc/AFPL/7.04/Public.htm

Note: The license shown below is for reference purposes and does not apply to this document.

Aladdin Free Public License (Version 9, September 18, 2000)

Copyright (C) 1994, 1995, 1997, 1998, 1999, 2000 Aladdin Enterprises, Menlo Park, California, U.S.A. All rights reserved.

NOTE: This License is not the same as any of the GNU Licenses published by the Free Software Foundation . Its terms are substantially different from those of the GNU Licenses. If you are familiar with the GNU Licenses, please read this license with extra care.

Aladdin Enterprises hereby grants to anyone the permission to apply this License to their own work, as long as the entire License (including the above notices and this paragraph) is copied with no changes, additions, or deletions except for changing the first paragraph of Section 0 to include a suitable description of the work to which the license is being applied and of the person or entity that holds the copyright in the work, and, if the License is being applied to a work created in a country other than the United States, replacing the first paragraph of Section 6 with an appropriate reference to the laws of the appropriate country.

This License is not an Open Source license: among other things, it places restrictions on distribution of the Program, specifically including sale of the Program. While Aladdin Enterprises respects and supports the philosophy of the Open Source Definition, and shares the desire of the GNU project to keep licensed software freely redistributable in both source and object form, we feel that Open Source licenses unfairly prevent developers of useful software from being compensated proportionately when others profit financially from their work. This License attempts to ensure that those who receive, redistribute, and contribute to the licensed Program according to the Open Source and Free Software philosophies have the right to do so, while retaining for the developer(s) of the Program the power to make those who use the Program to enhance the value of commercial products pay for the privilege of doing so.

0. Subject Matter

This License applies to the computer program known as "AFPL Ghostscript." The "Program", below, refers to such program. The Program is a copyrighted work whose copyright is held by artofcode LLC, located in Benicia, California (the "Licensor"). Please note that AFPL Ghostscript is neither the program known as "GNU Ghostscript" nor the version of Ghostscript available for commercial licensing from Artifex Software Inc.

A "work based on the Program" means either the Program or any derivative work of the Program, as defined in the United States Copyright Act of 1976, such as a translation or a modification.

BY MODIFYING OR DISTRIBUTING THE PROGRAM (OR ANY WORK BASED ON THE PROGRAM), YOU INDICATE YOUR ACCEPTANCE OF THIS LICENSE TO DO SO, AND ALL ITS TERMS AND CONDITIONS FOR COPYING, DISTRIBUTING OR MODIFYING THE PROGRAM OR WORKS BASED ON IT. NOTHING OTHER THAN THIS LICENSE GRANTS YOU PERMISSION TO MODIFY OR DISTRIBUTE THE PROGRAM OR ITS DERIVATIVE WORKS. THESE ACTIONS ARE PROHIBITED BY LAW. IF YOU DO NOT ACCEPT THESE TERMS AND CONDITIONS, DO NOT MODIFY OR DISTRIBUTE THE PROGRAM.

1. Licenses.

Licensor hereby grants you the following rights, provided that you comply with all of the restrictions set forth in this License and provided, further, that you distribute an unmodified copy of this License with the Program:

(a) You may copy and distribute literal (i.e., verbatim) copies of the Program’s source code as you receive it throughout the world, in any medium.

(b) You may modify the Program, create works based on the Program and distribute copies of such throughout the world, in any medium.

2. Restrictions.

This license is subject to the following restrictions:

(a) Distribution of the Program or any work based on the Program by a commercial organization to any third party is prohibited if any payment is made in connection with such distribution, whether directly (as in payment for a copy of the Program) or indirectly (as in payment for some service related to the Program, or payment for some product or service that includes a copy of the Program "without charge"; these are only examples, and not an exhaustive enumeration of prohibited activities). The following methods of distribution involving payment shall not in and of themselves be a violation of this restriction:

(i) Posting the Program on a public access information storage and retrieval service for which a fee is received for retrieving information (such as an on-line service), provided that the fee is not content-dependent (i.e., the fee would be the same for retrieving the same volume of information consisting of random data) and that access to the service and to the Program is available independent of any other product or service. An example of a service that does not fall under this section is an on-line service that is operated by a company and that is only available to customers of that company. (This is not an exhaustive enumeration.)

(ii) Distributing the Program on removable computer-readable media, provided that the files containing the Program are reproduced entirely and verbatim on such media, that all information on such media be redistributable for non-commercial purposes without charge, and that such media are distributed by themselves (except for accompanying documentation) independent of any other product or service. Examples of such media include CD-ROM, magnetic tape, and optical storage media. (This is not intended to be an exhaustive list.) An example of a distribution that does not fall under this section is a CD-ROM included in a book or magazine. (This is not an exhaustive enumeration.)

(b) Activities other than copying, distribution and modification of the Program are not subject to this License and they are outside its scope. Functional use (running) of the Program is not restricted, and any output produced through the use of the Program is subject to this license only if its contents constitute a work based on the Program (independent of having been made by running the Program).

(c) You must meet all of the following conditions with respect to any work that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof ("the Work"):

(i) If you have modified the Program, you must cause the Work to carry prominent notices stating that you have modified the Program’s files and the date of any change. In each source file that you have modified, you must include a prominent notice that you have modified the file, including your name, your e-mail address (if any), and the date and purpose of the change;

(ii) You must cause the Work to be licensed as a whole and at no charge to all third parties under the terms of this License;

(iii) If the Work normally reads commands interactively when run, you must cause it, at each time the Work commences operation, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty). Such notice must also state that users may redistribute the Work only under the conditions of this License and tell the user how to view the copy of this License included with the Work. (Exceptions: if the Program is interactive but normally prints or displays such an announcement only at the request of a user, such as in an "About box", the Work is required to print or display the notice only under the same circumstances; if the Program itself is interactive but does not normally print such an announcement, the Work is not required to print an announcement.);

(iv) You must accompany the Work with the complete corresponding machine-readable source code, delivered on a medium customarily used for software interchange. The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable code. If you distribute with the Work any component that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, you must also distribute the source code of that component if you have it and are allowed to do so;

(v) If you distribute any written or printed material at all with the Work, such material must include either a written copy of this License, or a prominent written indication that the Work is covered by this License and written instructions for printing and/or displaying the copy of the License on the distribution medium;

(vi) You may not impose any further restrictions on the recipient’s exercise of the rights granted herein.

If distribution of executable or object code is made by offering the equivalent ability to copy from a designated place, then offering equivalent ability to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source code along with the object code.

3. Reservation of Rights.

No rights are granted to the Program except as expressly set forth herein. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

4. Other Restrictions.

If the distribution and/or use of the Program is restricted in certain countries for any reason, Licensor may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

5. Limitations.

THE PROGRAM IS PROVIDED TO YOU "AS IS," WITHOUT WARRANTY. THERE IS NO WARRANTY FOR THE PROGRAM, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL LICENSOR, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

6. General.

This License is governed by the laws of the State of California, U.S.A., excluding choice of law rules.

If any part of this License is found to be in conflict with the law, that part shall be interpreted in its broadest meaning consistent with the law, and no other parts of the License shall be affected.

For United States Government users, the Program is provided with RESTRICTED RIGHTS. If you are a unit or agency of the United States Government or are acquiring the Program for any such unit or agency, the following apply:

If the unit or agency is the Department of Defense ("DOD"), the Program and its documentation are classified as "commercial computer software" and "commercial computer software documentation" respectively and, pursuant to DFAR Section 227.7202, the Government is acquiring the Program and its documentation in accordance with the terms of this License. If the unit or agency is other than DOD, the Program and its documentation are classified as "commercial computer software" and "commercial computer software documentation" respectively and, pursuant to FAR Section 12.212, the Government is acquiring the Program and its documentation in accordance with the terms of this License.

3. Apache License

Source: http://www.apache.org/LICENSE.txt

Note: The license shown below is for reference purposes and does not apply to this document.

The Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/ )." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact apache@apache.org .

5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

4. Artistic License

Source: http://www.perl.com/language/misc/Artistic.html

Note: The license shown below is for reference purposes and does not apply to this document.

Preamble

The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.

Definitions

"Package" refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification.

"Standard Version" refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder as specified below.

"Copyright Holder" is whoever is named in the copyright or copyrights for the package.

"You" is you, if you’re thinking about copying or distributing this Package.

"Reasonable copying fee" is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.)

"Freely Available" means that no fee is charged for the item itself, though there may be fees involved in handling the item. It also means that recipients of the item may redistribute it under the same conditions they received it.

1. You may make and give away verbatim copies of the source form of the Standard Version of this Package without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.

2. You may apply bug fixes, portability fixes and other modifications derived from the Public Domain or from the Copyright Holder. A Package modified in such a way shall still be considered the Standard Version.

3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:

a. place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major archive site such as uunet.uu.net, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.

b. use the modified Package only within your corporation or organization.

c. rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version.

d. make other distribution arrangements with the Copyright Holder.

4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:

a. distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.

b. accompany the distribution with the machine-readable source of the Package with your modifications.

c. give non-standard executables non-standard names, and clearly document the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version.

d. make other distribution arrangements with the Copyright Holder.

5. You may charge a reasonable copying fee for any distribution of this Package. You may charge any fee you choose for support of this Package. You may not charge a fee for this Package itself. However, you may distribute this Package in aggregate with other (possibly commercial) programs as part of a larger (possibly commercial) software distribution provided that you do not advertise this Package as a product of your own. You may embed this Package’s interpreter within an executable of yours (by linking); this shall be construed as a mere form of aggregation, provided that the complete Standard Version of the interpreter is so embedded.

6. The scripts and library files supplied as input to or produced as output from the programs of this Package do not automatically fall under the copyright of this Package, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this Package. If such scripts or library files are aggregated with this Package via the so-called "undump" or "unexec" methods of producing a binary executable image, then distribution of such an image shall neither be construed as a distribution of this Package nor shall it fall under the restrictions of Paragraphs 3 and 4, provided that you do not represent such an executable image as a Standard Version of this Package.

7. C subroutines (or comparably compiled subroutines in other languages) supplied by you and linked into this Package in order to emulate subroutines and variables of the language defined by this Package shall not be considered part of this Package, but are the equivalent of input as in Paragraph 6, provided these subroutines do not change the language in any way that would cause it to fail the regression tests for the language.

8. Aggregation of this Package with a commercial distribution is always permitted provided that the use of this Package is embedded; that is, when no overt attempt is made to make this Package’s interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a distribution of this Package.

9. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.

10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF merchantability AND FITNESS FOR A PARTICULAR PURPOSE.

The End

5. AT&T Open Source License

Source: http://www.ggobi.org/license.html

Note: The license shown below is for reference purposes and does not apply to this document.

SOURCE CODE AGREEMENT

Version 1.1

PLEASE READ THIS AGREEMENT CAREFULLY. By accessing and using the Source Code, you accept this Agreement in its entirety and agree to only use the Source Code in accordance with the following terms and conditions. If you do not wish to be bound by these terms and conditions, do not access or use the Source Code.

1. YOUR REPRESENTATIONS

1. You represent and warrant that:

a. If you are an entity, or an individual other than the person accepting this Agreement, the person accepting this Agreement on your behalf is your legally authorized representative, duly authorized to accept agreements of this type on your behalf and obligate you to comply with its provisions;

b. You have read and fully understand this Agreement in its entirety;

c. Your Build Materials are either original or do not include any Software obtained under a license that conflicts with the obligations contained in this Agreement;

d. To the best of your knowledge, your Build Materials do not infringe or misappropriate the rights of any person or entity; and,

e. You will regularly monitor the Website for any notices.

2. DEFINITIONS AND INTERPRETATION

1. For purposes of this Agreement, certain terms have been defined below and elsewhere in this Agreement to encompass meanings that may differ from, or be in addition to, the normal connotation of the defined word.

a. "Additional Code" means Software in source code form which does not contain any

i. of the Source Code, or

ii. derivative work (such term having the same meaning in this Agreement as under U.S. Copyright Law) of the Source Code.

b. "AT&T Patent Claims" means those claims of patents (i) owned by AT&T and (ii) licensable without restriction or obligation, which, absent a license, are necessarily and unavoidably infringed by the use of the functionality of the Source Code.

c. "Build Materials" means, with reference to a Derived Product, the Patch and Additional Code, if any, used in the preparation of such Derived Product, together with written instructions that describe, in reasonable detail, such preparation.

d. "Capsule" means a computer file containing the exact same contents as the computer file having the name ggobi.tgz, ggobi.tar.gz or ggobi.zip, which will be downloaded after accepting, or was opened to access, this Agreement.

e. "Derived Product" means a Software Product which is a derivative work of the Source Code.

f. "IPR" means all rights protectable under intellectual property law anywhere throughout the world, including rights protectable under patent, copyright and trade secret laws, but not trademark rights.

g. "Patch" means Software for changing all or any portion of the Source Code.

h. "Proprietary Notice" means the following statement:

"This product contains certain software code or other information ("AT&T Software") proprietary to AT&T Corp. ("AT&T"). The AT&T Software is provided to you "AS IS". YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR USE OF THE AT&T SOFTWARE. AT&T DOES NOT MAKE, AND EXPRESSLY DISCLAIMS, ANY EXPRESS OR IMPLIED WARRANTIES OF ANY KIND WHATSOEVER, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WARRANTIES OF TITLE OR NON-INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHTS, ANY WARRANTIES ARISING BY USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE, OR ANY WARRANTY THAT THE AT&T SOFTWARE IS "ERROR FREE" OR WILL MEET YOUR REQUIREMENTS.

You have the right to obtain from the person or entity who furnished this product to you support and maintenance for the AT&T Software substantially similar to the support and maintenance offered by such person or entity with respect to the rest of this product and/or any other reasonably comparable products the person or entity distributes. Unless you accept a license to use the AT&T Software, you shall not reverse compile, disassemble or otherwise reverse engineer this product to ascertain the source code for any AT&T Software.

© AT&T Corp. All rights reserved. AT&T is a registered trademark of AT&T Corp."

i. "Software" means, as the context may require, source or object code instructions for controlling the operation of a central processing unit or computer, and computer files containing data or text.

j. "Software Product" means a collection of computer files containing Software in object code form only, which, taken together, reasonably comprise a product, regardless of whether such product is intended for internal use or commercial exploitation. A single computer file can comprise a Software Product.

k. "Source Code" means the Software contained in compressed form in the Capsule.

l. "Website" means the Internet website having the URL http://www.research.att.com/areas/stat/ggobi . AT&T may change the content or URL of the Website, or remove it from the Internet altogether.

2. By way of clarification only, the terms Capsule, Proprietary Notice and Source Code when used in this Agreement shall mean the materials and information defined by such terms without any change, enhancement, amendment, alteration or modification (collectively, "change").

3. GRANT OF RIGHTS

1. Subject to third party intellectual property claims, if any, and the terms and conditions of this Agreement, AT&T grants to you under:

a. the AT&T Patent Claims and AT&T’s copyright rights in the Source Code, a non-exclusive, fully paid-up license to:

i. Reproduce and distribute the Capsule;

ii. Compile the Source Code and execute the resultant binary Software on a computer;

iii. Prepare a Derived Product solely by compiling Additional Code, if any, together with the code resulting from operating a Patch on the Source Code; and,

iv. Execute on a computer and distribute to others Derived Products,

except that, with respect to the AT&T Patent Claims, the license rights granted in clauses (iii) and (iv) above shall only extend, and be limited, to that portion of a Derived Product which is Software compiled from some portion, without change, of the Source Code; and,

b. AT&T’s copyright rights in the Source Code, a non-exclusive, fully paid-up license to prepare and distribute Patches for the Source Code.

2. Subject to the terms and conditions of this Agreement, you may create a hyperlink between an Internet website owned and controlled by you and the Website, which hyperlink describes in a fair and good faith manner where the Capsule and Source Code may be obtained, provided that, you do not frame the Website or otherwise give the false impression that AT&T is somehow associated with, or otherwise endorses or sponsors your website. Any goodwill associated with such hyperlink shall inure to the sole benefit of AT&T. Other than the creation of such hyperlink, nothing in this Agreement shall be construed as conferring upon you any right to use any reference to AT&T, its trade names, trademarks, service marks or any other indicia of origin owned by AT&T, or to indicate that your products or services are in any way sponsored, approved or endorsed by, or affiliated with, AT&T.

3. Except as expressly set forth in Section 3.1 above, no other rights or licenses under any of AT&T’s IPR are granted or, by implication, estoppel or otherwise, conferred. By way of example only, no rights or licenses under any of AT&T’s patents are granted or, by implication, estoppel or otherwise, conferred with respect to any portion of a Derived Product which is not Software compiled from some portion, without change, of the Source Code.

4. YOUR OBLIGATIONS

1. You shall only distribute the Capsule and Build Materials free of charge, without any form of compensation. However, you may charge for bona fide maintenance and support of the Software resulting from the Build Materials and, if you furnish the Capsule or Build Materials on any physical media, you may charge for your out-of-pocket expense for both the media and shipping. You may distribute Derived Products for a fair and reasonable fee.

2. If you distribute Build Materials (including if you are required to do so pursuant to this Agreement), you shall ensure that the recipient enters into and duly accepts a written agreement with you which includes the minimum terms set forth in Appendix A (completed to indicate you as the LICENSOR) and no other provisions which, in AT&T’s opinion, conflict with your obligations under, or the intent of, this Agreement. The agreement required under this Section 4.2 may be in electronic form.

3. If you prepare a Derived Product that you distribute to a third party, or if you distribute to a third party any Build Materials for a Derived Product, you shall make available to such third party support and maintenance for at least that portion of such Derived Product or Build Materials which is, or is a derivative work of, the Source Code. Such support and maintenance shall be substantially similar to the support and maintenance offered by you with respect to any other reasonably comparable products that you distribute. In no event shall you or anyone acting for you, in any way, indicate to any person or entity that AT&T will support or maintain any Software and you shall indemnify AT&T for any expenses, including legal fees, incurred by AT&T as a result of a breach of this Section 4.3.

4. If you prepare a Patch which you distribute to anyone else you shall:

a. Contact AT&T, as may be provided on the Website or in a text file included with the Source Code, and describe for AT&T such Pa