When we release a new version of OSSEC and tell our users to update to it, what do you think they do? Well, most of them upgrade to the latest version without asking too many questions. However, some users with C and development experience go out and diff the code, look at the CVS changelog, and do a careful review to see if the new version fits their needs. But (big BUT), the user must know what he or she is doing to make an informed decision.
Anyway, what does this have to do with the GPL? Well, I am not a lawyer and I am not a license expert. If the FSF, which wrote the GPLv2 (the license that OSSEC currently uses), tells me to update to the GPLv3, what do you think I should do? If my expertise were in licenses, I would go and review the license before deciding, but since it is not, I will probably just trust them and update.
What does that mean? Unless there is a good reason not to do so, the next version of OSSEC will be under the GPLv3. We trust the work that the FSF is doing for the open source community, and the process to develop the GPLv3 was very good (open participation, lots of smart contributors, etc.), so the final product must be good too.
Any comments? Any license expert willing to share your thoughts?