Snort mailing list archives

Re: RFC: Forking Snort


From: "Andrew R. Baker" <andrewb () sourcefire com>
Date: Tue, 02 Jul 2002 18:25:59 -0400


Dear Snort users,

Jed's core assumption is incorrect; Snort development has been a team
effort for a number of years.  In addition to the handful of core
developers who write most of the code, there are a number of other
developers and users who actively participate in guiding the direction
the project is headed.  This group consists of people from numerous
companies and non-profit organizations.  For a time Jed Pickel was part
of this group of core developers, but in January of this year he opted
to leave due to lack of time to dedicate to the project.

Snort is developed as part of a team effort; the team is led by
Marty.  Running the Snort project by committee can only serve to bring
the speed at which the system is developed to a near crawl.  The time
spent wrangling over the most menial topics of Snort development would
be moved to ivory tower mailing lists thereby preventing any effective
work being done.  A committee regulated by rules and regulations will
neither improve the speed at which Snort is developed nor will it bring
a better IDS to the community.  IDS is a rapidly changing technology;
for Snort to be useful as an IDS it must be able to adapt rapidly to
the changing needs of its users.  This will not be possible under
committee style management.  If IDS were a mature technology, like web
servers and compilers currently are, then management by a committee
*might* be feasible.

Sourcefire as a company requires that Snort be the fastest, most robust,
and most complete IDS available.  This *is* what is required of Snort
for Sourcefire to be successful.  What does this mean for those who use
Snort?  Since Snort is licensed under the GPL, all of the changes
Sourcefire has to make will also be covered under the GPL.  This means
that all the end users (and even the other companies that incorporate
Snort into appliances - without contributing anything back to the
project) will have the best IDS engine available on the market.
Provided the aforementioned facts, the assertion that the goals of
Sourcefire and the Snort community conflict is without merit.

It is correct to state that there has been a sharp reduction in the
amount of code contributed to the project.  People seem to be pretty
happy with the development direction and a lot of development is going
into the 1.9 branch awaiting a stable release.  The efforts of a few
developers over the past several years have ensured that the most
desired features are already there.  Throughout the project's history,
the amount of source code contributed by non-core developers has
statistically been minimal.  This is perhaps due to the fact that an IDS
is far more complex than the usual fare of open source software users
periodically contribute code to.  It should be noted that new code is
still admitted to the Snort code base, spp_conversation and
spp_portscan2 being recent examples.

All of the code contributed to Snort over the past few years has been
subject to scrutiny.  As Snort's architecture has progressed and become
more complicated, buggy code was examined and removed from the CVS tree
where necessary.  Any decision to remove code from CVS was not made in
a vacuum; it was made on the basis of performance, maintainability, and
usefulness.  All users and would-be developers have an equal opportunity
to contribute code to the project.  Likewise all would-be developers
should expect their code to be harshly scrutinized as a failure in an
IDS is unacceptable.  Snort has become widely used and well loved
precisely because the development team considers Snort's stability and
performance to be the highest priority.  Sourcefire and other
non-Sourcefire core developers often benchmark Snort thoroughly. By
constantly evaluating and benchmarking the system, all Snort users are
continually receiving an improved product.  Confusion surrounding
statements such as where the system breaks down and which components
(since removed from CVS) may have caused it to crash would be best
addressed outside this message.

Additionally, most of the major contributed code has been in the area of
output plugins.  Since it was recognized that output processing could
become a major bottleneck in detection performance, we extended the
architecture to include a separate subsystem (Barnyard) to offload this
from the core system.  As Barnyard matures and becomes easier to use, we
expect to see much more contributed code in this area.  Several
companies have already expressed interest in making contributions.  It
was assumed the developers of the existing output plugins would port
over their existing code to Barnyard.  However, this has not ever come
to pass and thus to bridge the gap, a (still incomplete) set of output
plugins has been written by the Barnyard developers that would produce
as much of the same output as possible with limited development hours.

Sourcefire's investors cannot "gain more control of Snort".  Their
influence is limited to what development hours Sourcefire is willing to
pay the Snort developers that work there.  Currently, Sourcefire is
willing to pay for development efforts for several of the core
developers and has hired other developers who would not have normally
worked on the project.  The benefits of all this work are given back to
every Snort user.  Look at stream4, frag2, spo_unified, etc. if you have
any doubt.  Sourcefire is a company that actively supports the continued
open source development of Snort and is guided by Snort's author, who
has also maintained publicly that the best way for Sourcefire to be
successful is to make Snort the best IDS technology on the planet.

We, the undersigned, are solidly behind the current Snort development
effort and are not in favor of a code fork.

Andrew R. Baker  <andrewb () sourcefire com>
Jeff Nathan      <jeff () snort org>
Jed Haile        <jed () grep net>
Chris Green      <cmg () sourcefire com>
Brian Caswell    <bmc () snort org>
Erek Adams       <erek () theadamsfamily net>
Marty Roesch     <roesch () sourcefire com>
Dragos Ruiu      <dragos () dursec com>



