Snort mailing list archives
Re: RFC: Forking Snort
From: "Andrew R. Baker" <andrewb () sourcefire com>
Date: Tue, 02 Jul 2002 18:25:59 -0400
Dear Snort users,

Jed's core assumption is incorrect; Snort development has been a team effort for a number of years. In addition to the handful of core developers who write most of the code, there are a number of other developers and users who actively participate in guiding the direction the project is headed. This group consists of people from numerous companies and non-profit organizations. For a time Jed Pickel was part of this group of core developers, but in January of this year he opted to leave due to lack of time to dedicate to the project.

Snort is developed as part of a team effort; the team is led by Marty. Running the Snort project by committee can only serve to bring the speed at which the system is developed to a near crawl. The time spent wrangling over the most menial topics of Snort development would be moved to ivory tower mailing lists thereby preventing any effective work being done. A committee regulated by rules and regulations will neither improve the speed at which Snort is developed nor will it bring a better IDS to the community.

IDS is a rapidly changing technology; for Snort to be useful as an IDS it must be able to adapt rapidly to the changing needs of its users. This will not be possible under committee style management. If IDS were a mature technology, like web servers and compilers currently are, then management by a committee *might* be feasible.

Sourcefire as a company requires that Snort be the fastest, most robust, and most complete IDS available. This *is* what is required of Snort for Sourcefire to be successful. What does this mean for those who use Snort? Since Snort is licensed under the GPL, all of the changes Sourcefire has to make will also be covered under the GPL. This means that all the end users (and even the other companies that incorporate Snort into appliances - without contributing anything back to the project) will have the best IDS engine available on the market.
Provided the aforementioned facts, the assertion that the goals of Sourcefire and the Snort community conflict is without merit.

It is correct to state that there has been a sharp reduction in the amount of code contributed to the project. People seem to be pretty happy with the development direction and a lot of development is going into the 1.9 branch awaiting a stable release. The efforts of a few developers over the past several years have ensured that the most desired features are already there. Throughout the project's history, the amount of source code contributed by non-core developers has statistically been minimal. This is perhaps due to the fact that an IDS is far more complex than the usual fare of open source software users periodically contribute code to. It should be noted that new code is still admitted to the Snort code base, spp_conversation and spp_portscan2 being recent examples.

All of the code contributed to Snort over the past few years has been subject to scrutiny. As Snort's architecture has progressed and become more complicated, buggy code was examined and removed from the CVS tree where necessary. Any decision to remove code from CVS was not made in a vacuum; it was made on the basis of performance, maintainability, and usefulness. All users and would-be developers have an equal opportunity to contribute code to the project. Likewise all would-be developers should expect their code to be harshly scrutinized as a failure in an IDS is unacceptable.

Snort has become widely used and well loved precisely because the development team considers Snort's stability and performance to be the highest priority. Sourcefire and other non-Sourcefire core developers often benchmark Snort thoroughly. By constantly evaluating and benchmarking the system, all Snort users are continually receiving an improved product.
Confusion surrounding statements such as where the system breaks down and which components (since removed from CVS) may have caused it to crash would be best addressed outside this message.

Additionally, most of the major contributed code has been in the area of output plugins. Since it was recognized that output processing could become a major bottleneck in detection performance, we extended the architecture to include a separate subsystem (Barnyard) to offload this from the core system. As Barnyard matures and becomes easier to use, we expect to see much more contributed code in this area. Several companies have already expressed interest in making contributions. It was assumed the developers of the existing output plugins would port over their existing code to Barnyard. However, this has not ever come to pass and thus to bridge the gap, a (still incomplete) set of output plugins has been written by the Barnyard developers that would produce as much of the same output as possible with limited development hours.

Sourcefire's investors cannot "gain more control of Snort". Their influence is limited to what development hours Sourcefire is willing to pay the Snort developers that work there. Currently, Sourcefire is willing to pay for development efforts for several of the core developers and has hired other developers who would not have normally worked on the project. The benefits of all this work are given back to every Snort user. Look at stream4, frag2, spo_unified, etc. if you have any doubt.

Sourcefire is a company that actively supports the continued open source development of Snort and is guided by Snort's author, who has also maintained publicly that the best way for Sourcefire to be successful is to make Snort the best IDS technology on the planet.

We, the undersigned, are solidly behind the current Snort development effort and are not in favor of a code fork.

Andrew R. Baker <andrewb () sourcefire com>
Jeff Nathan <jeff () snort org>
Jed Haile <jed () grep net>
Chris Green <cmg () sourcefire com>
Brian Caswell <bmc () snort org>
Erek Adams <erek () theadamsfamily net>
Marty Roesch <roesch () sourcefire com>
Dragos Ruiu <dragos () dursec com>