Snort mailing list archives
Re: [Snort-devel] Re: RFC: Forking Snort
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 03 Jul 2002 17:17:43 -0400
On 7/2/02 3:15 PM, "Matt Jonkman" <matt () jonkmans com> wrote:
Same sentiment. I don't necessarily think all the original issues mentioned are true, but I feel it would be more beneficial for the future development to have more maintainers, and a more committee-based direction. My organization has a few times (and this is no fault of or negative reflection on Marty) tried to contribute significant ideas, or significant chunks of code (Oracle support for example), and Marty wasn't able to respond.
Which organization is that?
Only by a little persistence and bullying were we able to get the code we are using back out to the community at large. I know he's not able to respond because of the load and enterprises he's managing now. So the natural step would be to get a few more people at the top to handle new code, the future, and the plugins.
I don't maintain the database plugin, I've never maintained the database plugin, why would I be the point of contact for future database plugin contributions? I probably dropped it immediately because it was improperly submitted to the wrong person (me) and you didn't read far enough into the docs to see that Jed/Roman are the guys that develop the database code in Snort. The suggestion that development by committee might somehow improve the odds of your code getting into the system when it's sent to a single developer (and the wrong one as well) doesn't solve the problem of people needing to use the existing development *group* more successfully. Do you think Linus would have any different response over on the Linux project with improperly submitted code?
I'm a big believer in the plugins. If you find a bad one don't use it. That gives you the ability to add whatever you need without impacting the entire community. I'm in a vertical market and could really contribute a few things we've learned about our industry, but they won't fit into rules. We need a plugin to do things well. (We haven't developed anything yet, but could if that avenue were there) Marty should be devoting all his time and effort to the commercial efforts. That's what is going to feed his family (whether that's a family of humans or just hungry computers) and pay his bills and fill that retirement fund.
I'll decide how to distribute my time myself, thank you. Paying my bills is directly related to the quality of Snort now, take the next few logical steps to understand what this means in terms of Snort's quality and capabilities. Combine that with my commitment to keeping Snort open source and I think this whole notion of forking "for the good of the people" to be a false premise.
Whether we need an apache-style board, simply a few more maintainers, or start an open-source democracy I'm not sure. I think a tweak of the current model is in order though.
We've got 3 primary coders (Andrew, Chris and myself), several contributors (Dragos, Jeff Nathan, Fyodor, Chris Reid, etc) and 600+ people on snort-devel, I think that's plenty of people to talk to. If the code is vetted and accepted by the people whose opinions I trust, that's the express lane to getting code into the system. I get a lot of patches and contributions otherwise and only review what immediately piques my interest or what I can get to.
-Marty
Matt
----- Original Message -----
From: "Jesse W. Asher" <jasher1 () tampabay rr com>
To: "Jed Pickel" <jed () pickel net>
Cc: <snort-users () lists sourceforge net>; <snort-devel () lists sourceforge net>; <focus-ids () securityfocus com>
Sent: Tuesday, July 02, 2002 12:16 PM
Subject: [Snort-devel] Re: RFC: Forking Snort
Although I'm not sure I agree with all your observations, I definitely agree and support the drive to separate the commercial product from the open source product. As you say, these are at odds. Snort is successful because of its open source roots and it would be a shame to see that mentality abandoned.
Jed Pickel wrote:
This document is intended to gauge the interest of the Snort community in creating a fork of Snort that is governed by a consortium (similar to Apache's "Apache Software Foundation") rather than a single profit driven corporate entity. Below I will provide some background as to why I am bringing this up. There are advantages and disadvantages to this from nearly every perspective; thus, I encourage comments and discussion of all opinions.
Snort has come to a critical point in its evolution. Due to the hard work from numerous developers and thousands of users, Snort is now monitoring many of the world's most sensitive networks. Also, a growing number of companies are offering commercial solutions based on Snort and standardization efforts have leveraged Snort as a conduit toward furthering security standards. As a result, the number of Snort users continues to grow as it becomes more commercially accepted. Few would disagree that Snort has successfully become a "killer app".
The challenge Snort now faces is how to avoid becoming a victim of its own success. Apache is an example of open source code that has successfully bridged the gap from killer app to significant piece of Internet Infrastructure. This success can be attributed to governing and regulating Apache's growth through a consortium. I believe Snort could benefit from the same type of arrangement.
Unfortunately, the forces that have brought Snort this level of success are falling out of balance. With Marty at the helm of both a wildly successful open source project and Sourcefire (a growing, soon to be 800 pound gorilla in the intrusion detection market) he is faced with answering to a board of directors on one hand and the security community on the other. These are opposing forces with dramatically different goals. It is simply not possible for a single person to serve both of these roles and act in the best interest of each.
While the number of users of Snort is growing, the percentage of community contributed code is decreasing. The reasons for this are not immediately obvious. Although there is plenty of community interest in contributing code, these interests are apparently in conflict with the goals of Sourcefire. Thus, some contributions have been subjected to stealth deletions, others have never been incorporated in the codebase or have been re-written by Sourcefire to be more accommodating toward their goals. The most successful of the contributed code has been subjected to consistent negative and inflammatory PR campaigns. Marty carries this out by proclaiming to the community false and misleading statements such as --- "Many of the contributed plugins, Marty says, 'were bug-filled, crashy, and slowed things down.'"[1]
This tactic began to manifest in an unhealthy way a little over a year ago, shortly after Sourcefire was getting started.
One can only speculate the strategy of Sourcefire in the long run; however, it would be foolish to think the goals of Sourcefire do not include maximizing profits. I have plenty of respect for Marty and I believe he has the best of intentions; however, he is no longer the man with the final say at Sourcefire. The investors of Sourcefire now control the critical strategies and goals of the company.
There will undoubtedly and understandably be pressure from Sourcefire investors to gain more control of Snort while creating barriers to entry and stifling the competition.
There are a vast number of Snort add ons and wrappers (both open source and proprietary) that lead me to believe Snort is on the track toward becoming something of an operating system of intrusion detection that forms a base for numerous applications and businesses to grow and flourish. I would like to see an environment of healthy competition in this market to benefit the consumer, security community, and provide the opportunity for independent developers and businesses to find some niche and profit from their work.
These are the reasons why I believe now is the time for the community to begin discussing forming a branch of Snort that is governed by a consortium that is not profit driven, but rather exists to support the best interests of the community and support healthy competition among all of the companies that are providing Snort based security solutions.
This is a sensitive topic, but I believe the time has come to surface it. I'd like to hear your opinion...
Is now the right time to begin considering a fork or branch of Snort?
What benefits or advantages would this create for end users, businesses that use Snort, businesses that provide products or services based on Snort, or the security community as a whole?
If a consortium were formed for governing a new fork of Snort who or what businesses, organizations, or individuals should that involve?
All comments, flames, and opinions are welcome. The sole intention of this message is to initiate discussion.
Regards,
* Jed
References
-----------------------------------------
[1] http://newsforge.com/newsforge/02/06/29/2127239.shtml?tid=3
--
Jesse W. Asher
"They that can give up essential liberty to purchase a little temporary safety, deserve neither liberty or safety." - Benjamin Franklin
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users