[Snort-users] Re: [Snort-devel] RFC: Forking Snort
jed at ...2168...
Wed Jul 3 13:31:31 EDT 2002
On Tuesday 02 July 2002 12:50 am, you wrote:
> Unfortunately, the forces that have brought Snort this level of success
> are falling out of balance. With Marty at the helm of both a wildly
> successful open source project and Sourcefire (a growing, soon to be
> 800 pound gorilla in the intrusion detection market) he is faced with
> answering to a board of directors on one hand and the security community
> on the other. These are opposing forces with dramatically different
> goals. It is simply not possible for a single person to serve both of
> these roles and act in the best interest of each.
You completely fail to provide any reasoning about how Sourcefire and the
security community have dramatically different goals. Or even more importantly
how Marty's goals with Sourcefire stand to harm Snort. You fear this might be
the case, but you have no proof.
One question: What interest could Sourcefire possibly have in irritating the
many users of Snort? None. Sourcefire is hoping to win customers, not
alienate people. I can assure you that every decision that Marty and the rest
of the development team makes is done with *lots* of consideration about how
that decision will affect the users.
I'm sure that Sourcefire's board and management are equally aware that
keeping the Snort user community happy will be an important part of any
future success. If Snort users decide that Sourcefire is a trustworthy
company, then they might decide to spend some money with Sourcefire.
> While the number of users of Snort is growing, the percentage of
> community contributed code is decreasing. The reasons for this are not
> immediately obvious. Although there is plenty of community interest in
> contributing code, these interests are apparently in conflict with the
> goals of Sourcefire. Thus, some contributions have been subjected to
> stealth deletions, others have never been incorporated in the codebase
> or have been re-written by Sourcefire to be more accommodating toward
> their goals.
The rapid growth and acceptance of Snort over the past year tells me
something right is being done with Snort, not something wrong. Sourcefire has
been around for about a year. Perhaps Sourcefire allowing a number of people
to concentrate on Snort full time is a benefit? It's not as if Sourcefire has
been changing Snort and withholding the changes from others. It's not as if
Marty has announced that all future versions of Snort will be under some
other license. Instead Sourcefire has been paying for new Snort development,
and Marty has stated many times that Snort will remain under the GPL.
I have recently had significant new code introduced into Snort, so I have
direct evidence to indicate that Snort development is still open to
developers at large who are willing to make a contribution. Perhaps Snort
isn't seeing lots of new contributions because most users need no new
features, or are unable to contribute at this time.
Another thing I should point out, as one of the developers of hogwash, is
that if you want to do your own thing with Snort, have at it. Marty and the
rest of the Snort team have been fully supportive of the hogwash team's
efforts. Hogwash is in many aspects a fork of Snort, it is also a project
that I hope to one day see merged with Snort. Marty has expressed that he
would like to see that also.
> The most successful of the contributed code has been subjected to
> consistent negative and inflammatory PR campaigns. Marty carries this
> out by proclaiming to the community false and misleading statements
> such as --- "Many of the contributed plugins, Marty says, 'were
> bug-filled, crashy, and slowed things down.'" This tactic began to
> manifest in an unhealthy way a little over a year ago, shortly after
> Sourcefire was getting started.
Maintaining code is tough work. Maintaining somebody else's code is even
harder. Every bit of code that gets removed or added is a decision that is
made by a number of people. It is irresponsible of you to state that removing
buggy/unmaintained/slow code is an unhealthy attitude. Snort is good, fast,
and stable because the development team makes the very difficult decision of
what code to keep and what code to axe. No code was removed as a result of
Marty making a lone decision. Just because you have not been active in recent
development and maintenance of Snort doesn't imply that nobody else is
Furthermore, I do not see how removing code because it is buggy or slow is
inflammatory. Unless the developer who submitted the code had his feelings
hurt. It is unreasonable to expect a performance oriented project where
users demand extreme stability to blindly accept and keep any piece of code
simply because somebody submitted it. It is also unreasonable to submit some
code, get it accepted into wide use, and then walk away from it and expect
somebody else to maintain it how you would have done it.
> One can only speculate the strategy of Sourcefire in the long run;
> however, it would be foolish to think the goals of Sourcefire do not
> include maximizing profits. I have plenty of respect for Marty and I
> believe he has the best of intentions; however, he is no longer the man
> with the final say at Sourcefire. The investors of Sourcefire now
> control the critical strategies and goals of the company. There will
> undoubtedly and understandably be pressure from Sourcefire investors to
> gain more control of Snort while creating barriers to entry and stifling
> the competition.
Before you accuse Marty, or Sourcefire, of any such misbehavior in a public
forum perhaps you should come up with some evidence. I have already given
evidence on how Sourcefire is helping to advance Snort, and why it is
apparent to me that it would be contrary to Sourcefire's interests to do
anything to upset the huge crowd of Snort users. If I were a shareholder in
Sourcefire, I would be extremely upset if anything was done to drive away the
vast pool of potential customers that Snort users represent.
What you are engaging in here is little more than fear mongering. If we are
going to question motives, what is your motive in doing that?
> There are a vast number of Snort add ons and wrappers (both open source
> and proprietary) that lead me to believe Snort is on the track toward
> becoming something of an operating system of intrusion detection that
> forms a base for numerous applications and business to grow and
> flourish. I would like to see an environment of healthy competition in
> this market to benefit the consumer, security community, and provide the
> opportunity for independent developers and business to find some niche
> and profit from their work.
The simple fact that so many companies exist who are trying to profit in some
way from Snort indicates to me that the environment is healthy.
> These are the reasons why I believe now is the time for the community to
> begin discussing forming a branch of Snort that is governed by a
> consortium that is not profit driven, but rather exists to support the
> best interests of the community and support healthy competition among
> all of the companies that are providing Snort based security solutions.
Perhaps Linus should give up control of the linux kernel to a consortium of
IBM, RedHat, Mandrake, Caldera, etc. Perhaps GVR should give python up to a
board of folks from ActiveState, MS, RedHat, and so forth. There are many
open source projects with considerable financial activity going on about them
that have the benevolent dictator model. Many have become extremely
I believe that Snort still has more growing to do. I think that Snort
development needs to remain extremely responsive to changing needs. I do not
believe for a single moment that any "consortium" of people, most of whom are
competitors, could ever hope to come to an agreement on anything. Much less
making hard decisions on what code to keep/drop and what architectural
changes to make. At that point Snort development will become a political
process instead of an engineering process. Look at any standards process for
ample evidence of how such a process is doomed to work. How will that benefit
any of the Snort user base?
Each project has its own culture. Part of the Snort project's culture is
Marty's leadership style and his personality. Marty has given an unthinkable
amount of time and energy to Snort. Many many people have benefitted from his
work, and many others have been inspired to follow his lead and contribute
their own time and effort. Marty has always been honest and has always taken
his responsibilities to all Snort users extremely seriously. I also know that
his greatest concern when he founded Sourcefire and when he pursued investors
was that the Snort project and its community would continue to enjoy the
same freedoms that we all enjoy from free software.
The fact of the matter is there is more than one person with CVS access,
there are people other than Marty who can review code, and insert it into the
base distribution. There is a core team of developers, and all decision
making by Snort is done by that team. Core developers come and go as they
become active/inactive in the project.
> This is a sensitive topic, but I believe the time has come to surface
> it. I'd like to hear your opinion... Is now the right time to begin
> considering a fork or branch of Snort? What benefits or advantages would
> this create for end users, business that use Snort, business that
> provide products or services based on Snort, or the security community
> as a whole? If a consortium were formed for governing a new fork of
> Snort who or what businesses, organizations, or individuals should that
In my opinion Snort has never been better. I cannot think of any way to
better insure that Snort will remain what it is today, except to allow the
existing process to continue. There is a process to how development is done,
before you criticize the process you should learn how it is being done.
If you really feel like you can do better, then go off and do it. Fix the
bugs, and try to find developers who have the time and skills. Write the
docs, answer the emails, etc. Implement new functionality. Learn how to make
the process work. Make your own reality.
I find many of the statements you made to be either ungrounded, uninformed,
incomplete or inaccurate. Many of them seem to be crafted to create
controversy. That is entirely an unfair thing to do to Marty, and the rest of
the developers, and does not do anything to help make Snort better. Please do
not clutter things with unfounded speculation, accusations, and FUD.