Nmap Development: Re: Nessus closes source => How to help open source projects

From: Chris Green <cmgreen_at_uab.edu>
Date: Wed, 05 Oct 2005 21:53:02 -0500

A long time ago, I used to be one of the more active snort developers. I
ended up working at Sourcefire and worked with them for roughly two years.

There's a very clear pattern that seems to happen; security product gets
associated with commercial entity and the primary developer community is
either absorbed or alienated. Communication about new features becomes
company knowledge rather than community. It makes perfect sense that the
company controls what they release.

"The open source folks aren't pulling their weight any longer" is a common
developer complaint. At least from the snort side, I look back and think
"Wow, we did a horrible job of harnessing the people that were looking for a
summer project". Seeing the SoC stuff from Google was exciting to me
because it shows it can be done. Even cooler is that Google harnessed their
competitive recruiting culture into public works.

I am making some big assumptions below, please correct me if I'm wrong:

* Gcc - primarily funded by hardware developers, from what I've read from
porting to X arch. I don't know where the major revisions come from, I
always thought it was them working to make gcc more portable to lower
porting costs. Making it developer funded didn't work (GnuPro toolkit I
believe was the attempt by cygnus)

* Apache httpd - multiple groups with vested commercial interests in having
reliable service. Everyone had the same problem at the same time.

* Eclipse - IBM. But what are they doing right? There is a metric crap
load of developer documentation, and plugins for it seem to spawn like mad.
The developer docs are *awesome*.

* emacs - people that code their editor don't have to go far to jump from
Lisp -> C. At least XEmacs has had difficulties with developer time. Major
changes get talked about for MANY years before someone gets the effort to
pull them together.

* nmap - I'm constantly impressed by the new features that are added. I
don't see much discussion of features on the devel side but I see TONS of
communication on "what's next" when you have something in the works. What
doesn't work for you?

* snort - Multiple commercial "downstream interests"; one developer group
with potentially competing signature models; the biggest problem is that all the
competing people work on front ends rather than improving the backend.
Their signature feeds were an attempt to address that. I wouldn't be
surprised to see binary plugins. Or folding their detection stuff into
other products.

* nessus - Most people that worked on the scaling problem used an alternative
framework rather than extending out what's there. I wouldn't be surprised
to see nessus get binary plugins (maybe bytecode), rather than NASL, to
protect IP. A large portion of the "fun" plugin community for it has
seemed to move over to the Metasploit Framework.

Throw in that competent security folks usually have more work to do than
hours in the day and the attention span for a free security developer shoots
off the radar.

Besides security, what makes nessus and snort a special case from other open
source projects? What does it take to mentor the fresh faces into our
community before they end up with a non-compete in the security industry? Is
it that there's less IT slack time these days with all the management level
awareness?

What would it take to pull a security "Eclipse"?

If anyone knows someone trying to get a degree focused around project
management, it would be a paper I'd love to read. I think it's a serious
problem because very few people that write a tool between 19-25 will still
be maintaining it when they are 40.

-- 
Chris Green
PS: All my opinions are mine, not UAB, not Sourcefire, or anyone else for
that matter.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Oct 05 2005