Matt,
According to the Sourcefire engineers we talked to
yesterday, CVS is down
due to a recent infrastructure upgrade. Once they get
everything worked out
internally they'll focus on getting the public CVS server
back online.
They're IT department (all 3 of them) is a bit taxed right
now...
Mario
-----Original Message-----
From: bleeding-sigs-bounces bleedingthreats.net
[mailto:bleeding-sigs-bouncesbleedingthreats.net]On
Behalf Of Matt
Jonkman
Sent: Wednesday, July 18, 2007 10:48 PM
To: 'Martin Roesch'; 'Snort Users'
Cc: 'Bleeding Sigs'
Subject: [Bleeding-sigs] RE: [Snort-users] What's up with
Snort's
license?
Appreciate the reply Marty. I'm the person who said you'd
slipped this in on
a Friday before a long weekend. I mentioned that because
that's what
happened the last time SF did something and then didn't
communicate with the
community for weeks afterwards. 3.0 license release I think
it was maybe? I
forget. But had someone mentioned that you had to do this in
a rush because
of outside factors we'd have known different....
And that time, and the time before, (and probably the time
before that IIRC)
you said SF was in the wrong by not putting out a note that
something was
changing right away, or even that you had to do something
and would be
explaining it shortly. When SF goes into a communication
blackout it's quite
obvious. The "I'm too busy" thing frankly doesn't
sound plausible. Over two
weeks is more than enough time for anyone to send out an
email that says
"We're aware of the situation, we'll update you
shortly". If you were
spending the time waiting for legal review then say so. And
let us know up
front that's what we're waiting for. Otherwise you just
foment the
conspiracy theories and undermine the corporate confidence
that snort will
remain stable and community oriented. But I think we've had
this
conversation before, so I won't beat the dead horse any
longer.
I haven't a problem with you protecting code and your
rights, but the
willy-nilly changing of others copyright is not something
that should happen
by accident. That's not like changing the colors on a
website, that's sacred
ground. Rushing through that was a huge hit to trust.
So my questions:
Will the coders that have more than trivial portions of code
in snort be
receiving a proportional chunk of the money you make when on
relicensing
Snort under the commercial license? Future and historical
contracts? That
seems a fair thing to do, unless you intend to buy out their
copyright?
That'd be fair as well. But in protecting the authors of
Snort (yourself and
others), you've got to consider all of them when the money
flows.
If they're not to be reimbursed under your relicensing
revenue, do they then
also have the right to sell snort under a commercial license
of their own?
Why's CVS down still? Why was it down in the first place?
Have you had the time now to identify exactly what issues in
GPLv3 are an
issue for SF? I've seen talk of the patent prohibition stuff
as being a
possible issue. Is that what's a concern for SF?
To be clear: I do appreciate your stewardship of Snort.
Better communication
would not put so many into a default hostile and suspicious
stance.
Matt
> -----Original Message-----
> From: snort-users-bounceslists.sourceforge.net
> [mailto:snort-users-bounceslists.sourceforge.net] On
Behalf
> Of Martin Roesch
> Sent: Thursday, July 19, 2007 4:49 AM
> To: Snort Users
> Subject: [Snort-users] What's up with Snort's license?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi everyone,
>
> I posted this message on my blog a few minutes ago,
please read it
> and let me know what you think if you're interested in
Snort
> licensing issues.
>
> - --
>
> There have been a lot of questions and speculation
about the things
> we (Sourcefire) have been changing in Snort's licensing
recently and
> it needs to be addressed so that we can clear the air.
>
> There are three things that people have been asking
questions about
> or having issues with.
>
> 1) GPL v2 lock that we put in place on June 29th.
> 2) "Clarifications" in Snort's license
language (Snort 3.0).
> 3) "Clarifications" with regard to
assignments of ownership for
> contributed code (Snort 3.0).
>
> Let me address these issues in order.
>
> 1) GPL v2 lock.
>
> Here's what happened. About 3 weeks ago I got a heads
up that under
> GPL v2, a licensee can choose to use GPL v3 if we don't
specify what
> version of the GPL to use; conceivably we could have
people forking
> and changing license on us. Seeing as GPL v3 didn't
even
> "ship" until
> June 29th we didn't feel like we were going to be able
to make any
> decision on the language that was contained in the new
version until
> we'd had some time to perform a formal legal review. It
also didn't
> help that they decided to release on the last day of
the quarter.
> Another contributing factor to the decision for me was
that Linus
> decided to keep the Linux kernel at GPL v2, that in
itself
> was enough
> to get me to hit the pause button and take some serious
time
> reviewing this new license before making any decision.
Linus himself
> said "I'm not arguing against the GPLv3. I'm
arguing that the GPLv3
> is wrong for _me_, and it's not the license I ever
chose." It's not
> the license we chose either and we're not moving to it
without a
> conscious decision to do so.
>
> If we didn't want the code base moving to the new
version then what
> could we do? The simplest thing given the time
constraints that we
> were working within was just to change the language in
the source
> file header preambles (and not the license itself)
noting that we
> were specifying Snort at GPL version 2 until we could
make a solid
> and informed decision about how we wanted to treat GPL
v3.
>
> For those of you with wholly contributed source files
where the file
> headers were changed, many (most/all?) of them referred
to "the
> program" as being under an indistinct version
number (not just your
> source files) and so rather than try to track everyone
down in the
> time frame we had to work with *I* made a unilateral
decision
> to just
> move forward with it and we'd clean up the mess
afterwards.
> I'm sorry
> for the "bull in the china shop" routine but
we felt like we needed
> to have this language out there before GPL v3 shipped
at noon EDT on
> June 29th. Clearly there were some mistakes made,
obviously we
> shouldn't have changed things like the BSD license on
the
> strl* files
> and so on, we'll fix that too. As Victor observed, this
was done in
> something of a hurry. BTW, we didn't try to "slip
it out on a
> Friday"
> per the note on some blog, Friday was the deadline and
we had to move.
>
> Where do we go from here? We're going to examine the
language in the
> new license and decide if we want to move forward with
it. This is
> going to take a while but we'll make an announcement
when we
> make the
> final decision. For those of you who have wholly
authored source
> files that would like the language changed for your
source
> files back
> to the original, with the provision that the language
reflect that
> you're just referring to your file and not the entirety
of the
> program, just let us (me) know and send us the verbage
you want and
> we'll make the change. For those of you who object to
this sort of
> thing all together that would like to maintain your
code as an
> external patch set for Snort instead of in the main
source
> tree, give
> us the heads up and we'll pull your code from the
source trees. Once
> again, this is with the provision that we may
reimplement the
> capabilities that your code offers as
Sourcefire-authored code if it
> happens to be something that we consider important to
the project.
>
> If anyone has any other input I'd be happy to hear it.
Contrary to
> what several groups with vested interests seem to be
promoting,
> Sourcefire isn't interested in closing Snort's source
code or making
> this a closed-source project. The community continues
to be
> important
> to us and we have no plans on that ever changing.
>
> 2) Snort 3.0 "clarifications" and the GPL
>
> There has been a fair amount of opinion being put forth
by people in
> the blogging world that Snort 3.0 will no longer be
"open
> source" due
> to the clarifications that we put in place. This is
just plain wrong.
>
> Sourcefire produces Snort as an open source project. My
interest as
> the guy who started this whole thing and who has worked
on and
> advanced this project for closing in on 9 years now has
always been
> how good we can make the technology and how well we can
serve the
> needs of the community. Now that Snort has my company
behind it, the
> priorities really haven't changed but there's an
interesting dynamic
> out there with companies that are using Snort as a part
of their
> product or service offering. Many of them seem to
expect us to work
> on this technology and improve it continuously so that
their
> offering
> is cutting edge but contribute nothing to the project
and complain
> bitterly whenever we do something that might cost them
some money to
> continue to use a best-of-breed technology like this.
>
> It's Free as in "Free Speech", not Free as in
"Free Money" people!
> Companies that use Snort as part of a service or
product seem to be
> having a tough time accepting this. The goal of the new
licensing
> language is to define what we consider to constitute
> conditions under
> which something built on or around Snort is a
derivative work
> subject
> to the stipulations of the GPL (i.e. putting the
derivative code
> under the GPL license). Despite all the gnashing of
teeth that has
> resulted from this clarification, what we've really
done is take
> about the most "open" stance you can with a
GPL project and put it
> out there, true open source champions should be
applauding us
> for our
> position.
>
> That didn't happen. Instead we've gotten a litany of
grousing from
> the blogerati, primarily because we've offered a
commercial license
> for people who don't want to play by the rules of the
GPL in their
> product and service offerings that will (*gasp*!) cost
money. If
> you're licensing technology from Sourcefire (which all
of you using
> the GPL version of Snort are doing) and you don't wish
to live under
> the terms of that license, we're giving you another one
to choose
> from. If you don't like having world-class security
technology
> available for a fee because it affects your cost
structure, that's
> not my problem. If you want to use it for free then you
have to live
> by the license but people always seem to interpret the
GPL in ways
> that are optimally advantageous to them (if they don't
just take the
> code directly and bury it in their product). The
clarifications we
> put into Snort 3 are there to get us all on the same
page and
> to make
> sure that commercial users of the technology understand
that we're
> not a "venture technology" company, giving
them technology for free
> to enable their business models which frequently
compete against us
> in some regard. There's nothing wrong with using Snort
as a part of
> your commercial offering as long as you adhere to its
> license. If you
> can't do that then we need to talk.
>
> At the same time we've taken many measures to ensure
that the end
> users of the technology are unaffected. Want to
integrate Snort or
> part of Snort into your open source project? No
problem, it's free.
> Want to deploy 100 home-made Snort sensors in your
non-profit/
> enterprise/government organization ? Go for it. Want to
learn how
> these systems work at the code level? No problem, it's
all there.
> Want transparency of your security technology and the
content that
> drives it? It's all there, as it should be. Want to
have access to
> the internals to extend or correct or add your own
value to the
> project or just your operational environment? All part
of the open
> source concept, make it happen. Want to fork and make
your own IPS
> project built on the code-base? You can do that, just
make sure you
> understand what you're doing in maintaining proper
licensing for the
> forked project and respect our IP.
>
> I personally have *always* been the biggest advocate
for the
> users of
> Snort since the day this company was formed and I
always will be.
>
> 3) Snort 3.0 and IP assignments
>
> This is the most controversial provision of the
clarifications that
> we put into the Snort 3.0 license. Basically what it
says is:
>
> * By sending these changes to Sourcefire or one of the
Sourcefire-
> moderated
> * mailing lists or forums, you are granting to
Sourcefire, Inc. the
> unlimited,
> * perpetual, non-exclusive right to reuse, modify,
and/or relicense
> the code.
> * Snort will always be available Open Source, but this
is important
> * because the inability to relicense code has caused
devastating
> problems for
> * other Free Software projects (such as KDE and NASM).
We also
> occasionally
> * relicense the code to third parties as discussed
above. If
> you wish to
> * specify special license conditions of your
contributions, just say
> so when
> * you send them.
>
> So what's that mean? If you send a patch to the mailing
lists or to
> Sourcefire, if you contribute code to the Snort project
we consider
> that code and it's IP to be "assigned" to us.
The reason for doing
> this should be pretty clear, we don't feel that
contributing
> a 3-line
> patch to a 200k+ LOC codebase means that the
contributer has
> copyright claims over Snort at that point. In the early
years there
> were many people who contributed (in any way) to Snort
but over the
> years since Sourcefire was incorporated the total
contribution by
> these external contributers has decreased
substantially. After that,
> Sourcefire developed more and more of the code,
especially the core
> functionality of the detection engine and
preprocessors, not to
> mention tons of the rules as well. I have felt for a
long time that
> we need to have a sense of proportionality about this
and we should
> also have the ability to be flexible with the code base
in terms of
> licensing without needing to approach every contributer
individually
> to get sign-off on any changes that we make. That's why
we've put
> this provision into Snort 3.0.
>
> This "assumptive assignment" is exactly what
projects like Nmap use.
> Perhaps we should take the next step and use the FSF's
model where
> contributers to projects like GCC need to sign a legal
document
> explicitly to contribute to the project. The FSF does
this because
> they need to have flexibility but also because they
need to get out
> from under any potential problems that may occur due to
someone
> inappropriately contributing IP from a 3rd party. I
don't like that
> concept because of the overhead associated with
interacting with the
> project, Snort's not a huge project like GCC so I've
liked that
> people can contribute as they see fit. The FSF does
take one
> additional step, they guarantee that the projects that
people make
> assignments to will be available as open source
projects in
> perpetuity. I think that maybe we need to make a
statement like that
> but quite frankly it's always been our position that
Snort will
> always be available as Free Software and we have no
intention to
> change our position ever.
>
> I think that the part of this provision that people
have had
> the most
> trouble with is that we also retain the right to
relicense the
> contributed code under alternative licenses. We have to
be
> able to do
> that if we're going to offer alternative licenses to
Snort,
> maintaining a "patch free" code branch and a
"patch tainted" branch
> doesn't make any sense to me and probably not to you
either. The
> assignment doesn't mean we're going to
"steal" your code and
> "disappear" it CIA-style. It means that we
need to be able to retain
> the right to offer it under our commercial license. The
code you
> contribute will always be available to you and everyone
else in the
> open source code base, we're not going to steal it but
we are going
> to make it available to our commercial users. If you've
got a
> problem
> with this, don't contribute the code to us, maintain it
as an
> external patch.
>
> That's about it. I'm sorry we haven't been as
communicative with the
> OSS community as we probably should be, I personally
have a lot of
> demands on my time and I'm the person at SF who's the
most familiar
> with the totality of the Snort project so I have a lot
of input into
> the process here and I'm also fairly parochial
regarding
> communicating concepts like this to the user community.
In
> the future
> I'll try to be more forthcoming with all of you and I
hope you'll
> continue to be patient with both me and Sourcefire; our
> hearts really
> are in the right place with the users of this
technology but we also
> have to be pragmatic about how all of this is going to
work
> given all
> of the commercial use that Snort sees.
>
> We're trying to be pragmatic about these issues, I hope
that people
> can feel comfortable with the direction that we're
taking things. I
> look forward to reading people's responses.
>
> -Marty
>
> - --
> Martin Roesch - Founder/CTO, Sourcefire Inc. -
+1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
>
iD8DBQFGnmCYqj0FAQQ3KOARAr6wAJ9H4EKBvqQIBsI7dx+H7bFb6hnvVACe
ICZu
> kqjs5CsDqD8cQhP2LA9hUpM=
> =BWUO
> -----END PGP SIGNATURE-----
>
>
------------------------------------------------------------
--
> -----------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2
express and take
> control of your XML. No limits. Just data. Click to get
it now.
> http://sourcefor
ge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
|
Appreciate the info Mario. Maybe their email servers are
down as well,
which is preventing them from telling anyone about cvs. 
Thanks for the word!
Matt
Detore, Mario R. wrote:
> Matt,
>
> According to the Sourcefire engineers we talked to
yesterday, CVS is down
> due to a recent infrastructure upgrade. Once they get
everything worked out
> internally they'll focus on getting the public CVS
server back online.
> They're IT department (all 3 of them) is a bit taxed
right now...
>
> Mario
>
> -----Original Message-----
> From: bleeding-sigs-bouncesbleedingthreats.net
> [mailto:bleeding-sigs-bouncesbleedingthreats.net]On
Behalf Of Matt
> Jonkman
> Sent: Wednesday, July 18, 2007 10:48 PM
> To: 'Martin Roesch'; 'Snort Users'
> Cc: 'Bleeding Sigs'
> Subject: [Bleeding-sigs] RE: [Snort-users] What's up
with Snort's
> license?
>
>
> Appreciate the reply Marty. I'm the person who said
you'd slipped this in on
> a Friday before a long weekend. I mentioned that
because that's what
> happened the last time SF did something and then didn't
communicate with the
> community for weeks afterwards. 3.0 license release I
think it was maybe? I
> forget. But had someone mentioned that you had to do
this in a rush because
> of outside factors we'd have known different....
>
> And that time, and the time before, (and probably the
time before that IIRC)
> you said SF was in the wrong by not putting out a note
that something was
> changing right away, or even that you had to do
something and would be
> explaining it shortly. When SF goes into a
communication blackout it's quite
> obvious. The "I'm too busy" thing frankly
doesn't sound plausible. Over two
> weeks is more than enough time for anyone to send out
an email that says
> "We're aware of the situation, we'll update you
shortly". If you were
> spending the time waiting for legal review then say so.
And let us know up
> front that's what we're waiting for. Otherwise you just
foment the
> conspiracy theories and undermine the corporate
confidence that snort will
> remain stable and community oriented. But I think we've
had this
> conversation before, so I won't beat the dead horse any
longer.
>
> I haven't a problem with you protecting code and your
rights, but the
> willy-nilly changing of others copyright is not
something that should happen
> by accident. That's not like changing the colors on a
website, that's sacred
> ground. Rushing through that was a huge hit to trust.
>
> So my questions:
>
> Will the coders that have more than trivial portions of
code in snort be
> receiving a proportional chunk of the money you make
when on relicensing
> Snort under the commercial license? Future and
historical contracts? That
> seems a fair thing to do, unless you intend to buy out
their copyright?
> That'd be fair as well. But in protecting the authors
of Snort (yourself and
> others), you've got to consider all of them when the
money flows.
>
> If they're not to be reimbursed under your relicensing
revenue, do they then
> also have the right to sell snort under a commercial
license of their own?
>
> Why's CVS down still? Why was it down in the first
place?
>
> Have you had the time now to identify exactly what
issues in GPLv3 are an
> issue for SF? I've seen talk of the patent prohibition
stuff as being a
> possible issue. Is that what's a concern for SF?
>
> To be clear: I do appreciate your stewardship of Snort.
Better communication
> would not put so many into a default hostile and
suspicious stance.
>
> Matt
>
>
>> -----Original Message-----
>> From: snort-users-bounceslists.sourceforge.net
>> [mailto:snort-users-bounceslists.sourceforge.net] On
Behalf
>> Of Martin Roesch
>> Sent: Thursday, July 19, 2007 4:49 AM
>> To: Snort Users
>> Subject: [Snort-users] What's up with Snort's
license?
>>
> Hi everyone,
>
> I posted this message on my blog a few minutes ago,
please read it
> and let me know what you think if you're interested in
Snort
> licensing issues.
>
>>
------------------------------------------------------------
--
-----------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and
take
control of your XML. No limits. Just data. Click to get it
now.
http://sourcefor
ge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigsbleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigsbleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthr
eats.net
--------------------------------------------
PGP: http:/
/www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/
mailman/listinfo/bleeding-sigs
|
