incubator-general mailing list archives

From Benson Margulies <bimargul...@gmail.com>
Subject Re: [VOTE] ALOIS to enter the incubator
Date Thu, 26 Aug 2010 16:30:10 GMT
OK, I read the syntax of this sideways.

+1, binding, from me.

On Thu, Aug 26, 2010 at 12:26 PM, Urs Lerch <mail@ulerch.net> wrote:
> Hi
>
> There is, at least in my opinion, a very clear statement regarding the
> licencing:
>
>  = Source and Intellectual Property Submission Plan =
>
>  ALOIS is currently under a GPL licence. Since there are only two
>  contributors so far, both from the same company, there is no problem
>  to re-licence the code and contribute it to Apache. The commitment of
>  the company's owner has been granted.
>
> The names of the two contributors are listed elsewhere in the proposal.
> Do you think that ain't enough?
>
> Best
> Urs
>
>
> On Thursday, 26.08.2010, at 12:17 -0400, Benson Margulies wrote:
>> I don't see anything explicit in here about relicensing from GPL to
>> ASL. Perhaps that was hashed out before I joined the PMC?
>>
>> I'm +0 tending toward -1 without an explicit statement that the
>> copyright owners are known and on board with the license change.
>>
>> On Thu, Aug 26, 2010 at 12:09 PM, Urs Lerch <mail@ulerch.net> wrote:
>> > Hi,
>> >
>> > I would like to call a vote for accepting "ALOIS" for incubation in
>> > the Apache Incubator. The full proposal is available below and on the
>> > proposal wiki page (http://wiki.apache.org/incubator/AloisProposal).  We
>> > ask the Incubator PMC to sponsor it, with Scott Deboy volunteering as
>> > Champion and Mentor. Additional mentors are warmly welcome.
>> >
>> > Please cast your vote:
>> >
>> > [ ] +1, bring ALOIS into Incubator
>> > [ ] +0, I don't care either way,
>> > [ ] -1, do not bring ALOIS into Incubator, because...
>> >
>> > This vote will be open for 72 hours and only votes from the Incubator
>> > PMC are binding.
>> >
>> > Thanks,
>> > Urs
>> >
>> >
>> > --------------------------------------------
>> >
>> >
>> > = Preface =
>> >
>> > ALOIS is a log collection and correlation software with reporting and
>> > alarming functionalities. It has been implemented by the Swiss company
>> > IMSEC for a customer about five years ago. GPL-licenced, implemented in
>> > Ruby and completely based on other OSS-licensed components, it was
>> > designed for the open source community right from the start. Now that
>> > the software has shown its functioning over several years in production
>> > with the one customer and one IMSEC-internal installation, it seems to
>> > be the right time to open it to a wider community.
>> >
>> >
>> > = Abstract =
>> >
>> > ALOIS stands for „Advanced Logging and Intrusion Detection System“ and
>> > is meant to be a fully implemented open source SIEM (security
>> > information and event management) system.
>> >
>> >
>> > = Proposal =
>> >
>> > While almost all other SIEM software, be it closed or open source,
>> > concentrate on the technological part of security monitoring, ALOIS is
>> > aimed to monitor the security of the content. It intends to be
>> > pro-active in the detection of potential loss, theft, mistaken
>> > modification or unauthorized access. ALOIS works on log messages and
>> > thus contains all the basic functionality of a conventional SIEM, as
>> > centralized collecting, normalizing, aggregation, analyzing and
>> > correlating of all log messages, as well as reporting all security
>> > related events. Therefore it can be used as any other SIEM.
>> >
>> > ALOIS consists of five modules interacting to ensure a scaleable
>> > functionality of a SIEM:
>> >
>> >  * Insink is the message sink, which is the receiving entry point for
>> > all the different log messages into ALOIS. It is partly based on the
>> > syslog-ng software. Insink listens for messages (UDP), waits for
>> > messages (TCP), receives message collections (files, emails) and
>> > pre-filters them to prevent message flow overload.
>> >
>> >  * Pumpy is the incoming FIFO buffer, implemented as relational
>> > database tables, which contain the incoming original messages (in raw
>> > format). In a complex system setup, there may be several insink
>> > instances, e.g. for a group of hosts, for specific types of messages, or
>> > for high availability.
>> >
>> >  * Prisma contains logic to split up the text of log messages into
>> > separate fields, based on regular expressions. Actually, "prisma" is a
>> > set of "prismi", each one prisma for one type of log message (apache,
>> > cisco etc.). Several prismi can be applied to the same message. This
>> > allows for stacked messages, i.e. forwarded log messages contained in
>> > compressed files contained in e-mail messages. The data retrieved from
>> > the log messages is stored in a database called Dobby. Due to prisma
>> > being written in Ruby, prismi can be applied interactively (when having
>> > system access).
>> >
>> >  * Dobby is the central log database. It should be separated from the
>> > Pumpy database for availability and performance reasons. The current
>> > implementation is based on MySQL.
>> >
>> >  * The Analyzer contains the two sub-systems Lizard and Reptor. Lizard
>> > is the analysis engine and user interface of ALOIS, implemented in Ruby
>> > on Rails using AJAX. It allows for interactive browsing through the
>> > collected data, exclusion/inclusion/selection of data, data sorting,
>> > data filtering, creation of views, ad-hoc textual and graphical
>> > reporting. Reptor allows for automatic activation of views and
>> > comparison of these views' results to a predefined result (pattern
>> > matching). In case of mismatch, Reptor sends the result to predefined
>> > e-mail addresses.
>> >
>> > Its modular design guarantees ALOIS to scale from little to large
>> > organizations. Since there exists a Debian package, it's easy to build a
>> > test system or even a productive system for small environments.
>> >
>> > Although the software has been in productive use for a few years, there
>> > is still a lot of desired functionality missing. The plugability of new
>> > connected systems is given, but needs some revision. It is a given goal
>> > of the project to allow modules in other programming languages.
>> > Furthermore, it has been discussed if parts of the existing
>> > implementation may be replaced with other proven open source software,
>> > e.g. the correlation engine or the web frontend. The other way round, it
>> > has been discussed that the filter creation engine would make a good
>> > tool for any kind of structured data, and thus could be separated from
>> > ALOIS and standardized as a stand-alone tool.
>> >
>> >
>> > = Background =
>> >
>> > It's not simple to know what happens in a bigger network. There's a
>> > multitude of applications, services and appliances working together.
>> > Many of them provide some kind of events or state information. The
>> > network administrator needs to get hands on all of them. But they come
>> > in many different flavors and multiple canals. Therefore, it's hard to
>> > get the big picture. Furthermore, we have learned that it's impossible
>> > to protect a system against all malicious attacks and to keep all the
>> > possible faulty handling away. A monitoring of the systems to guarantee
>> > a pro-active handling is therefore needed.
>> >
>> > Therefore, more and more organizations collect and analyze all logfiles
>> > in a centralized system, called a SIEM (security information and event
>> > management). The technology provides two major functions for security
>> > events from networks, systems and applications: log management and
>> > compliance reporting (SIM – security information management) and
>> > real-time monitoring and incident management (SEM – security event
>> > management).
>> >
>> >
>> > = Rationale =
>> >
>> > Why another security information and event management system? It's true,
>> > there's already plenty of them. While the proprietary software is way
>> > too expensive for smaller to mid-sized companies, we find that the open
>> > source solutions are either too simple or not completely open. For
>> > example, behind each of the well known systems “OSSIM” and “Prelude”,
>> > there is a company that either closes central functionality for its own
>> > business or has dual licensing and therefore asks the full copyright for
>> > all contributed code.
>> >
>> > ALOIS is aimed to be totally free and open for all contributions. The
>> > openness provided for other programming languages is certainly proof of
>> > this. The plug-ability - yet to be further developed - is meant to
>> > guarantee that individual needs can be realized without stressing the
>> > whole system too much. In our opinion, the Linux kernel is a good
>> > example that this can work very well.
>> >
>> > Since we are in accordance with „the Apache way“, we would be very
>> > pleased if ALOIS could become part of the Apache community. In addition,
>> > the Apache Logging Services would be a perfect home for the software.
>> > Furthermore, it's not the intention to compete with the already existing
>> > log viewer and analyzing tool „Chainsaw“. Since Chainsaw is a relatively
>> > easy tool, it meets a rather different need. Nevertheless, if the two
>> > projects use synergies, both can profit.
>> >
>> >
>> > = Initial Goals =
>> >
>> > When this project started in 2005, there was no proven SIEM open source
>> > software and the commercial tools were way too expensive for the needed
>> > environment. Therefore, we decided together with a customer of ours to
>> > implement an open source SIEM tool from scratch. Now the software has
>> > run in a production environment for several years and has proven its
>> > functionality and reliability.
>> >
>> >
>> > = Current Status =
>> >
>> > == Meritocracy ==
>> >
>> > As already mentioned, ALOIS is already in production use in two
>> > organizations. All the code has been written by two persons of the same
>> > company in a paid employment relationship. It is obvious that this is
>> > way different from the open source approach within Apache. But
>> > nevertheless, the two developers have always worked as a team and the
>> > decisions were made in consensus whenever possible. But it is no secret,
>> > that these developers have to learn to behave in an open community.
>> > Understanding this potential problem, they already got support by a
>> > freelance consulter, who has the corresponding experience and knowledge.
>> >
>> > == Community ==
>> >
>> > Until today there is no real community, because the project hasn't been
>> > published officially, although it had been completely published on the
>> > web site for a couple of months (until a server relaunch). Convinced by
>> > the concept and design of the software, we are open and hope to reach
>> > many contributors and users. We think that it is realistic, because the
>> > SIEM issue has yet not been resolved in the OSS space.
>> >
>> > == Core Developers ==
>> >
>> > ALOIS was developed by Simon Hürlimann and Flavio Pellanda, both employed
>> > by the company IMSEC. Concerning Design and Architecture, Marcus
>> > Holthaus, owner of IMSEC, gave his input as security specialist. Since
>> > the beginning of this year, Urs Lerch, a doctorate on the subject of
>> > commercial open source software development, supports the team with his
>> > knowledge. Simon Hürlimann has left the company three years ago, but is
>> > still active in the OSS environment (although not for ALOIS). Current
>> > employee Daniel Lutz (a Debian Developer) has also contributed to the
>> > project.
>> >
>> > == Alignment ==
>> >
>> > Besides that we strongly believe in the „Apache way“, we think that
>> > although that Apache hosts the Logging Services and different security
>> > projects, there is a gap when it comes to a superordinate security view.
>> > We therefore think it a good idea to add our SIEM project to the Apache
>> > repository. On the other side, Apache would become an even more complete
>> > software repository.
>> >
>> >
>> > = Known Risks =
>> >
>> > == Orphaned products ==
>> >
>> > Since the software is only maintained by employers of one company, there
>> > is a severe risk of being orphaned. But, on the one hand, the company
>> > has a sustained interest in keeping the project alive, because there are
>> > plans to offer services on top of ALOIS, and IMSEC uses the software for
>> > SIEM on their own systems. For this reason there exists a budget for the
>> > development and support of ALOIS. On the other hand, we believe that
>> > ALOIS is of great interest for other people and companies tied to IT
>> > security. Therefore, our step to the Apache incubator is also a step to
>> > a bigger community.
>> >
>> > == Inexperience with Open Source ==
>> >
>> > While ALOIS has always been licenced under the GPL, access to the source
>> > code, bug tracker and version control system has been restricted to
>> > internal users for most of the time. But the company has a strong
>> > belief in the open source movement and therefore engages its employees
>> > to take part in the community. Furthermore, it is also a strategic
>> > decision to build services on top of Linux.
>> >
>> > We understand that the Apache Incubator is a great opportunity for us to
>> > get assistance, when it comes to specific questions on the open source
>> > development. Even more, the company has created a part time position for
>> > the open source community work.
>> >
>> > == Homogenous Developers ==
>> >
>> > Although ALOIS has been developed by employees of only one company,
>> > there is a thorough openness. The company is designed to stay small and
>> > therefore works with several independent partners. Furthermore, its
>> > employees work in geographically different parts of the country.
>> > Therefore, it is no new experience for the developers to work in a
>> > distributed environment and argue rather than to command. Already today
>> > the employees are enforced to document all face-to-face communication in
>> > the internal wiki. Sketches are photographed and stored in the project's
>> > digital folder.
>> >
>> > == Reliance on Salaried Developers ==
>> >
>> > Until today all the development of ALOIS has been made in a paid
>> > employment. Therefore we know that this brings a significant danger.
>> > Since it is our stated aim to encourage participation and recruit
>> > committers, we hope to eliminate this risk as soon as possible.
>> > Furthermore, the employees of IMSEC are all open source enthusiasts and
>> > are in one way or another active in the community. Although we have no
>> > certainty, there is good indication that the current committers would
>> > continue their work on ALOIS, even if they wouldn't be paid for it.
>> >
>> > == Relationships with Other Apache Products ==
>> >
>> > The Apache Logging Service would be a perfect home for ALOIS as a
>> > centralized logging collection and analyzing tool. Furthermore, we think
>> > that we could share part of the code with the Chainsaw subproject, since
>> > both need similar functionality in the web frontend. Since it is our
>> > stated aim to replace our own code with proven open source libraries,
>> > we are open for any collaboration with other projects. For example, the
>> > replacement of the MySQL with a NoSQL database might be useful for
>> > performance reasons; therefore HBase is a good candidate.
>> >
>> > == An Excessive Fascination with the Apache Brand ==
>> >
>> > The Apache brand is in fact for its own a very good reason to join the
>> > Incubator. But much more our desire to become part of the Apache
>> > Incubator is our strong belief in open source software in general and
>> > in the „Apache way“ in particular. We would love to learn from the
>> > experience and knowledge of the foundation's members and participants,
>> > which is an important part of the brand as well. The foundation has
>> > shown many times, that it has the processes and people to succeed in
>> > launching a project. We would be very proud to be part of this success
>> > story.
>> >
>> >
>> > = Documentation =
>> >
>> > The documentation is rather weak and scattered. It has mainly been
>> > maintained on a wiki and is open to improvement. Since we are totally
>> > aware that this is a killer for a successful open source project, we
>> > have already started an internal project with its own budget to improve
>> > this shortcoming. Once the project has been launched, writing a blog or
>> > opening a forum are other possibilities we already thought of.
>> >
>> > Furthermore, as the employees are used to work in a geographically
>> > distributed environment, a lot of the internal communication happens in
>> > a chat. Thus, opening a new chat channel for the community is scheduled.
>> > (To document the discussions for all those who were off-line, we would
>> > send the logs daily to the mailing list.)
>> >
>> >
>> > = Initial Source =
>> >
>> > Although the initial source comes from a project for a customer, it has
>> > an open source licence since the beginning. Therefore it doesn't have
>> > any proprietary code in it. A thorough revision before releasing it to a
>> > public repository is recommended and is also in planning.
>> >
>> > The initial source will be a snapshot of the version control system,
>> > accompanied by a related debian package.
>> >
>> >
>> > = Source and Intellectual Property Submission Plan =
>> >
>> > ALOIS is currently under a GPL licence. Since there are only two
>> > contributors so far, both from the same company, there is no problem to
>> > re-licence the code and contribute it to Apache. The commitment of the
>> > company's owner has been granted.
>> >
>> >
>> > = External Dependencies =
>> >
>> > So far, no external dependencies are known. As mentioned before, a
>> > thorough revision of the codebase is in planning. There it can be
>> > controlled, that no other licence is affected by the code.
>> >
>> >
>> > = Cryptography =
>> >
>> > ALOIS does not involve cryptographic code.
>> >
>> >
>> > = Required Resources =
>> >
>> > == Mailing lists ==
>> >
>> > The following mailing lists will be required:
>> >
>> >  * alois-private
>> >  * alois-dev
>> >  * alois-commits
>> >  * alois-users
>> >
>> > == Subversion Directory ==
>> >
>> > https://svn.apache.org/repos/asf/incubator/alois
>> >
>> > == Issue Tracking ==
>> >
>> > JIRA ALOIS (ALOIS)
>> >
>> > == Other Resources ==
>> >
>> > We would like to open a chat channel. If this isn't possible within the
>> > infrastructure of Apache, we would love to do this in our own already
>> > existing infrastructure.
>> >
>> >
>> > = Initial Committers =
>> >
>> >  * NAME             EMAIL                              AFFILIATION  CLA
>> >  * Flavio Pellanda  flavio.pellanda at logintas dot ch IMSEC        no
>> >  * Urs Lerch        mail at ulerch dot net             IMSEC        no
>> >  * Daniel Lutz      daniel.lutz at logintas dot ch     IMSEC        no
>> >  * Marcus Holthaus  marcus.holthaus at imsec dot ch    IMSEC        no
>> >
>> >
>> > = Sponsors =
>> >
>> > == Champion ==
>> >
>> >  * Scott Deboy <sdeboy at apache dot org>
>> >
>> > == Nominated Mentors ==
>> >
>> >  * Scott Deboy <sdeboy at apache dot org>
>> >
>> > == Sponsoring Entity ==
>> >
>> > The Incubator PMC (requested) b
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>
>
