[IntelMQ-dev] RFC on IEP007: Running IntelMQ as Python Library

L. Aaron Kaplan aaron at lo-res.org
Tue Apr 25 13:47:56 CEST 2023 

Hi Mika,

I will add that to the IEP, that's a good suggestion to add a background/motivation section.

But I know I have been discussing this idea with Sebastian (Sebix) years ago already and it came from the need to easily wrap intelmq functionality and bring it into other tools.

I hear you regarding API breakage. No one wants that and I guess we'll have to think carefully how to achieve this.
Good point.

But having intelmq be librarized would actually help a lot for integration into other tools. And these other tools could rely on the hard work of intelmq / parsers mostly to "get it right once and for all". So, in a sense, it would benefit the whole community.

That's my stance on it so far.
Hope my comments help to explain the motivation a bit (?)

Best,
Aaron.


> On 25.04.2023, at 13:43, Mika Silander <mika.silander at csc.fi> wrote:
> 
> Hi Sebastian,
> 
>  References to the discussions on motivations for the library proposal are welcome, but when and if you find them, IMHO I think the best location for them is the IEP itself. The document could for example, start with a "Background" or similar section that tries to answer why this is a desired thing, what benefits it would bring and maybe some examples. A long time ago I wrote a wrapper script that allowed chaining bots on the command line. It did of course not provide all the features that are outlined in your IEP, but it gave me the possibility to simple sampling of events and testing bots with e.g.
> 
> wrapper BotA | wrapper BotB | wrapper BotC ...
> 
>  so I was struggling to find good use cases to support a library implementation.
> 
>  What comes to the API-breaking vs. less intrusive implementation, I think I did understand these were two separate options, but the API-breaking I found a bit scary and reacted to that only. And yes, I can imagine it's been a big effort to reach versions 3.0 and 3.1. Had I known all the effort I've had to do put to the interconnected systems related to our IntelMQ setup (IntelMQ itself was not that hard), I would have never even started :-). Still, as said, my vote is on the less intrusive implementation option and sticking to KISS, but if it turns out the API-breaking one wins, please consider techniques that could provide some degree of backward compatibility as I suggested.
> 
>  I don't think I'm a very active debater on this forum, so it would be nice to read what other developers think. Especially the ones like me who do not form part of the core developers but just need to add some components and features of their own to IntelMQ.
> 
> Br, Mika
> From: "Sebix" <sebix at sebix.at>
> To: "intelmq-dev" <intelmq-dev at lists.cert.at>
> Cc: "Mika Silander" <mika.silander at csc.fi>
> Sent: Tuesday, 25 April, 2023 13:05:50
> Subject: Re: [IntelMQ-dev] RFC on IEP007: Running IntelMQ as Python Library
> 
> Dear Mika,
> 
> On 4/25/23 11:28 AM, Mika Silander wrote:
>  Reading through the IEP in question, I thought I would find reasons or motivations as to why having a library is desired. It's possible I've missed discussions or mails and the reasons have been discussed/documented elsewhere.
> Thanks for the input, I'll try to find some references from the 3.0 discussions when we first discussed this feature request in more details, or otherwise expand this section on my own.
>  If the implementation you choose for IEP is the API-breaking generator one
> 
> I think there was a misunderstanding: It is precisely the question if we also want to address this topic. It has its pros and cons, whereas the biggest downside is the API-breaking part with all its implications.
> 
> You know that it was a long and bumpy road towards IntelMQ 3.0, and accumulating multiple significant development steps in a short period was challenging (OTOH had the - temporary - development capacity at that time to make this leap). I'm fully aware that breaking changes can mean a lot of trouble and I'm all for small, separated steps (hence this IEP), which allow more straightforward discussion, review and maintenance. When writing PoCs for this IEP, I found a similar area for improvement in IntelMQ which could also be interesting to tackle. It is not up to me to decide the direction of the IntelMQ roadmap but to the community. Hence, I posed this question and asked for comments, and I am very grateful that you are contributing so actively through code and discussion.
> 
> best regards
> Sebastian
> -- 
> 
> Institute for Common Good Technology
> gemeinnütziger Kulturverein - nonprofit cultural society
> 
> https://sebix.at/
> 
> ZVR 1510673578
> 
> 
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> https://intelmq.readthedocs.io/

More information about the IntelMQ-dev mailing list