fzipitria 12:01:56 UTC
👋
airween 12:03:20 UTC
hey, I'm here with a half eye, but unfortunately I'm very busy...
Roshan Piyush 12:18:13 UTC
👋
c z 12:19:02 UTC
👋
Juan Pablo Tosso 12:19:23 UTC
Hey! Sorry for the delay, the timezone changes in my country are messy
Juan Pablo Tosso 12:20:02 UTC
Well this hasn’t been a very interesting month regarding changes to the project, but there has been a lot of unfinished activity that is important
Juan Pablo Tosso 12:20:15 UTC
Project Status
Juan Pablo Tosso 12:22:27 UTC
The same for CRS compatibility, we have figured some compatibility issues but we haven’t been able to fix them all.
Juan Pablo Tosso 12:23:16 UTC
For the C connector, we have been struggling with CGO, we need some help for this project, as CGO is hard and some experience would be appreciated. We currently have problems moving a C function callback into golang
Juan Pablo Tosso 12:23:37 UTC
Are there any comments or questions until now?
Roshan Piyush 12:25:55 UTC
I can take PR corazawaf/coraza#235 forward. IMO this would be a priority as it would lead to good bypasses.
Juan Pablo Tosso 12:26:57 UTC
Thank you Roshan, that would be awesome
airween 12:28:20 UTC
we could move forward in the C connector if the logger function would work... then we can make some test applications which embed the libcoraza, and start to measure the memory leaks - maybe those are not real problems
Juan Pablo Tosso 12:28:59 UTC
That is another issue, how do we measure memory leaks
Juan Pablo Tosso 12:29:28 UTC
the problem with the C wrapper is that we must abandon the GO garbage collector to allow C to handle the memory
Juan Pablo Tosso 12:29:47 UTC
But once we want to clean the memory we must connect the objects back into Golang's garbage collector
c z 12:29:52 UTC
This PR corazawaf/coraza#245: is there any other design idea for the logger? After discussion I think I can go ahead and finish it
Juan Pablo Tosso 12:30:23 UTC
Your design is fine but it is a breaking change
Juan Pablo Tosso 12:30:32 UTC
we cannot update waf.Logger as it would break the API
fzipitria 12:30:53 UTC
We were planning on a redesign for v3
fzipitria 12:31:29 UTC
that PR won’t be left out, we just need to make adjustments
fzipitria 12:31:41 UTC
IMHO, we should have one logger factory or similar
fzipitria 12:32:16 UTC
That can create audit, legacy, serial, concurrent, etc.
Roshan Piyush 12:32:36 UTC
For memory leaks. All I could think of was post cleanup force runtime.GC() and measure the allocated memory.
↳ Juan Pablo Tosso 12:33:04 UTC
Thank you Roshan, that would be helpful
fzipitria 12:32:41 UTC
Then anyone implementing that can move to logrus or others
fzipitria 12:32:59 UTC
Hmmm. We are overstepping each other 😄
fzipitria 12:33:31 UTC
Or we go for threads on a topic, or we keep discussing one each time 😉
Juan Pablo Tosso 12:34:16 UTC
I agree. Thank you @c z for your PR, and it will be merged once we start working on the v3 branch
Juan Pablo Tosso 12:34:47 UTC
Any other questions regarding the current PRs? And thank you @fzipitria for the explanation
Juan Pablo Tosso 12:35:55 UTC
Ok so we move on
c z 12:37:03 UTC
Thanks, @fzipitria and @Juan Pablo Tosso. And when does the v3 plan start?
Juan Pablo Tosso 12:37:13 UTC
that’s what we are going to discuss in a few minutes
Juan Pablo Tosso 12:37:22 UTC
let me continue with a few points and we will get there
Juan Pablo Tosso 12:38:29 UTC
Regarding funding, we are generating a few donations, and we are working with sponsors to receive more. Two meetings ago we discussed bounties like shirts, mugs, etc, but we agreed that they were not good enough
Juan Pablo Tosso 12:39:55 UTC
I would like to be able to tell sponsors why their money would be helpful. That’s why I would like to propose issue bounties and dev on-duty program
fzipitria 12:40:37 UTC
We had (and still have) a good experience in our dev on-duty program
Juan Pablo Tosso 12:41:12 UTC
Exactly, coreruleset has a great design for their program and we can learn from it, @fzipitria could you provide a short description?
fzipitria 12:41:25 UTC
Sure
fzipitria 12:41:35 UTC
We basically divide efforts weekly
fzipitria 12:41:51 UTC
People self assign a weekly (can be bi-weekly) calendar
fzipitria 12:42:09 UTC
And take the lead on answering issues, and evaluating PRs
fzipitria 12:42:24 UTC
Doesn’t need to solve everything, by the way
fzipitria 12:42:45 UTC
but it will be the first line of response
fzipitria 12:43:15 UTC
If there is the need for a patch, more discussions, etc, then you drive it in that week
fzipitria 12:44:06 UTC
It is not a full day job. You are “around” our github to take care
fzipitria 12:44:25 UTC
You can take a look daily, during that week
fzipitria 12:45:03 UTC
At the CRS we also handle discussions on stackoverflow
fzipitria 12:45:16 UTC
But it doesn’t make sense for Coraza now
Juan Pablo Tosso 12:46:16 UTC
Thank you Felipe. In our case it would make sense, as we had a problem last week keeping discussions alive
Juan Pablo Tosso 12:46:37 UTC
so having a dev on duty program would encourage users to participate and keep the discussion flowing
Juan Pablo Tosso 12:47:30 UTC
Regarding the issue bounty, there are feature requests that are part of our roadmap and require a lot of work. It would be great to have paid bounties on them.
Juan Pablo Tosso 12:47:58 UTC
Any questions about these plans?
Juan Pablo Tosso 12:49:21 UTC
Also, does everyone agree with these plans?
Juan Pablo Tosso 12:51:05 UTC
Ok next topic: We know we have many enterprise users
Juan Pablo Tosso 12:51:12 UTC
Fortune 500s
Juan Pablo Tosso 12:51:27 UTC
and interesting companies
Juan Pablo Tosso 12:52:04 UTC
I would like our community to encourage enterprise users for reviews and permission to add them to our README
Juan Pablo Tosso 12:52:35 UTC
If any of you belongs to an enterprise using Coraza, it would be amazing to have feedback or at least the chance to link them into our readme or website
Juan Pablo Tosso 12:54:13 UTC
Regarding coraza.io, our website is properly structured but it requires a major update
Roshan Piyush 12:55:16 UTC
And playground is down too.
Juan Pablo Tosso 12:55:37 UTC
That one is on me, I have asked OWASP for an AWS account but no success yet
fzipitria 12:55:50 UTC
I can help with that
Juan Pablo Tosso 12:56:05 UTC
that would be amazing, we will keep a parallel discussion for that one
Juan Pablo Tosso 12:57:02 UTC
I would like to take as reference this: https://coreruleset.org/docs/rules/
Juan Pablo Tosso 12:58:22 UTC
We will keep a discussion during this week for coraza.io, it is a long one
Juan Pablo Tosso 12:58:28 UTC
Finally coraza v3!
c z 12:58:35 UTC
We can find some templates, such as VuePress, GitBook and Hugo
Juan Pablo Tosso 12:58:49 UTC
we already use a Hugo template, the problem is the content
Juan Pablo Tosso 12:59:11 UTC
I created the content almost two years ago, and there have been no updates
Roshan Piyush 13:00:06 UTC
Can we break this work into chunks? It would be easier to target.
↳ fzipitria 13:02:42 UTC
Good one. Let’s create issues on what needs to be documented
↳ Juan Pablo Tosso 13:03:15 UTC
Great, there are many things that were removed from the original project, we should start with them
Juan Pablo Tosso 13:00:33 UTC
Yes, I will take some time to create issues here https://github.com/corazawaf/coraza.io
Juan Pablo Tosso 13:00:47 UTC
I will post them here so people could assign them to themselves
Juan Pablo Tosso 13:01:28 UTC
Regarding v3
Juan Pablo Tosso 13:02:13 UTC
I would like to propose the v3 version not as a major change (like in the original roadmap), but as an API redesign
Juan Pablo Tosso 13:02:26 UTC
we should fix v2 design issues and enhance extensibility
fzipitria 13:03:08 UTC
Excellent! We need this to be even more extensible
fzipitria 13:03:33 UTC
One thing we need to keep track of though is supported versions
fzipitria 13:04:20 UTC
Also, documentation for v2 and v3 is going to run in parallel?
fzipitria 13:04:59 UTC
Probably for godoc we don’t have problems, but if we need to explain details further in the website docs, we need to be aware of that
fzipitria 13:05:17 UTC
That’s why having supported versions would make our lives easier
Juan Pablo Tosso 13:05:50 UTC
So do you think we should version our documentation? For example https://coraza.io/docs/seclang/directives/ should migrate to https://coraza.io/docs/v3/seclang/directives/
↳ Roshan Piyush 13:07:13 UTC
Backporting docs would be painful though?
↳ Juan Pablo Tosso 13:07:23 UTC
Exactly
Juan Pablo Tosso 13:07:02 UTC
I think it could be hard to maintain, as we can barely maintain the website
Juan Pablo Tosso 13:07:40 UTC
So we should just specify what changed on each page
Juan Pablo Tosso 13:08:05 UTC
like docker documentation does
Juan Pablo Tosso 13:08:24 UTC
We add disclaimers on breaking changes
Juan Pablo Tosso 13:09:13 UTC
Ok so if everyone agrees with the development of v3, I would like to start tagging issues as v3
fzipitria 13:09:33 UTC
Sure, let’s create a milestone also
Juan Pablo Tosso 13:09:39 UTC
great
Juan Pablo Tosso 13:10:05 UTC
What would be a great starting point? Do you think we should create the branch right now and start pushing things? Or we should wait for more issues?
Juan Pablo Tosso 13:10:31 UTC
Also, what are the criteria to accept v3 issues?
Juan Pablo Tosso 13:11:00 UTC
Finally, regarding supported versions, I would create a final v2.1 tag and maintain both, v3 and v2.1
fzipitria 13:12:08 UTC
We need to publish that, and also the criteria we are going to use.
fzipitria 13:12:51 UTC
Unless there are security issues, we should do that asap. Creating the 2.1 tag.
Juan Pablo Tosso 13:14:01 UTC
I agree. So we should create an issue on this one
Juan Pablo Tosso 13:15:23 UTC
Ok, so now that we agree to work on v3, I will keep an open discussion here to work on it. Please take some time to review the v3 tagged issues and make your comments
Juan Pablo Tosso 13:15:29 UTC
is there anything else to discuss?
Juan Pablo Tosso 13:16:13 UTC
set the channel topic: OWASP Coraza Web Application Firewall
Roshan Piyush 13:16:15 UTC
I would like to get PR 235 to 2.1
Juan Pablo Tosso 13:16:57 UTC
Sounds fair, there is a 2.1 milestone, feel free to assign the PR
Juan Pablo Tosso 13:19:22 UTC
Ok, so any other topic?
Juan Pablo Tosso 13:19:42 UTC
Thank you everyone for your time, fantastic meeting
fzipitria 13:22:30 UTC
Thanks for leading it @Juan Pablo Tosso!