8000 Monthly Chat Agenda June 2023 (2023-06-05 and 2023-06-19) · Issue #3221 · coreruleset/coreruleset · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Monthly Chat Agenda June 2023 (2023-06-05 and 2023-06-19) #3221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
RedXanadu opened this issue May 22, 2023 · 2 comments
Closed

Monthly Chat Agenda June 2023 (2023-06-05 and 2023-06-19) #3221

RedXanadu opened this issue May 22, 2023 · 2 comments
Labels
🔖 Meeting Agenda

Comments

@RedXanadu
Copy link
Member
RedXanadu commented May 22, 2023
edited by theseion
Loading

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2023-06-05, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-06-19. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

Inside development

Rules

CRS Sandbox

  • FIXME: Please fill in

Security

  • We're currently tracking 3 security reports.

Plugins

  • FIXME: Please fill in

Documentation and Public Relations

Project Administration and Sponsor relationships

  • 🚀 Existing SILVER sponsor is upgrading to GOLD

Tools

  • go-ftw: added new flags to wait for services to be up (--wait-for... flags)
  • crs-toolchain: now with self-update! ™️

Testing incl. Seaweed and many future plans

  • No news here.

Containers

  • FIXME: Please fill in

CRS Status Page

  • On hold until CRS v4 is out.

Project discussions and decisions

  • Fix date and location for developer retreat: We're looking into spending Sat Nov 4 - Sat Nov 11 around Budapest in Hungary.
  • Proposal to rename the project from OWASP ModSecurity Core Rule Set to OWASP WAF Core Rule Set or simply to OWASP Core Rule Set by @fzipi. This will be more in line that we support other engines.
  • Item carried over from April and May meetings: agreed to formally add to the agenda for discussion at the June meeting.
    Coraza/libcoraza: Should the CRS project pay for someone to build an Nginx connector?
    • We were waiting on the imminent milestone release of Coraza due out in May: Coraza v3.
  • Item carried over from second May meeting:
    PR feat: scanner overhaul: new rules, new data files #3202
    • Is this really what we want?
    • How to maintain this - fix future FPs?
    • Do we do a tag? Which one?
  • Roadmap to CRS v4 release
  • v3.3.5. We agreed at the February meeting to do a 3.3.5 patch-based fix release with the scoring/PL fixes, along with a blog post.
    • Can we agree on the messaging that we're happy to publish to users, vendors, etc. (i.e. "we will not provide a formal fix release because <reason>") so that the blog post writing can begin now? Are we happy to just say "we don't have time to do a formal release"?
  • feat: updated ssrf.data and java-classes.data #3219: Do we want to include 127.0.0.1 and friends into the into ssrf rule?
  • 📝 Meeting agendas: GitHub issue editing is not very robust when there are multiple users… We're having problems whereby CRS team members accidentally overwrite each other's edits (and even overwrite their own edits!) when adding things to a meeting agenda GitHub issue. Even refreshing the page first doesn't always help. Is there a better system for us to use?
    • Collaborate in a Google Doc? Then we copy-paste it into a GitHub issue just before the meeting?
    • Something else?

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 9 PRs since the last monthly project chat.

Open PRs marked DRAFT or work in progress or needs action

Open issues and PRs

  • As of Monday, we have 113 open issues.
  • As of Monday, we have 18 open pull requests.

Separate 2nd Meeting (Monday, 2023-06-19)

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.
@RedXanadu RedXanadu changed the title Monthly Chat Agenda FIXME (2023-06-05 and 2023-06-19) Monthly Chat Agenda June (2023-06-05 and 2023-06-19) May 22, 2023
@RedXanadu RedXanadu changed the title Monthly Chat Agenda June (2023-06-05 and 2023-06-19) Monthly Chat Agenda June 2023 (2023-06-05 and 2023-06-19) May 22, 2023
@dune73 dune73 mentioned this issue Jun 2, 2023
Merged
@franbuehler
Copy link
Contributor
franbuehler commented Jun 5, 2023
edited by RedXanadu
Loading

Decisions June 5th

  • Fix date and location for developer retreat: We're looking into spending Sat Nov 4 - Sat Nov 11 around Budapest in Hungary.

🔵 Decision: Shift the dates to Sunday Nov 5th - Sunday Nov 12th

  • Proposal to rename the project from OWASP ModSecurity Core Rule Set to OWASP WAF Core Rule Set or simply to OWASP Core Rule Set by @fzipi. This will be more in line that we support other engines. -> We want to erase ModSecurity from our name and we want to develop a plan how to pull this off in a useful timeframe. We'll continue the conversation during the next few weeks how to get there.

🔵 Decision: General agreement to change the project name at some future time. Next steps are: create a plan; talk with our communications/PR partner; continue the discussion inside the project.

  • Item carried over from April and May meetings: agreed to formally add to the agenda for discussion at the June meeting.
    Coraza/libcoraza: Should the CRS project pay for someone to build an Nginx connector?
    • We were waiting on the imminent milestone release of Coraza due out in May: Coraza v3.

🔵 Decision: No concrete plans from the CRS side at this time, but CRS is still open to providing financial support (and Coraza now have an advert out to find a developer for this project). Issue left open for further thought and discussion.

🔵 Decision: Agreed with @dune73's proposal: keep a short list of known bad scanners and lose the rest (could be a plugin in the future). @dune73 agreed to prepare the necessary PRs.

  • Roadmap to CRS v4 release

🔵 Decision: Wait until the end of the week and see if the word list issues are completed, as these are holding up the CRS v4 release.

  • v3.3.5. We agreed at the February meeting to do a 3.3.5 patch-based fix release with the scoring/PL fixes, along with a blog post.
    • Can we agree on the messaging that we're happy to publish to users, vendors, etc. (i.e. "we will not provide a formal fix release because <reason>") so that the blog post writing can begin now? Are we happy to just say "we don't have time to do a formal release"?

🔵 Decision: General agreement. Focus on how much work it has taken to bring out CRS v4, and no time to complete a real 3.3.5 release. @RedXanadu agreed to write this.

🔵 Decision: Yes: add this in for RC 2 and see what happens.

  • 📝 Meeting agendas: GitHub issue editing is not very robust when there are multiple users… We're having problems whereby CRS team members accidentally overwrite each other's edits (and even overwrite their own edits!) when adding things to a meeting agenda GitHub issue. Even refreshing the page first doesn't always help. Is there a better system for us to use?
    • Collaborate in a Google Doc? Then we copy-paste it into a GitHub issue just before the meeting?
    • Something else?

🔵 Decision: Not discussed due to time constraints. To be considered before the next meeting.

@dune73 dune73 mentioned this issue Jun 19, 2023
Merged
@franbuehler
Copy link
Contributor
franbuehler commented Jun 19, 2023
edited
Loading

Decisions June 19

@fzipi fzipi closed this as completed Jul 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🔖 Meeting Agenda
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fzipi @RedXanadu @franbuehler
0