Juan Pablo Tosso 12:55:15 UTC
Maybe we could enforce all new features as plugins
Juan Pablo Tosso 12:55:22 UTC
once we get enough feedback we merge them to the core
fzipitria 12:55:59 UTC
That would work… if people know how to do it 😄
Juan Pablo Tosso 12:56:19 UTC
That requires writing a lot of documentation but it’s one of my priorities next month
fzipitria 12:56:35 UTC
Documentation enables contributors 😄
fzipitria 12:57:00 UTC
We should write more (docs) to write less (code)
Juan Pablo Tosso 12:57:07 UTC
ok so we encourage new plugins instead of core features and we might evaluate merging them with 2/3 votes?
fzipitria 12:57:50 UTC
The thing is: where is the line for a plugin vs. core?
Juan Pablo Tosso 12:57:52 UTC
Btw most Coraza features support plugins: body processors, actions, operators, directives, log engines, etc.
ShiMing Q 12:58:05 UTC
The thing is how to encourage more people/companies to join and use/contribute to this project.
Juan Pablo Tosso 12:58:23 UTC
Creating these baselines is the first step
fzipitria 12:58:29 UTC
Ok, seems fair.
ShiMing Q 12:58:51 UTC
Makes sense.
fzipitria 12:58:57 UTC
So we should have that clear distinction on core vs plugins/modules and that’s it
Juan Pablo Tosso 12:59:21 UTC
Yep, there are two types of features, the ones that can be a plugin and the ones that cannot
fzipitria 12:59:24 UTC
If people are creating actions, operators, body processors, then it is a module/plugin
fzipitria 12:59:37 UTC
Then, if tested, it can go to the core
fzipitria 12:59:46 UTC
Agreed on that
Juan Pablo Tosso 13:00:34 UTC
Cool, so:
Core features: should go by a 2/3 vote
Non-core features: should start as plugins/modules; if tested they can go to the core
Juan Pablo Tosso 13:02:13 UTC
Cool, about the plugin repository I would like to skip it for this meeting until we have more definitions on the plugins and more documentation
fzipitria 13:02:24 UTC
Agreed
bxlxx.wu 13:02:31 UTC
agreed
Juan Pablo Tosso 13:03:00 UTC
Fine. So we have some budget and we should evaluate gifting shirts or something for PRs, what do you think about it? But we should establish some rules
fzipitria 13:03:44 UTC
That would be awesome, but who/how is that going to work?
bxlxx.wu 13:04:05 UTC
Do we have budget? awesome!
Juan Pablo Tosso 13:04:05 UTC
Printify can handle all gifts worldwide
fzipitria 13:04:12 UTC
Do they?
fzipitria 13:04:22 UTC
Sometimes they are a pain: customs, etc.
fzipitria 13:04:47 UTC
We can try, of course
Juan Pablo Tosso 13:05:20 UTC
So there are countries that won’t have a good time receiving gifts because of customs
ShiMing Q 13:05:21 UTC
Did you consider a digital gift, such as a digital badge?
fzipitria 13:05:49 UTC
OWASP would not mind, but we can ask formally
Juan Pablo Tosso 13:05:51 UTC
I think IT people really enjoy shirts 🤣 but I’m all ears (eyes)
bxlxx.wu 13:06:24 UTC
Multiple products to choose from?
fzipitria 13:06:40 UTC
Let’s go around asking first other projects, and we can regroup next meeting?
Juan Pablo Tosso 13:06:52 UTC
sure, seems fair to me
bxlxx.wu 13:06:56 UTC
coraza doll?
Juan Pablo Tosso 13:06:59 UTC
we will gather more info on this
Juan Pablo Tosso 13:07:22 UTC
We will review this again on next meeting with more information if you all agree
Juan Pablo Tosso 13:07:42 UTC
Next topic, vulnerability handling
fzipitria 13:08:32 UTC
We do have a SECURITY.md, right?
Juan Pablo Tosso 13:08:53 UTC
it’s the default github security.md
fzipitria 13:09:12 UTC
Excellent.
Juan Pablo Tosso 13:09:27 UTC
Should we create an email group to receive 0day reports?
fzipitria 13:09:28 UTC
I would say we should give a GPG key
fzipitria 13:09:36 UTC
For encrypted comms
fzipitria 13:09:53 UTC
I don’t like gmail that much for this
Juan Pablo Tosso 13:10:23 UTC
Which service could we use to get the reports?
bxlxx.wu 13:10:41 UTC
Do we have a bulletin board to post these fixes?
fzipitria 13:10:44 UTC
email is good, as long as it is encrypted
Juan Pablo Tosso 13:11:06 UTC
@bxlxx.wu we can use github advisories
fzipitria 13:11:38 UTC
Yeah, that’s an easy one
fzipitria 13:11:50 UTC
I say we stick to GH for this
Juan Pablo Tosso 13:12:07 UTC
great, and where do we receive the reports?
Juan Pablo Tosso 13:12:32 UTC
we could have an email address like [email protected] and forward it to core contributors and co-leaders
Juan Pablo Tosso 13:12:41 UTC
using GPG
bxlxx.wu 13:13:06 UTC
agreed
Juan Pablo Tosso 13:13:50 UTC
Ok so do we agree on forwarding [email protected] to all core contributors and co-leaders and posting advisories on github?
great
Juan Pablo Tosso 13:14:26 UTC
I think this will be the final topic
Juan Pablo Tosso 13:14:30 UTC
Project values
Juan Pablo Tosso 13:14:50 UTC
I think this is super important because it’s the baseline of everything we are
Juan Pablo Tosso 13:15:11 UTC
When I created the project I thought about Simplicity, Extensibility, Innovation, Community. But now I want your opinion
fzipitria 13:15:55 UTC
What will the core values imply? If something is not simple, it will be rejected?
Juan Pablo Tosso 13:17:26 UTC
it talks about what makes the project:
We keep it simple, most people should be able to contribute
We keep it extensible, you should be able to easily extend more capabilities
We innovate, we accept new features because it seems cool
We are a community, you can participate, everything is public and transparent
ShiMing Q 13:18:23 UTC
Is this project the replacement for the previous modsecurity?
↳ fzipitria 13:18:56 UTC
Hopefully not. It should be better.
Juan Pablo Tosso 13:18:54 UTC
that is an important topic, technically we can replace it but we are not a replacement, we are coraza, not modsecurity
Juan Pablo Tosso 13:19:18 UTC
the first phase of the project was compatibility
Juan Pablo Tosso 13:19:25 UTC
the next phase should be to keep compatibility but make it awesome
fzipitria 13:20:21 UTC
I would say We innovate, we accept new features because it seems cool 👉 We innovate, we accept new features from anyone
fzipitria 13:20:47 UTC
It is redundant to say it is cool: we all know that we are cool 😛
Juan Pablo Tosso 13:21:11 UTC
yep, so defining the project is something that requires a lot of work
Juan Pablo Tosso 13:21:41 UTC
I will bring some proposals for the next meeting so we can review it but it would be cool to get some ideas from you all
fzipitria 13:21:52 UTC
Sure
Juan Pablo Tosso 13:21:54 UTC
what defines OWASP coraza
Juan Pablo Tosso 13:22:09 UTC
what is coraza for you? what would you like it to be?
fzipitria 13:22:38 UTC
For me the most important part is Community
Juan Pablo Tosso 13:23:00 UTC
exactly, coraza was moved from my personal repo to an organization because of that
ShiMing Q 13:23:06 UTC
Let’s create, we can create it together.
bxlxx.wu 13:23:07 UTC
Projects used by every enterprise
fzipitria 13:24:31 UTC
I would say let’s bring a more down to earth wording for next meeting maybe
Juan Pablo Tosso 13:24:40 UTC
I created this discussion so you can post your ideas
Juan Pablo Tosso 13:24:49 UTC
it will be discussed during the next meeting
Juan Pablo Tosso 13:25:18 UTC
There are a few pending topics, but we will add the current meeting results to the meeting issue on GH
Juan Pablo Tosso 13:25:33 UTC
We leave them for the next meeting!
Juan Pablo Tosso 13:25:36 UTC
Anything to add?
Juan Pablo Tosso 13:25:44 UTC
I have to go in 5 mins 😅
Juan Pablo Tosso 13:26:49 UTC
Thank you everyone for your time! We made history today 😜
fzipitria 13:26:52 UTC
Awesome, good meeting!
fzipitria 13:27:02 UTC
See you next one! 👋
ShiMing Q 13:27:23 UTC
Cheers
bxlxx.wu 13:32:20 UTC
It’s OK with me