Irregular meeting agenda & 4.0 checklist - 11 April 2022
Meeting notes of 11 April 2022.
Checks
- [x] is #2417 ok?
- [x] is #2417 tested on coraza? -> Not yet, will be done during RC1.
- [x] is #2349 ok?
- [x] xanadu PR to remove DoS rules from base? #2469
- [x] plugins ready? -> no. decide on plugin activation/deactivation mechanism. -> There are multiple scenarios:
  1. A plugin is always enabled. (I think we all agree that’s not an option anymore)
  2. A plugin is enabled unless it’s explicitly disabled. (Easy installing, but tweaking is possible)
  3. A plugin is enabled when it’s explicitly enabled. (More work to install a plugin, with same capabilities as the former.)

  Option 2 is chosen with no dissent.
- [x] plugin activation variable: stick to the plugin names, useful for scripting. Example: `TX:dummy-plugin_enabled`
- [x] are there any blockers that would warrant shifting the RC1 (a few days) into the future so we can fix them before unleashing them on the testers?
- [x] are there any PRs we ideally want to include, if reasonably quick? -> yes, #2490
- [x] go/no-go on RC1. -> no-go at this point.
Date for RC1
- There is a little bit of work left, but not too much.
- As some reviews and all plugin changes are necessary, we won’t make it within a few days.
- Easter holiday is coming up on next Friday to Monday.
- Decision: Reschedule the RC1 to Tue 19 after Easter - assuming all todos are taken care of:
Todo before RC1
- [x] #2488 - will be tested and merged by @lifeforms
- [x] #2483
- [x] #2490 - has a comment that should be resolvable quickly, then include it.
- [x] Ensure all the plugins follow scenario 2 (default enable, unless `TX:dummy-plugin_enabled` is 0) - @lifeforms and @theseion will fight. First update the dummy plugin, then leave 24hr for comments, then copy the mechanism to all the plugins.
- [ ] Put a notice in crs-setup.conf.example where the exclusions were. Put links to find the plugins and tell about their automatic activation, unless you disable them. @lifeforms
- [x] There was also a point about all plugins missing CRS copyright notices by accident… @RedXanadu will get that sorted.
Todo before release
- [ ] is #2417 tested on coraza? Compatibility is a must-have for our final release.
Todo after release
- [ ] #2680 - Bring back IP reputation functionality as 2 separate plugins. See comment
What about this for RC1? https://github.com/coreruleset/coreruleset/issues/2486
@azurit I think we can talk about making this an official plugin, but there is no need to make sure it is in RC1. Plugins will have their own release cycle. And if it is not there when we release 4.0, then maybe 2-4 weeks afterwards.
It's also a relatively special use case. Or rather a plugin aimed at one possible procedure to work on false positives. I use a different one, but I see how this one could work as well.
Ok. And this? https://github.com/coreruleset/coreruleset/pull/2480
I added gtid_subset (and others) as a response to these tweets but it really should be caught in PL1.
#2480 did not carry the v4 milestone tag / label so far. So it has not really been considered.
@lifeforms is the release manager and with the Monday meeting we are now in the release mode, so the decision is now formally his.
I think #2480 is excellent and I want it! It's a bit like the rule I did for PHP - move the often triggering false positive words to PL2. I was a bit confused about moving the original ruleId to PL2, but I see where it makes sense (people can keep their existing exclusions). It looks good so I'm merging it. Thank you @azurit !
@lifeforms Thank you!
@lifeforms Shall we create tickets for the two remaining tasks here?
Created issues for the last two items here. Closing.