Monthly meeting agenda (March 2022) #180

Closed
jptosso opened this issue Feb 23, 2022 · 3 comments

jptosso commented Feb 23, 2022

Current agenda

  1. Project status
  2. Pending Feb topics
    1. Gift on PRs: @jptosso will bring proposals with price and "rules"
    2. Project core values: @jptosso will bring the proposal of core values
    3. Where to publicly store all coraza research? Public confluence, website, or GH wiki
    4. Side projects status and future (website, sandbox, docker, caddy, traefik, gin, and coraza-server)
    5. README structure
  3. Optimize variable and prepare for persistence #186 (moved to v3)
  4. Windows compatibility #207
  5. Response Body Processor #187
  6. Versioning strategies for Coraza #208
  7. More hooks for plugins #190
  8. Implement new directive for performance profiling #192
  9. Rewrite debug log mechanism #196
  10. Last discussions before v2 release #150

How to join?

  1. Join OWASP slack: https://owasp.org/slack/invite
  2. Join #coraza channel: https://owasp.slack.com/archives/C02BXH135AT
@jptosso jptosso changed the title Monthly meeting agenda March 2022 Monthly meeting agenda (March 2022) Feb 23, 2022
@jptosso jptosso pinned this issue Mar 16, 2022
@jptosso jptosso unpinned this issue Mar 30, 2022

syinwu commented Mar 31, 2022

Meeting Notes

Project Status

  1. The project is now part of OWASP lab project, labeled as OWASP Coraza
  2. New upcoming sponsor (TBD)
  3. We have completed all milestones for v2 release
  4. We have people interested in GSOC, feel free to join #coraza-gsoc
  5. We have made a lot of progress in libcoraza (C wrapper)

Bug Bounties

We will offer a variety of gift options like mugs, shirts, stickers, etc. We will discuss it during the month.

Project Values

From @jcchavezs, add a new project value named stability

I think one of the good things about Coraza is that we not only want to be a port of modsec but include new features, but good well-proven features are already designed, so we just need to reinforce that and provide other new features. In that sense I think we should be careful about what we include because we would have to maintain that for long. Maybe “maturity” isn’t the right wording, but being careful with what we introduce and how is key IMHO. Something that expresses that we won’t introduce things half-baked.

Regarding Coraza Research Store

Website for the win

Side Projects Status:

  1. Nginx connector: Under development, passing lots of tests but requires a lot of research, the code will be shared once libcoraza is finished
  2. Sandbox: Abandoned project until we find someone to work on the UI side
  3. Docker: Abandoned project, we must transform this into: coraza/coraza:coraza-server-2.0 coraza/coraza:coraza-caddy:2.0, where each subproject will handle their own images
  4. Traefik: Abandoned, requires maintainer
  5. Gin: Abandoned, requires maintainer
  6. Caddy: Being maintained just to run tests, requires a maintainer
  7. Coraza-Server: Under active development, @Bxlxx is working on it, it’s also a GSOC project
  8. Coraza-SPOA: Under development, @Bxlxx has finished most of the work and he is testing it. We start with SPOA as a single project, as @Bxlxx proposes. And then we regroup and take a look afterward

Coraza in WASM

We make Coraza aware of tinygo and hence replace problematic libraries or adapt to tinygo with build tags. @jcchavezs will maintain this.

Windows Compatibility

Wait until we get an active "windows" contributor.

Response Body Processor

V3 issue.

Regarding Project Versioning

Feature-based. Whenever a feature that is considered core or awesome is required to break compatibility, we release a major version. But it could easily lead to 3 major versions per year.

Other Topics

  1. More hooks for plugins
  2. Performance profiling
  3. Rewrite debug log mechanism


github-actions bot commented May 1, 2022

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label May 1, 2022

This issue was closed because it has been inactive for 14 days since being marked as stale.
