Dev Retreat 2022 Topics
We distinguish between Project (-> big project running multiple days) and Workshop (-> Brainstorming sessions).
Below is the proposal of the preparation team.
ATTENTION: We will look through the open bug bounty findings Saturday (-> grouping!) and then all hands working on them all through Sunday. This will then allow us to reassess the situation Sunday night and decide just how much more work this takes.
- Prepare 4.0 release
- Update all the keyword lists + tools + ideas for keeping our list up to date
Schedule: Starting Tuesday
Volunteers:
- theseion
- Felipe
- Franziska
- theMiddle
- There should be one rule at least corresponding to each finding before releasing v4
- This includes separate report with SQLi findings
Schedule: Saturday evening, Sunday all day, during the week as needed
Volunteers:
- Everybody present
- There are a few issues in regexp-assemble that ought to be fixed for 4.0
- Move our older regexes to new format: https://github.com/coreruleset/coreruleset/issues?q=is%3Aopen+sort%3Aupdated-desc+label%3A%22%3Amage%3A+regexp-assembly%22+
Schedule: Starting Tuesday
Volunteers:
- theseion
- Felipe
- Status page where we test CRS integrations like Azure / AWS / Cloudflare with our test suite and then we give them scores
- We've done a good start at the dev-retreat in 2021, then some advances during the year, then it came to a halt when the dev retreat took over
- We want to push this forward during the retreat
Schedule: Starting Tuesday
Volunteers:
- Christian
- Andrew
- Felipe
- Ervin
- Franziska
- Add exclusions for most popular WordPress plugins to our WP plugins / modules.
- Focus on this rule exclusion plugin since it's the most widespread CMS and we can really make a difference here.
- Ideas including automatic testing of WP with the most important modules, maybe using Selenium or something similar to simulate real application usage to gather false positives.
Schedule: Starting Tuesday
Volunteers:
- theMiddle
- Planning workshop: Where do we want to go with the project
- Includes planning for more documentation, closing holes in our list
Schedule: Monday morning
- Crash course in Regexp-Assembly
- Learn to use the tool
Schedule: Tuesday afternoon
- All our releases are performed by Walter
- We need to share the workload and we need to automate more of it
- Major pain point: Backporting of rule updates
- We also need to define the supported versions
Schedule: Wednesday afternoon
- Project growth means that some devs are not attending our sync chats anymore. So it's harder to keep everybody on the same page. We will need to evolve without risking the good things that we have.
- How to deal with the natural flow of developers coming and going?
- Project governance (likely it won’t be Christian/Felipe/Walter until their pension date)
- We have a lot of sub-projects now, plus plugins and initiatives and it's hard to keep it all together with our work of collaboration. But formally introducing sub-projects risks splitting our project.
Schedule: Thursday afternoon
Schedule: We'll put up a flipchart somewhere and people can add their ideas during the week.
- Share experience about dev-on-duty
- talk about an update to the program
- look ahead
- Plan to talk project structure during the retreat
- During the Bug Bounty resolution, we lacked a formal security incident lead and it showed
- We are also not documenting the process formally enough, so it is hard to reproduce results and decisions
- We have a very lean approach to security reports, but it feels like we need more administrative overhead
- Formally running a big corpus of random prose payload against our rules to gauge the FP rate of individual rules.
- Think about sources beyond wikipedia
- Think about the huge amount of data and CPU power this would consume
- English or more than English?
- Libinjection is stalled and we are suffering
- What can / should / want we to do about it
...
| Name | Type | Description |
|---|---|---|
| Pushing Project Seaweed | Project | This is the GSoC automatic processing of CVE proof of concepts |
We need to solve the bug bounty stuff first. GSoC student is also transitioning into a new job, we'll pick this up after 4.0 comes out and integrate it into our tool box.
These are the confirmed activities: TBD