Re: [mod-security-users] CRS Issues being automatically closed?
From: Bill S. <bi...@go...> - 2021-01-11 14:11:49
Christian,

Thank you for the explanation.

On Mon, Jan 11, 2021, 1:22 AM Christian Folini <chr...@ne...> wrote:

> Hey Jamie,
>
> This is the mailing list for the ModSecurity engine. The CRS project has a
> separate mailing list over at
>
> https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
>
> But let me answer your question nevertheless:
>
> You are correct and this configuration to close stale issues after 120 days
> is offensive. And we did not take it lightly. We have been struggling with
> not being able to address all the issues for years. We tried different
> methods, scheduling, assigning, highlighting, inviting the wider community to
> help, tagging as "#goodfirstissue" etc. But it did not bring a real solution:
> The issues pile up and new issues (also vital ones!) can end up buried under
> a pile that is too big to plough through.
>
> As most open source projects, CRS is a volunteer driven project. People work
> on CRS because they want to work on CRS. Some steal time from their companies
> to do so, some put their children to bed to hack away. But it is always time
> that our developers give to the project freely. I as a co-leader of the
> project cannot force issues into their hands. All I can do is making CRS a
> fun project to work with and prepare the environment in a way that makes
> it easy and cool to work on CRS.
>
> And the huge pile of issues started to have a chilling effect on developers
> or new developers. There is a moment where the pile is so big, you are not
> even addressing what you can address because of all the rest. Looking at the
> 36 issues open right now feels manageable and most issues are being
> addressed. (You can tell easily, since most open issues do have a
> conversation history.)
>
> So we talked about the step a big deal and we took the decision about a year
> ago. Ultimately it was a decision to pick between the goodwill and health of
> the developers and the goodwill of individual users. I am really not happy
> with the way it is and I have a new plan to help us address all the issues
> before they get stale. But it is not quite ready to share.
>
> What can you do: If you care about an issue, then comment on it. We read
> every comment on every issue. If you get the notice that the issue has been
> tagged for removal (the tag "Stale issue" is being applied 2 weeks or so
> before it gets closed), then comment on the issue and tell us you still care.
> Also multiple users chiming in give an issue priority in our eyes. We
> currently do an issue chat once a month (3rd Monday every month), where we
> look into 5-10 open issues. One way to make sure an issue makes it into that
> meeting is the tag "Meeting agenda". Ask us to add this tag and we will take
> it on the list.
>
> All in all, using the services of the stale issue bot is not a sign that we
> do not care. Quite the opposite. We care a lot and we feel bad about using
> the stale issue bot. But it was the only solution we saw.
>
> Hope this explains our reasoning a bit.
>
> Best regards and thanks for speaking up,
>
> Christian Folini, CRS Co-Lead
>
> On Mon, Jan 11, 2021 at 12:49:17AM +0000, Jamie Burchell wrote:
> > Hi CRS Team
> >
> > I'm disappointed to see that issues I'm reporting (FPs) (e.g.
> > https://github.com/coreruleset/coreruleset/issues/1864) are being
> > automatically closed by stalebot. I fully understand that there may not be
> > the time nor the resources to address issues reported, and I know why
> > stalebot exists, but I don't think rule issues that people have spent time
> > looking at and reporting should be closed before they are actually
> > addressed. It certainly doesn't encourage me to continue reporting them
> > moving forward.
> >
> > Cheers, Jamie
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/