w3af-develop Mailing List for w3af (Page 7)
Status: Beta
Brought to you by:
andresriancho
From: Andres R. <and...@gm...> - 2014-03-21 17:00:49
But... you do have osx to run some tests, right?

On Fri, Mar 21, 2014 at 1:58 PM, Leandro Reox <lea...@gm...> wrote:
> I have a mac ... but it runs Debian as main os :)

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Leandro R. <lea...@gm...> - 2014-03-21 16:58:30
I have a mac ... but it runs Debian as main os :)

On Mar 21, 2014 1:38 PM, "Robin Wood" <ro...@di...> wrote:
> On 21 March 2014 16:35, Andres Riancho <and...@gm...> wrote:
>> You chickened out ;) ;)
>
> I don't have a Mac any more thank god.

From: Robin W. <ro...@di...> - 2014-03-21 16:38:46
On 21 March 2014 16:35, Andres Riancho <and...@gm...> wrote:
> You chickened out ;) ;)

I don't have a Mac any more thank god.

From: Robin W. <ro...@di...> - 2014-03-21 16:38:16
On 21 March 2014 16:26, Andres Riancho <and...@gm...> wrote:
> Robin, Leandro,
>
> Thanks for volunteering, to help please join the IRC [0] so we can
> chat. I'm __apr__ at the #w3af channel, I'm available now and until
> 3pm GMT-3 (approx)

Wasn't volunteering just pointing out the time had passed but I just
realised I mis-read it as 2PM GMT to 3PM GMT not 2PM GMT-3.

Robin

> [0] http://w3af.org/community

From: Robin W. <ro...@di...> - 2014-03-21 16:36:27
On 21 March 2014 15:52, Andres Riancho <and...@gm...> wrote:
> List,
>
> I'm trying to fix an ugly bug that only affects Mac users [0] and
> because I don't have any installations of that OS it is really hard to
> make any progress. Could someone give me a hand? All you need is some
> time, minimal python knowledge and the will to help.
>
> Find me at 2pm GMT-3 (in one hour) at IRC
> http://w3af.org/community

Don't know if you got anyone but this only just came through at 3:52
GMT so would explain things if you didn't.

Robin

> [0] https://github.com/andresriancho/w3af/issues/485

From: Andres R. <and...@gm...> - 2014-03-21 16:36:12
You chickened out ;) ;)

On Fri, Mar 21, 2014 at 1:31 PM, Robin Wood <ro...@di...> wrote:
> On 21 March 2014 16:26, Andres Riancho <and...@gm...> wrote:
>> Robin, Leandro,
>>
>> Thanks for volunteering, to help please join the IRC [0] so we can
>> chat. I'm __apr__ at the #w3af channel, I'm available now and until
>> 3pm GMT-3 (approx)
>
> Wasn't volunteering just pointing out the time had passed but I just
> realised I mis-read it as 2PM GMT to 3PM GMT not 2PM GMT-3.
>
> Robin

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Andres R. <and...@gm...> - 2014-03-21 16:27:24
Robin, Leandro,

Thanks for volunteering, to help please join the IRC [0] so we can
chat. I'm __apr__ at the #w3af channel, I'm available now and until
3pm GMT-3 (approx)

[0] http://w3af.org/community

On Fri, Mar 21, 2014 at 1:15 PM, Leandro Reox <lea...@gm...> wrote:
> I can help you Andres

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Leandro R. <lea...@gm...> - 2014-03-21 16:15:09
I can help you Andres

On Mar 21, 2014 12:53 PM, "Andres Riancho" <and...@gm...> wrote:
> List,
>
> I'm trying to fix an ugly bug that only affects Mac users [0] and
> because I don't have any installations of that OS it is really hard to
> make any progress. Could someone give me a hand? All you need is some
> time, minimal python knowledge and the will to help.
>
> Find me at 2pm GMT-3 (in one hour) at IRC
> http://w3af.org/community
>
> [0] https://github.com/andresriancho/w3af/issues/485

From: Andres R. <and...@gm...> - 2014-03-21 15:53:19
List,

I'm trying to fix an ugly bug that only affects Mac users [0] and
because I don't have any installations of that OS it is really hard to
make any progress. Could someone give me a hand? All you need is some
time, minimal python knowledge and the will to help.

Find me at 2pm GMT-3 (in one hour) at IRC
http://w3af.org/community

[0] https://github.com/andresriancho/w3af/issues/485

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

From: Delaporte, E. C. V <del...@il...> - 2014-03-20 15:22:02
|
I'm switching out of lurk mode briefly to say that I'm delighted by the plan to add a REST API, and would be happy to assist. This is something my team may well make use of in the future. We do most of our scanning with IBM Rational AppScan at the moment, but I've been considering w3af as a supplement for awhile. Being able to automate w3af through a REST API would go a long way toward being able to scan a lot more often (our AppScan license is currently booked pretty solidly doing final acceptance scans). Once the w3af scan REST API is in prototype stage, I should be able to find some things around here to test it against, and since the technology stack matches ours, I may also be able to submit patches for simple issues. - Edward Edward Delaporte Lead Software Developer, CITES Software Development Group University of Illinois at Urbana Champaign Email: del...@il... Lync/Cell Phone: 217-244-6420 ________________________________________ From: w3a...@li... [w3a...@li...] Sent: Thursday, March 20, 2014 10:09 AM To: w3a...@li... Subject: W3af-develop Digest, Vol 74, Issue 3 Send W3af-develop mailing list submissions to w3a...@li... To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/w3af-develop or, via email, send a message with subject or body 'help' to w3a...@li... You can reach the person managing the list at w3a...@li... When replying, please edit your Subject line so it is more specific than "Re: Contents of W3af-develop digest..." Today's Topics: 1. Bug fixing sprint (Andres Riancho) 2. REST API for w3af (Andres Riancho) 3. Re: REST API for w3af (Bipin Upadhyay) 4. Re: REST API for w3af (Andres Riancho) 5. Re: REST API for w3af (Bipin Upadhyay) ---------------------------------------------------------------------- Message: 1 Date: Wed, 19 Mar 2014 15:48:17 -0300 From: Andres Riancho <and...@gm...> Subject: [W3af-develop] Bug fixing sprint To: "w3a...@li..." 
<W3a...@li...> Message-ID: <CA+1Rt65oi_H3G2nR9hgJGr=Tom...@ma...> Content-Type: text/plain; charset=ISO-8859-1 List, I've been fixing a lot of the bugs I prioritized last week, these are the bugs blocking the next release: * nosetests w3af/plugins/tests/audit/test_os_commanding.py is unstable * Broken youtube links and url links * AssertionError: Can NOT join a stopped consumer * An exception was found while running audit.os_commanding at mutant.py:_create_mutants_worker():274 * pybloomfiltermmap stack overflow crash on startup - Mac OSX blocker And you can find them here [0]. If you're interested in helping out with any of those, you're more than welcome to join the w3af channel at freenode and speak up! [0] https://github.com/andresriancho/w3af/issues?labels=bug&milestone=7&state=open Regards, -- Andr?s Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------ Message: 2 Date: Thu, 20 Mar 2014 11:47:00 -0300 From: Andres Riancho <and...@gm...> Subject: [W3af-develop] REST API for w3af To: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...> Message-ID: <CA+1Rt67yxjGOXX3dBAC0tYi3UJ=_V9...@ma...> Content-Type: text/plain; charset=ISO-8859-1 Lists, Talking with different users off-list, I've noticed that the advanced users want to integrate w3af with other tools, and while this is possible today (w3af console script + XML output) it is not the best approach. The world is moving towards REST APIs, and we're going there too. A REST API allows users to spawn a w3af server in their datacenter and have it run scans of all their web applications, calling it remotely from continuous integration / delivery systems, etc. w3afRemote [1] was an innovative project built by Deb some time ago, which had the main goals but a different technology stack: xmlrpc. Together with Deb we've decided to code a REST API wrapper around w3afCore/kb and make that part of the project. 
When this is done you'll be able to run ./w3af_api and have a fully functioning HTTP daemon exposing the REST API listening on localhost. This part of the project is just starting [0]: we have the idea and some time to dedicate to it. If you want to join us speak now!; your input is very valuable. [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open [1] http://sourceforge.net/projects/w3afremote/ Regards, -- Andr?s Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------ Message: 3 Date: Thu, 20 Mar 2014 16:01:25 +0100 From: Bipin Upadhyay <mux...@gm...> Subject: Re: [W3af-develop] REST API for w3af To: Andres Riancho <and...@gm...> Cc: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...> Message-ID: <CALCtKA+jQ0JJud_TTnL8eYPpqTsChVXzZ00kDejdoekX5uaX=A...@ma...> Content-Type: text/plain; charset="utf-8" This is good news, Andres! Is the API list available somewhere for us to see before it's actually implemented? It's been my personal experience that defining a REST API properly is vital before getting started with the code. It may provoke a purist vs non-purist REST debates, but it's mostly works in favor of the project. -- Bipin Upadhyay http://projectbee.org/ On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <and...@gm...>wrote: > Lists, > > Talking with different users off-list, I've noticed that the > advanced users want to integrate w3af with other tools, and while this > is possible today (w3af console script + XML output) it is not the > best approach. > > The world is moving towards REST APIs, and we're going there too. > A REST API allows users to spawn a w3af server in their datacenter and > have it run scans of all their web applications, calling it remotely > from continuous integration / delivery systems, etc. 
> > w3afRemote [1] was an innovative project built by Deb some time > ago, which had the main goals but a different technology stack: > xmlrpc. Together with Deb we've decided to code a REST API wrapper > around w3afCore/kb and make that part of the project. When this is > done you'll be able to run ./w3af_api and have a fully functioning > HTTP daemon exposing the REST API listening on localhost. > > This part of the project is just starting [0]: we have the idea > and some time to dedicate to it. If you want to join us speak now!; > your input is very valuable. > > [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open > [1] http://sourceforge.net/projects/w3afremote/ > > Regards, > -- > Andr?s Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > W3af-develop mailing list > W3a...@li... > https://lists.sourceforge.net/lists/listinfo/w3af-develop > -------------- next part -------------- An HTML attachment was scrubbed... ------------------------------ Message: 4 Date: Thu, 20 Mar 2014 12:06:51 -0300 From: Andres Riancho <and...@gm...> Subject: Re: [W3af-develop] REST API for w3af To: Bipin Upadhyay <mux...@gm...> Cc: "w3a...@li..." <w3a...@li...>, "w3a...@li..." <W3a...@li...> Message-ID: <CA+1Rt64j_pxb7xgL6v23=drz...@ma...> Content-Type: text/plain; charset=ISO-8859-1 +1 on defining the API before coding. For now nothing is really defined, any chance you've got the time to draft the first version in the wiki? 
On Thu, Mar 20, 2014 at 12:01 PM, Bipin Upadhyay <mux...@gm...> wrote: > This is good news, Andres! > Is the API list available somewhere for us to see before it's actually > implemented? It's been my personal experience that defining a REST API > properly is vital before getting started with the code. It may provoke a > purist vs non-purist REST debates, but it's mostly works in favor of the > project. > > -- > Bipin Upadhyay > http://projectbee.org/ > > > On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <and...@gm...> > wrote: >> >> Lists, >> >> Talking with different users off-list, I've noticed that the >> advanced users want to integrate w3af with other tools, and while this >> is possible today (w3af console script + XML output) it is not the >> best approach. >> >> The world is moving towards REST APIs, and we're going there too. >> A REST API allows users to spawn a w3af server in their datacenter and >> have it run scans of all their web applications, calling it remotely >> from continuous integration / delivery systems, etc. >> >> w3afRemote [1] was an innovative project built by Deb some time >> ago, which had the main goals but a different technology stack: >> xmlrpc. Together with Deb we've decided to code a REST API wrapper >> around w3afCore/kb and make that part of the project. When this is >> done you'll be able to run ./w3af_api and have a fully functioning >> HTTP daemon exposing the REST API listening on localhost. >> >> This part of the project is just starting [0]: we have the idea >> and some time to dedicate to it. If you want to join us speak now!; >> your input is very valuable. 
>> >> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open >> [1] http://sourceforge.net/projects/w3afremote/ >> >> Regards, >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework >> Twitter: @w3af >> GPG: 0x93C344F3 >> >> _______________________________________________ >> W3af-develop mailing list >> W3a...@li... >> https://lists.sourceforge.net/lists/listinfo/w3af-develop > > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Bipin U. <mux...@gm...> - 2014-03-20 15:09:21
|
I'd love to, but haven't played with w3af in a while (change of jobs, country) I can assist you though. -- Bipin Upadhyay http://projectbee.org/ On Thu, Mar 20, 2014 at 4:06 PM, Andres Riancho <and...@gm...>wrote: > +1 on defining the API before coding. > For now nothing is really defined, any chance you've got the time to > draft the first version in the wiki? > > On Thu, Mar 20, 2014 at 12:01 PM, Bipin Upadhyay <mux...@gm...> > wrote: > > This is good news, Andres! > > Is the API list available somewhere for us to see before it's actually > > implemented? It's been my personal experience that defining a REST API > > properly is vital before getting started with the code. It may provoke a > > purist vs non-purist REST debates, but it's mostly works in favor of the > > project. > > > > -- > > Bipin Upadhyay > > http://projectbee.org/ > > > > > > On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho < > and...@gm...> > > wrote: > >> > >> Lists, > >> > >> Talking with different users off-list, I've noticed that the > >> advanced users want to integrate w3af with other tools, and while this > >> is possible today (w3af console script + XML output) it is not the > >> best approach. > >> > >> The world is moving towards REST APIs, and we're going there too. > >> A REST API allows users to spawn a w3af server in their datacenter and > >> have it run scans of all their web applications, calling it remotely > >> from continuous integration / delivery systems, etc. > >> > >> w3afRemote [1] was an innovative project built by Deb some time > >> ago, which had the main goals but a different technology stack: > >> xmlrpc. Together with Deb we've decided to code a REST API wrapper > >> around w3afCore/kb and make that part of the project. When this is > >> done you'll be able to run ./w3af_api and have a fully functioning > >> HTTP daemon exposing the REST API listening on localhost. 
> >> > >> This part of the project is just starting [0]: we have the idea > >> and some time to dedicate to it. If you want to join us speak now!; > >> your input is very valuable. > >> > >> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open > >> [1] http://sourceforge.net/projects/w3afremote/ > >> > >> Regards, > >> -- > >> Andrés Riancho > >> Project Leader at w3af - http://w3af.org/ > >> Web Application Attack and Audit Framework > >> Twitter: @w3af > >> GPG: 0x93C344F3 > > > > > > > > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 > |
From: Andres R. <and...@gm...> - 2014-03-20 15:07:20
|
+1 on defining the API before coding. For now nothing is really defined, any chance you've got the time to draft the first version in the wiki? On Thu, Mar 20, 2014 at 12:01 PM, Bipin Upadhyay <mux...@gm...> wrote: > This is good news, Andres! > Is the API list available somewhere for us to see before it's actually > implemented? It's been my personal experience that defining a REST API > properly is vital before getting started with the code. It may provoke a > purist vs non-purist REST debates, but it's mostly works in favor of the > project. > > -- > Bipin Upadhyay > http://projectbee.org/ > > > On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <and...@gm...> > wrote: >> >> Lists, >> >> Talking with different users off-list, I've noticed that the >> advanced users want to integrate w3af with other tools, and while this >> is possible today (w3af console script + XML output) it is not the >> best approach. >> >> The world is moving towards REST APIs, and we're going there too. >> A REST API allows users to spawn a w3af server in their datacenter and >> have it run scans of all their web applications, calling it remotely >> from continuous integration / delivery systems, etc. >> >> w3afRemote [1] was an innovative project built by Deb some time >> ago, which had the main goals but a different technology stack: >> xmlrpc. Together with Deb we've decided to code a REST API wrapper >> around w3afCore/kb and make that part of the project. When this is >> done you'll be able to run ./w3af_api and have a fully functioning >> HTTP daemon exposing the REST API listening on localhost. >> >> This part of the project is just starting [0]: we have the idea >> and some time to dedicate to it. If you want to join us speak now!; >> your input is very valuable. 
>> >> [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open >> [1] http://sourceforge.net/projects/w3afremote/ >> >> Regards, >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework >> Twitter: @w3af >> GPG: 0x93C344F3 > > -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Bipin U. <mux...@gm...> - 2014-03-20 15:01:52
|
This is good news, Andres! Is the API list available somewhere for us to see before it's actually implemented? It's been my personal experience that defining a REST API properly is vital before getting started with the code. It may provoke purist vs non-purist REST debates, but it mostly works in favor of the project. -- Bipin Upadhyay http://projectbee.org/ On Thu, Mar 20, 2014 at 3:47 PM, Andres Riancho <and...@gm...> wrote: > Lists, > > Talking with different users off-list, I've noticed that the > advanced users want to integrate w3af with other tools, and while this > is possible today (w3af console script + XML output) it is not the > best approach. > > The world is moving towards REST APIs, and we're going there too. > A REST API allows users to spawn a w3af server in their datacenter and > have it run scans of all their web applications, calling it remotely > from continuous integration / delivery systems, etc. > > w3afRemote [1] was an innovative project built by Deb some time > ago, which had the main goals but a different technology stack: > xmlrpc. Together with Deb we've decided to code a REST API wrapper > around w3afCore/kb and make that part of the project. When this is > done you'll be able to run ./w3af_api and have a fully functioning > HTTP daemon exposing the REST API listening on localhost. > > This part of the project is just starting [0]: we have the idea > and some time to dedicate to it. If you want to join us speak now!; > your input is very valuable.
> > [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open > [1] http://sourceforge.net/projects/w3afremote/ > > Regards, > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 > |
From: Andres R. <and...@gm...> - 2014-03-20 14:47:29
|
Lists, Talking with different users off-list, I've noticed that the advanced users want to integrate w3af with other tools, and while this is possible today (w3af console script + XML output) it is not the best approach. The world is moving towards REST APIs, and we're going there too. A REST API allows users to spawn a w3af server in their datacenter and have it run scans of all their web applications, calling it remotely from continuous integration / delivery systems, etc. w3afRemote [1] was an innovative project built by Deb some time ago, which had the main goals but a different technology stack: xmlrpc. Together with Deb we've decided to code a REST API wrapper around w3afCore/kb and make that part of the project. When this is done you'll be able to run ./w3af_api and have a fully functioning HTTP daemon exposing the REST API listening on localhost. This part of the project is just starting [0]: we have the idea and some time to dedicate to it. If you want to join us speak now!; your input is very valuable. [0] https://github.com/andresriancho/w3af/issues?milestone=8&state=open [1] http://sourceforge.net/projects/w3afremote/ Regards, -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Andres R. <and...@gm...> - 2014-03-19 18:48:44
|
List,

I've been fixing a lot of the bugs I prioritized last week, these are the bugs blocking the next release:

* nosetests w3af/plugins/tests/audit/test_os_commanding.py is unstable
* Broken youtube links and url links
* AssertionError: Can NOT join a stopped consumer
* An exception was found while running audit.os_commanding at mutant.py:_create_mutants_worker():274
* pybloomfiltermmap stack overflow crash on startup - Mac OSX blocker

And you can find them here [0]. If you're interested in helping out with any of those, you're more than welcome to join the w3af channel at freenode and speak up!

[0] https://github.com/andresriancho/w3af/issues?labels=bug&milestone=7&state=open

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3 |
From: Taras <ox...@ox...> - 2014-03-16 19:30:13
|
Andres, 07.03.2014 19:15, Andres Riancho wrote: > Don't want to re-open this, but just a FYI: > > https://github.com/axiak/pybloomfiltermmap/issues/29 > > In other words, 0.3.11 of pybloomfiltermmap installation works > flawlessly, while 0.3.12 fails with gcc compilation errors :( If we > would have had >= this would have been an issue for us too. If it were packaged by e.g. Debian maintainers it would be tested. But yes, topic is closed :-) > On Tue, Feb 18, 2014 at 2:15 PM, Taras <ox...@ox...> wrote: >> Andres, >> >> Ok, I've got your opinion. Let's close this discussion. >> >> 17.02.2014 00:04, Andres Riancho wrote: >> >>> Taras, >>> >>> On Sun, Feb 16, 2014 at 4:28 PM, Taras <ox...@ox...> wrote: >>>> >>>> Andres, >>>> >>>> I think it is my last attempt to change your opinion :) >>>> >>>> From the list of software you have provided I have found only flask, >>>> scrapy >>>> and tastypie in Ubuntu repo. Results of "apt-cache show" output are below >>>> inline. >>>> The problem is w3af built-in dependency checker duplicates >>>> OS (e.g. Debian/Ubuntu) packaging system. They can conflict in >>>> some cases. >>>> >>>> For example, I want to make package of w3af for Ubuntu 13.10. >>>> There is package python-xml version 3.2.0 in repository. At the same time >>>> w3af requires lxml version exactly 2.3.2. How can I make package of w3af? >>>> Should I add "sudo pip install" into preinstall script? >>> >>> >>> Most likely not, that doesn't sound well. I don't know the right >>> answer because I'm not a packaging expert. >>> >>> The package maintainer can always apply a patch on top of the original >>> software to remove the dependency check completely (I think Luciano >>> did something like this [0]) if he believes it is the best thing to >>> do. Then he's taking the responsibility of that change. My >>> responsibility is to tell you that with these specific package >>> versions it works; then people do whatever they want with it.
>>> >>> [0] http://packages.ubuntu.com/precise/w3af-console - search for >>> "diff" >>> >>>> Have you got any feedback from w3af package maintainers for Debian/Ubuntu >>>> and other distributions after you had add strict dependencies? >>> >>> >>> There are no active package maintainers for w3af. They even don't >>> care, or don't want to maintain this software; so no, no package >>> maintainer told me anything about the "==". As I said above, they can >>> apply a diff to the software before packaging it, as done by Luciano a >>> while ago (not only for the dependency). >>> >>>> Is it >>>> important for you that w3af can be installed via simple command "apt-get >>>> install w3af" or through Ubuntu Software Center with single mouse click? >>> >>> >>> Yes, and not. >>> >>> Some users would find it awesome to be able to install it from the >>> repo; but this has proven to be (at least for w3af) a failed path. I'm >>> not going to maintain a package for each distribution, because I don't >>> care enough as a user myself. >>> >>> Packagers who have come to the project have either failed to release >>> their initial package or released it and then moved their free time to >>> something else. In this process, they left very old versions of w3af >>> in the repositories of all linux distributions; which don't even make >>> sense for users. >>> >>> If users can install w3af with: >>> >>> git clone ... >>> cd w3af >>> ./w3af_console # Yields error with all dependencies to install >>> /tmp/install_w3af_dependencies.sh >>> >>> Then I'm happy. >>> >>>> If it is important for you then I recommend to add maintainers into this >>>> discussion and ask if it is easy for them to make package of w3af with >>>> such >>>> requirements. >>> >>> >>> My opinion is that they don't care about the w3af package. >>> >>>> If it is not so important and "git clone + pip install" is preferable way >>>> of >>>> installation then thread can be closed. 
>>> >>> >>> In the past I've thought that having w3af in the linux distribution >>> repos was THE BEST THING, now... not so much, because: >>> * Software packages are difficult to maintain >>> * Each time a new dependency is added the maintainer needs to create >>> a new package for that (python-foo) and then maintain that one also >>> * The whole process takes time, so from the minute I put something in >>> the repo to the time the new package is there it can be months; and >>> "hackers" love to use the latest and they will come to the repo >>> anyways >>> >>>> >>>> >>>>>>> Not 100% a workaround, this is also a best practice! >>>>>>> >>>>>>> https://devcenter.heroku.com/articles/python-pip#the-basics >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Could you please show at least one example of well-know software with >>>>>> such >>>>>> requirements? >>>>> >>>>> >>>>> >>>>> I went through this list of the Top10 Python projects by github (not >>>>> sure how they choose that) and found many that either had no >>>>> dependencies or were not in a format in which we could compare them >>>>> with what we were talking about. 
Then found the following: >>>>> >>>>> * Strict dependencies used for this part of the project: >>>>> https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt >>>>> * Gt used for the user installable part: >>>>> https://github.com/torchbox/wagtail/blob/master/setup.py >>>>> >>>>> * These guys install whatever is available on pypi: >>>>> https://github.com/jmcarp/robobrowser/blob/master/requirements.txt >>>>> >>>>> * Flask installs Gt: >>>>> https://github.com/mitsuhiko/flask/blob/master/setup.py >>>> >>>> >>>> Depends: python-itsdangerous, python (>= 2.7), python-jinja2 (>= 2.4), >>>> python (<< 2.8), python-werkzeug (>= 0.8) >>>> Recommends: python-pkg-resources, python-blinker >>>> >>>> >>>>> * A mix between Gt and "whatever" is used here: >>>>> https://github.com/Eugeny/ajenti/blob/dev/requirements.txt >>>>> >>>>> * Scrapy uses a mix of GT and "whatever": >>>>> https://github.com/scrapy/scrapy/blob/master/requirements.txt >>>> >>>> >>>> >>>> Depends: python2.7, python (>= 2.7.1-0ubuntu2), python (<< 2.8), >>>> python-twisted-core, python-twisted-web, python-twisted-conch, >>>> python-twisted-mail, python-libxml2, python-boto, python-w3lib >>>> Recommends: python-lxml, python-guppy, python-django, ipython, >>>> python-pygments, python-imaging, python-mysqldb >>>> >>>> >>>>> * Django-tastypie uses the most complex of them all, which is rather >>>>> interesting and makes me wonder why they didn't use "==" instead: >>>>> https://github.com/toastdriven/django-tastypie/blob/master/setup.py . >>>>> This is what I mean: 'dateutil(>=1.5, !=2.0)' >>>>> >>>> Replaces: python-django-tastypie (<= 0.9.9-2) >>>> Depends: python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-mimeparse >>>> (>= >>>> 0.1.3), python-dateutil (>= 1.5), python-django (>= 1.2) >>>> Suggests: python-yaml, python-lxml >>>> >>> >>> I get your point, >= seems to be the preferred way of doing it in the >>> debian repos. 
If a packager wants, he can do that with w3af and apply >>> a patch to disable dependency check for w3af in the packaging process. >>> That way he's happy, we don't need to code anything and are also >>> happy. >>> >>>>> The first one is an example of "==", the rest were just to show that >>>>> now everyone agrees with me on what should be put on the >>>>> requirements.txt file (or the setup.py, which acts like the same many >>>>> times). >>>>> >>>>> Here are some other links where it says that "==" is a best practice: >>>>> * >>>>> https://lincolnloop.com/django-best-practices/deployment/bootstrap.html >>>>> (Ctrl+f "Pin your dependencies") >>>>> * >>>>> >>>>> http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements >>>>> (Ctrl+f "When you specify your requirements") >>>>> >>>>> And most importantly, the pip-installer user's guide: >>>>> * >>>>> >>>>> http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability >>>>> >>>>> "The requirements file was generated by pip freeze or you're sure it >>>>> only contains requirements that specify a specific version." >>>>> >>>>> When we're talking about including a specific version in >>>>> requirements.txt file or not, we're talking about repeatability. I >>>>> want to be strict about repeatability, forcing all libraries to be >>>>> exactly the ones I know will work because I've tested them in the CI; >>>>> and your point is that it would be easier for users to install with >>>>> less strict version requirements (which could lead to issues in some >>>>> cases). >>>>> >>>>> Sadly, you believe in one thing and I can't seem to convince you of >>>>> the benefits of ==, and the same applies the other way (I can't be >>>>> convinced of the benefits of >=). Unless I hear a definitive reason on >>>>> why == is bad, I won't change it. 
>>>>> >>>>>> By the way in w3af dev list I see fresh discussion about >>>>>> similar problems in Mageia Linux distro >>>>>> http://sourceforge.net/mailarchive/message.php?msg_id=31315478 >>>>> >>>>> >>>>> >>>>> I think that email thread was correctly answered? >>>>> >>>>>> >>>>>>>> 1. Bring back dependency check with >= condition >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Disagree with this, it will bring issues in the future, and it not a >>>>>>> best practice. >>>>>>> >>>>>>>> 2. We should separate core and plugins requirements >>>>>>>> 3. We should make possible to run w3af without installation of all >>>>>>>> plugins >>>>>>>> dependencies. It can be with special argument to w3af_console called >>>>>>>> "-l >>>>>>>> or >>>>>>>> --lazy". This parameter will force w3af not to check plugins >>>>>>>> dependencies >>>>>>>> (or even switch off dependency checker all!). >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> You can disable checks for the dependencies which are used in plugins, >>>>>>> not for the ones in the core or stuff will break in the middle of the >>>>>>> scan. >>>>>> >>>>>> >>>>>> >>>>>> If default behavior will not be changed why you are still against >>>>>> disabling it at all by special parameter? This parameter will be used >>>>>> only >>>>>> by package maintainers who specifies these dependencies in the package >>>>>> and >>>>>> geeks who don't want to install stuff they don't really need. >>>>> >>>>> >>>>> >>>>> Let me see if I understand, cause now I think I've read it >>>>> differently. 
Lets be specific so I don't imagine things: >>>>> * You will add a --lazy flag to w3af_console and w3af_gui >>>>> * You will pass the value of --lazy to the dependency_check [0] >>>>> function >>>>> * If --lazy is False (the default) things will continue as they are >>>>> now >>>>> * If --lazy is True (only if the user specifies that flag) then >>>>> instead of using strict version checking here [1] you will use ">=" >>>>> * If --lazy is True you'll user => here [2] >>>>> * You'll change the console and gtk-UI in such a way that when >>>>> enabling a plugin that requires a dependency that is not installed, it >>>>> will tell the user what it is required >>>>> * You'll make sure that it is possible to run w3af with different >>>>> versions of plugin dependencies >>>>> * You'll check that it is possible to run w3af even when some plugin >>>>> dependencies are not installed >>>>> * This has automated testing so that in the future I'm sure things >>>>> will continue to work as expected >>>>> >>>>> If that's it, I'm +1 on it! >>>>> >>>>> Sorry for not completely understanding your points in the previous >>>>> email. >>>>> >>>>> PS: Still can't believe you'll work on this; I believe it is useless >>>>> for 95% of the user base. Of course, if you believe it will be useful >>>>> for you, and it is well coded / tested and doesn't disturb the >>>>> defaults, I'll merge! 
>>>>> >>>>> [0] >>>>> >>>>> https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py >>>>> [1] >>>>> >>>>> https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68 >>>>> [2] >>>>> >>>>> https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py >>>>> >>>>>> -- >>>>>> Taras >>>>>> https://www.oxdef.info >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Taras >>>> https://www.oxdef.info >>> >>> >>> >>> >> >> -- >> Taras >> https://www.oxdef.info > > > -- Taras https://www.oxdef.info |
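Added example, not part of any message in this thread and not w3af's own code: a sketch of the strict (`==`) versus `--lazy` (`>=`) dependency check debated above, run against the lxml 2.3.2 / 3.2.0 and pybloomfiltermmap 0.3.11 / 0.3.12 cases the thread mentions. The `Requirement` layout, the core/plugin split and the `examplepdf` package are assumptions made for illustration.

```python
from collections import namedtuple

# name: package name; pinned: the version tested upstream; is_core: True when
# the core needs it, False when only an optional plugin does (assumed layout).
Requirement = namedtuple("Requirement", "name pinned is_core")
Finding = namedtuple("Finding", "name reason fix")

# Constructed sample data. Only the lxml and pybloomfiltermmap version numbers
# come from the thread; "examplepdf" is a hypothetical plugin-only dependency.
REQUIREMENTS = [
    Requirement("lxml", "2.3.2", True),
    Requirement("pybloomfiltermmap", "0.3.11", True),
    Requirement("examplepdf", "1.0", False),
]

# Constructed snapshot of installed packages for the Ubuntu 13.10 case.
UBUNTU_1310 = {"lxml": "3.2.0", "pybloomfiltermmap": "0.3.11"}


def parse_version(text):
    """Turn '2.3.2' into (2, 3, 2); trailing zeros are dropped so 1.0 == 1.0.0.

    Raises ValueError for anything that is not dot-separated integers.
    """
    parts = [int(piece) for piece in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def check_dependencies(requirements, installed, lazy=False):
    """Return (blocking, warnings) lists of Finding tuples.

    Strict mode (default): every requirement must be installed at exactly the
    pinned version, otherwise it blocks start-up.
    Lazy mode: a version >= the pin is accepted. A failing core dependency
    still blocks; a failing plugin dependency only produces a warning, so the
    program can start with that plugin unavailable.
    """
    operator = ">=" if lazy else "=="
    blocking, warnings = [], []
    for req in requirements:
        have = installed.get(req.name)
        if have is None:
            reason = "not installed"
        else:
            try:
                found, wanted = parse_version(have), parse_version(req.pinned)
            except ValueError:
                found = wanted = None
            if found is None:
                reason = "cannot compare version %r" % have
            elif (found >= wanted) if lazy else (found == wanted):
                continue  # requirement satisfied
            else:
                reason = "found %s, need %s%s" % (have, operator, req.pinned)
        fix = "pip install '%s%s%s'" % (req.name, operator, req.pinned)
        finding = Finding(req.name, reason, fix)
        if lazy and not req.is_core:
            warnings.append(finding)
        else:
            blocking.append(finding)
    return blocking, warnings


if __name__ == "__main__":
    for lazy in (False, True):
        blocking, warnings = check_dependencies(REQUIREMENTS, UBUNTU_1310, lazy)
        print("lazy=%s" % lazy)
        for finding in blocking:
            print("  BLOCK %s: %s -> %s" % finding)
        for finding in warnings:
            print("  WARN  %s: %s -> %s" % finding)
```

Lazy mode also accepts pybloomfiltermmap 0.3.12, the release the thread reports as failing to compile; a version comparison alone cannot detect that, which is the repeatability argument made for `==`.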
From: Andres R. <and...@gm...> - 2014-03-10 20:21:56
|
I remember you wanted me to migrate to RST a while ago, now that RTD does the hosting and the automated build, it was a no-brainer :) On Mon, Mar 10, 2014 at 5:10 PM, Taras <ox...@ox...> wrote: > Imho, it is a great decision! :) > RST + git + readthedocs is a much better solution than OO + ODT/HTML/PDF > > > 06.03.2014 22:08, Andres Riancho wrote: > >> List, >> >> After some analysis of the tools I was using to build the >> documentation, the poor update frequency, low visibility (nobody reads >> it?), and some other factors I've decided that: >> >> * w3af's documentation will be moved from the current >> ODT/HTML/PDF format to RST [3], which will be built and published at >> readthedocs.org >> >> * Translations will be deprecated. Contributors don't maintain >> them, and I can't (don't speak the language). >> >> If you believe I'm making a fatal move here, and this shouldn't be >> done, please let me know! >> >> Regards, >> >> [0] >> http://django-tastypie.readthedocs.org/en/latest/index.html#quick-start >> [1] http://django-tastypie.readthedocs.org/en/latest/bundles.html >> [2] http://django-tastypie.readthedocs.org/en/latest/index.html >> [3] >> https://raw.github.com/toastdriven/django-tastypie/master/docs/index.rst >> > > -- > Taras > https://www.oxdef.info -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Taras <ox...@ox...> - 2014-03-10 20:10:44
|
Imho, it is a great decision! :) RST + git + readthedocs is a much better solution than OO + ODT/HTML/PDF 06.03.2014 22:08, Andres Riancho wrote: > List, > > After some analysis of the tools I was using to build the > documentation, the poor update frequency, low visibility (nobody reads > it?), and some other factors I've decided that: > > * w3af's documentation will be moved from the current > ODT/HTML/PDF format to RST [3], which will be built and published at > readthedocs.org > > * Translations will be deprecated. Contributors don't maintain > them, and I can't (don't speak the language). > > If you believe I'm making a fatal move here, and this shouldn't be > done, please let me know! > > Regards, > > [0] http://django-tastypie.readthedocs.org/en/latest/index.html#quick-start > [1] http://django-tastypie.readthedocs.org/en/latest/bundles.html > [2] http://django-tastypie.readthedocs.org/en/latest/index.html > [3] https://raw.github.com/toastdriven/django-tastypie/master/docs/index.rst > -- Taras https://www.oxdef.info |
From: Andres R. <and...@gm...> - 2014-03-09 03:15:10
|
List, The documentation is up and running, now at its own domain name http://docs.w3af.org . Also added a small blog post with information about the whole thing: http://w3af.org/w3afs-documentation-now-at-readthedocs-org An important piece of information you might be interested in is the fact that if you send the first pull request with improvements for the documentation, you'll get to decide which w3af feature from the issue tracker [0] gets coded first! [0] https://github.com/andresriancho/w3af/issues?milestone=&page=1&state=open Regards, On Fri, Mar 7, 2014 at 7:05 PM, Andres Riancho <and...@gm...> wrote: > Since nobody complained, here is the first draft of the docs @ readthedocs: > https://w3af.readthedocs.org/en/feature-module/index.html > > And the source code at our repository: > https://github.com/andresriancho/w3af/tree/feature/module/doc/sphinx > > Will continue working on this tomorrow, hopefully finishing during the > morning. Please report any bugs, typos, missing sections, etc. Thanks! > > Regards, > > On Thu, Mar 6, 2014 at 3:08 PM, Andres Riancho <and...@gm...> wrote: >> List, >> >> After some analysis of the tools I was using to build the >> documentation, the poor update frequency, low visibility (nobody reads >> it?), and some other factors I've decided that: >> >> * w3af's documentation will be moved from the current >> ODT/HTML/PDF format to RST [3], which will be built and published at >> readthedocs.org >> >> * Translations will be deprecated. Contributors don't maintain >> them, and I can't (don't speak the language). >> >> If you believe I'm making a fatal move here, and this shouldn't be >> done, please let me know! 
>> >> Regards, >> >> [0] http://django-tastypie.readthedocs.org/en/latest/index.html#quick-start >> [1] http://django-tastypie.readthedocs.org/en/latest/bundles.html >> [2] http://django-tastypie.readthedocs.org/en/latest/index.html >> [3] https://raw.github.com/toastdriven/django-tastypie/master/docs/index.rst >> -- >> Andrés Riancho >> Project Leader at w3af - http://w3af.org/ >> Web Application Attack and Audit Framework >> Twitter: @w3af >> GPG: 0x93C344F3 > > > > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Andres R. <and...@gm...> - 2014-03-07 22:05:46
|
Since nobody complained, here is the first draft of the docs @ readthedocs: https://w3af.readthedocs.org/en/feature-module/index.html And the source code at our repository: https://github.com/andresriancho/w3af/tree/feature/module/doc/sphinx Will continue working on this tomorrow, hopefully finishing during the morning. Please report any bugs, typos, missing sections, etc. Thanks! Regards, On Thu, Mar 6, 2014 at 3:08 PM, Andres Riancho <and...@gm...> wrote: > List, > > After some analysis of the tools I was using to build the > documentation, the poor update frequency, low visibility (nobody reads > it?), and some other factors I've decided that: > > * w3af's documentation will be moved from the current > ODT/HTML/PDF format to RST [3], which will be built and published at > readthedocs.org > > * Translations will be deprecated. Contributors don't maintain > them, and I can't (don't speak the language). > > If you believe I'm making a fatal move here, and this shouldn't be > done, please let me know! > > Regards, > > [0] http://django-tastypie.readthedocs.org/en/latest/index.html#quick-start > [1] http://django-tastypie.readthedocs.org/en/latest/bundles.html > [2] http://django-tastypie.readthedocs.org/en/latest/index.html > [3] https://raw.github.com/toastdriven/django-tastypie/master/docs/index.rst > -- > Andrés Riancho > Project Leader at w3af - http://w3af.org/ > Web Application Attack and Audit Framework > Twitter: @w3af > GPG: 0x93C344F3 -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 |
From: Andres R. <and...@gm...> - 2014-03-07 15:15:35
|
Don't want to re-open this, but just a FYI:

https://github.com/axiak/pybloomfiltermmap/issues/29

In other words, 0.3.11 of pybloomfiltermmap installation works flawlessly, while 0.3.12 fails with gcc compilation errors :( If we would have had >= this would have been an issue for us too.

On Tue, Feb 18, 2014 at 2:15 PM, Taras <ox...@ox...> wrote:
> Andres,
>
> Ok, I've got your opinion. Let's close this discussion.
>
> 17.02.2014 00:04, Andres Riancho wrote:
>
>> Taras,
>>
>> On Sun, Feb 16, 2014 at 4:28 PM, Taras <ox...@ox...> wrote:
>>>
>>> Andres,
>>>
>>> I think it is my last attempt to change your opinion :)
>>>
>>> From the list of software you have provided I have found only flask,
>>> scrapy and tastypie in Ubuntu repo. Results of "apt-cache show" output
>>> are below inline.
>>> The problem is w3af built-in dependency checker duplicates
>>> OS (e.g. Debian/Ubuntu) packaging system. They can conflict in
>>> some cases.
>>>
>>> For example, I want to make package of w3af for Ubuntu 13.10.
>>> There is package python-xml version 3.2.0 in repository. At the same time
>>> w3af requires lxml version exactly 2.3.2. How can I make package of w3af?
>>> Should I add "sudo pip install" into preinstall script?
>>
>> Most likely not, that doesn't sound well. I don't know the right
>> answer because I'm not packaging expert.
>>
>> The package maintainer can always apply a patch on top of the original
>> software to remove the dependency check completely (I think Luciano
>> did something like this [0]) if he believes it is the best thing to
>> do. Then he's taking the responsibility of that change. My
>> responsibility is to tell you that with these specific package
>> versions it works; then people do whatever they want with it.
>>
>> [0] http://packages.ubuntu.com/precise/w3af-console - search for
>> "diff"
>>
>>> Have you got any feedback from w3af package maintainers for Debian/Ubuntu
>>> and other distributions after you had added strict dependencies?
>>
>> There are no active package maintainers for w3af. They even don't
>> care, or don't want to maintain this software; so no, no package
>> maintainer told me anything about the "==". As I said above, they can
>> apply a diff to the software before packaging it, as done by Luciano a
>> while ago (not only for the dependency).
>>
>>> Is it important for you that w3af can be installed via simple command
>>> "apt-get install w3af" or through Ubuntu Software Center with single
>>> mouse click?
>>
>> Yes, and not.
>>
>> Some users would find it awesome to be able to install it from the
>> repo; but this has proven to be (at least for w3af) a failed path. I'm
>> not going to maintain a package for each distribution, because I don't
>> care enough as a user myself.
>>
>> Packagers who have come to the project have either failed to release
>> their initial package or released it and then moved their free time to
>> something else. In this process, they left very old versions of w3af
>> in the repositories of all linux distributions; which don't even make
>> sense for users.
>>
>> If users can install w3af with:
>>
>> git clone ...
>> cd w3af
>> ./w3af_console # Yields error with all dependencies to install
>> /tmp/install_w3af_dependencies.sh
>>
>> Then I'm happy.
>>
>>> If it is important for you then I recommend to add maintainers into this
>>> discussion and ask if it is easy for them to make package of w3af with
>>> such requirements.
>>
>> My opinion is that they don't care about the w3af package.
>>
>>> If it is not so important and "git clone + pip install" is preferable way
>>> of installation then thread can be closed.
>>
>> In the past I've thought that having w3af in the linux distribution
>> repos was THE BEST THING, now... not so much, because:
>> * Software packages are difficult to maintain
>> * Each time a new dependency is added the maintainer needs to create
>> a new package for that (python-foo) and then maintain that one also
>> * The whole process takes time, so from the minute I put something in
>> the repo to the time the new package is there it can be months; and
>> "hackers" love to use the latest and they will come to the repo
>> anyways
>>
>>>
>>>>>> Not 100% a workaround, this is also a best practice!
>>>>>>
>>>>>> https://devcenter.heroku.com/articles/python-pip#the-basics
>>>>>
>>>>> Could you please show at least one example of well-known software with
>>>>> such requirements?
>>>>
>>>> I went through this list of the Top10 Python projects by github (not
>>>> sure how they choose that) and found many that either had no
>>>> dependencies or were not in a format in which we could compare them
>>>> with what we were talking about. Then found the following:
>>>>
>>>> * Strict dependencies used for this part of the project:
>>>> https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt
>>>> * Gt used for the user installable part:
>>>> https://github.com/torchbox/wagtail/blob/master/setup.py
>>>>
>>>> * These guys install whatever is available on pypi:
>>>> https://github.com/jmcarp/robobrowser/blob/master/requirements.txt
>>>>
>>>> * Flask installs Gt:
>>>> https://github.com/mitsuhiko/flask/blob/master/setup.py
>>>
>>> Depends: python-itsdangerous, python (>= 2.7), python-jinja2 (>= 2.4),
>>> python (<< 2.8), python-werkzeug (>= 0.8)
>>> Recommends: python-pkg-resources, python-blinker
>>>
>>>> * A mix between Gt and "whatever" is used here:
>>>> https://github.com/Eugeny/ajenti/blob/dev/requirements.txt
>>>>
>>>> * Scrapy uses a mix of GT and "whatever":
>>>> https://github.com/scrapy/scrapy/blob/master/requirements.txt
>>>
>>> Depends: python2.7, python (>= 2.7.1-0ubuntu2), python (<< 2.8),
>>> python-twisted-core, python-twisted-web, python-twisted-conch,
>>> python-twisted-mail, python-libxml2, python-boto, python-w3lib
>>> Recommends: python-lxml, python-guppy, python-django, ipython,
>>> python-pygments, python-imaging, python-mysqldb
>>>
>>>> * Django-tastypie uses the most complex of them all, which is rather
>>>> interesting and makes me wonder why they didn't use "==" instead:
>>>> https://github.com/toastdriven/django-tastypie/blob/master/setup.py .
>>>> This is what I mean: 'dateutil(>=1.5, !=2.0)'
>>>>
>>> Replaces: python-django-tastypie (<= 0.9.9-2)
>>> Depends: python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-mimeparse
>>> (>= 0.1.3), python-dateutil (>= 1.5), python-django (>= 1.2)
>>> Suggests: python-yaml, python-lxml
>>>
>>
>> I get your point, >= seems to be the preferred way of doing it in the
>> debian repos. If a packager wants, he can do that with w3af and apply
>> a patch to disable dependency check for w3af in the packaging process.
>> That way he's happy, we don't need to code anything and are also
>> happy.
>>
>>>> The first one is an example of "==", the rest were just to show that
>>>> now everyone agrees with me on what should be put on the
>>>> requirements.txt file (or the setup.py, which acts like the same many
>>>> times).
>>>>
>>>> Here are some other links where it says that "==" is a best practice:
>>>> * https://lincolnloop.com/django-best-practices/deployment/bootstrap.html
>>>> (Ctrl+f "Pin your dependencies")
>>>> * http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements
>>>> (Ctrl+f "When you specify your requirements")
>>>>
>>>> And most importantly, the pip-installer user's guide:
>>>> * http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability
>>>>
>>>> "The requirements file was generated by pip freeze or you're sure it
>>>> only contains requirements that specify a specific version."
>>>>
>>>> When we're talking about including a specific version in
>>>> requirements.txt file or not, we're talking about repeatability. I
>>>> want to be strict about repeatability, forcing all libraries to be
>>>> exactly the ones I know will work because I've tested them in the CI;
>>>> and your point is that it would be easier for users to install with
>>>> less strict version requirements (which could lead to issues in some
>>>> cases).
>>>>
>>>> Sadly, you believe in one thing and I can't seem to convince you of
>>>> the benefits of ==, and the same applies the other way (I can't be
>>>> convinced of the benefits of >=). Unless I hear a definitive reason on
>>>> why == is bad, I won't change it.
>>>>
>>>>> By the way in w3af dev list I see fresh discussion about
>>>>> similar problems in Mageia Linux distro
>>>>> http://sourceforge.net/mailarchive/message.php?msg_id=31315478
>>>>
>>>> I think that email thread was correctly answered?
>>>>
>>>>>
>>>>>>> 1. Bring back dependency check with >= condition
>>>>>>
>>>>>> Disagree with this, it will bring issues in the future, and it's not a
>>>>>> best practice.
>>>>>>
>>>>>>> 2. We should separate core and plugins requirements
>>>>>>> 3. We should make possible to run w3af without installation of all
>>>>>>> plugins dependencies. It can be with special argument to w3af_console
>>>>>>> called "-l or --lazy". This parameter will force w3af not to check
>>>>>>> plugins dependencies (or even switch off dependency checker all!).
>>>>>>
>>>>>> You can disable checks for the dependencies which are used in plugins,
>>>>>> not for the ones in the core or stuff will break in the middle of the
>>>>>> scan.
>>>>>
>>>>> If default behavior will not be changed why you are still against
>>>>> disabling it at all by special parameter? This parameter will be used
>>>>> only by package maintainers who specifies these dependencies in the
>>>>> package and geeks who don't want to install stuff they don't really need.
>>>>
>>>> Let me see if I understand, cause now I think I've read it
>>>> differently. Let's be specific so I don't imagine things:
>>>> * You will add a --lazy flag to w3af_console and w3af_gui
>>>> * You will pass the value of --lazy to the dependency_check [0]
>>>> function
>>>> * If --lazy is False (the default) things will continue as they are
>>>> now
>>>> * If --lazy is True (only if the user specifies that flag) then
>>>> instead of using strict version checking here [1] you will use ">="
>>>> * If --lazy is True you'll use => here [2]
>>>> * You'll change the console and gtk-UI in such a way that when
>>>> enabling a plugin that requires a dependency that is not installed, it
>>>> will tell the user what it is required
>>>> * You'll make sure that it is possible to run w3af with different
>>>> versions of plugin dependencies
>>>> * You'll check that it is possible to run w3af even when some plugin
>>>> dependencies are not installed
>>>> * This has automated testing so that in the future I'm sure things
>>>> will continue to work as expected
>>>>
>>>> If that's it, I'm +1 on it!
>>>>
>>>> Sorry for not completely understanding your points in the previous
>>>> email.
>>>>
>>>> PS: Still can't believe you'll work on this; I believe it is useless
>>>> for 95% of the user base. Of course, if you believe it will be useful
>>>> for you, and it is well coded / tested and doesn't disturb the
>>>> defaults, I'll merge!
>>>>
>>>> [0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py
>>>> [1] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68
>>>> [2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py
>>>>
>>>>> --
>>>>> Taras
>>>>> https://www.oxdef.info
>>>>
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>>
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
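The "==" versus ">=" trade-off argued in the message above, as an added example that is not w3af's own dependency_check code: a checker that enforces exact pins by default and relaxes them to minimums under a hypothetical `lazy` switch modelled on the proposed `--lazy` flag. The function names and the installed-version table are constructed; the version numbers are the ones quoted in the thread.

```python
import re

# Pins in the style the thread discusses; versions are the ones quoted
# in the messages, and the dateutil spec is the tastypie example.
PINNED = {
    "lxml": "==2.3.2",
    "pybloomfiltermmap": "==0.3.11",
    "dateutil": ">=1.5, !=2.0",
}
# Constructed environment: what a distro package set might provide.
DISTRO = {"lxml": "3.2.0", "pybloomfiltermmap": "0.3.12", "dateutil": "2.0"}

_CLAUSE = re.compile(r"^(==|>=|!=)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'2.3.2' -> (2, 3, 2). Numeric dotted versions only."""
    return tuple(int(part) for part in text.split("."))


def _pad(a, b):
    """Right-pad with zeros so that 1.5 and 1.5.0 compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def satisfies(installed, spec, lazy=False):
    """True if `installed` meets every comma-separated clause in `spec`.

    lazy=True (hypothetical, modelled on the proposed --lazy flag) reads
    '==' as '>=', so newer, untested releases are accepted.
    """
    have = parse_version(installed)
    for clause in spec.split(","):
        match = _CLAUSE.match(clause.strip())
        if match is None:
            raise ValueError("unsupported clause: %r" % clause)
        op, wanted = match.group(1), parse_version(match.group(2))
        if op == "==" and lazy:
            op = ">="
        left, right = _pad(have, wanted)
        ok = {"==": left == right, ">=": left >= right, "!=": left != right}
        if not ok[op]:
            return False
    return True


def check(installed, pinned=PINNED, lazy=False):
    """Return the (name, installed_version, spec) tuples that fail."""
    failures = []
    for name in sorted(pinned):
        version = installed.get(name)  # None means "not installed"
        if version is None or not satisfies(version, pinned[name], lazy):
            failures.append((name, version, pinned[name]))
    return failures


if __name__ == "__main__":
    for lazy in (False, True):
        print("lazy=%s:" % lazy, check(DISTRO, lazy=lazy))
```

With `lazy=True` the constructed environment passes with pybloomfiltermmap 0.3.12, the release the message reports as failing to compile: a relaxed check cannot tell a working newer release from a broken one.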
From: Andres R. <and...@gm...> - 2014-03-06 18:09:09
|
List,

After some analysis of the tools I was using to build the documentation, the poor update frequency, low visibility (nobody reads it?), and some other factors I've decided that:

* w3af's documentation will be moved from the current ODT/HTML/PDF format to RST [3], which will be built and published at readthedocs.org

* Translations will be deprecated. Contributors don't maintain them, and I can't (don't speak the language).

If you believe I'm making a fatal move here, and this shouldn't be done, please let me know!

Regards,

[0] http://django-tastypie.readthedocs.org/en/latest/index.html#quick-start
[1] http://django-tastypie.readthedocs.org/en/latest/bundles.html
[2] http://django-tastypie.readthedocs.org/en/latest/index.html
[3] https://raw.github.com/toastdriven/django-tastypie/master/docs/index.rst
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Andres R. <and...@gm...> - 2014-03-06 17:12:45
|
Another idea I've been playing with during the last days is to split w3af into two different processes:

* Main: plugins run here
* HTTPClient and response parser

Potentially use multiprocessing to connect both using a multiprocessing.Queue.

The reasons to split w3af's architecture in two are:

* The plugins have a moderate CPU usage, the parsers (html, pdf, etc.) use most of the CPU. Most workstations have more than one core, and we're only using one. Our HTTP request/response throughput is today limited by the CPU (parsing). If we move parsing to a different process we'll benefit from other core(s). To start with I believe the best is to have only one process doing HTTP+parsing; but the code should be written in such a way that we can have multiple processes for that.

* We use threads to send/receive HTTP requests/responses, which is not the best way to do it. They consume resources (memory) and are not as fast as other options. Threads and gevent (to name one) don't play well together, so it would bring many issues to have gevent and threads in the same process. That's why I'll split in two processes and use threads for plugins and gevent for sending http requests.

NOT going to be working on this during the following months, but wanted to hear your input and experiences with architectures like the one proposed.

Regards,

On Tue, Jun 5, 2012 at 10:03 AM, Andres Riancho <and...@gm...> wrote:
> Taras,
>
> On Mon, Jun 4, 2012 at 5:00 PM, Taras <ox...@ox...> wrote:
>> Andres,
>> geventhttpclient looks very fast HTTP client!
>> Did you also try Twisted? Can you make simple comparison in req/s for:
>>
>> 1. currently used in w3af solution (urllib+threads)
>> 2. geventhttpclient
>> 3. Twisted
>
> I tried Twisted, not good compared with what geventhttpclient has to offer.
>
>>
>>> During the last hours I've been trying to find a faster HTTP
>>> client to integrate into w3af, and also performed some experiments
>>> [0]. After testing some implementations, clients, programming
>>> methodologies, etc. It seems that I've found the winner:
>>> geventhttpclient [1].
>>>
>>> With my tests with different methods I was only able to achieve
>>> ~650 req/s, but according to geventhttpclient's home page it can
>>> achieve ~4000 req/s (when tested in my environment it was around ~3500
>>> req/s). This is VERY impressive.
>>>
>>> There are some bad things about this library, like the C code used
>>> for parsing the HTTP response which could bring some issues to Windows
>>> users; and its dependency on gevent which adds one more dependency to
>>> w3af; but with such a huge perf enhancement... I don't care ;)
>>
>> geventhttpclient hasn't package even in Debian/Ubuntu :(
>
> Yep, it's a very new library, only released a couple of months ago,
>
>> Only gevent bindings for Python:
>>
>> $ aptitude search gevent
>> p python-gevent
>
> With that + geventhttpclient's code (which can be used without the
> HTTP response parser and thus making it a pure-python library) we
> should be ok. I'll finish the error handling stuff and then I'm
> starting with some experiments with this library to see what we can
> get.
>
>>
>>>
>>> Has someone researched on the topic of fast HTTP clients? Opinions?
>>> Ideas?
>>>
>>> [0] http://sourceforge.net/apps/trac/w3af/browser/extras/measure_http?rev=5041
>>> [1] https://github.com/gwik/geventhttpclient
>>>
>>> Regards,
>>
>> --
>> Taras
>> http://oxdef.info
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
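The two-process split proposed in the message above, as an added example that is not w3af code: the main process hands URLs to a second process over a `multiprocessing.Queue`, and that process fetches and parses, returning only the extracted links. The fetch is a constructed stand-in (no gevent, no network), and every function name and URL here is hypothetical.

```python
import multiprocessing as mp
from html.parser import HTMLParser

# "fork" lets the module be imported by other code without re-running it
# in the child; fall back to the platform default where fork is missing.
_CTX = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else None)
_STOP = None  # sentinel telling a worker process to exit

CANNED = {  # constructed responses standing in for the network
    "http://target.example/": '<a href="/login">in</a><img src="/logo.png">',
    "http://target.example/login":
        '<form action="/auth"><a href="/reset">reset</a></form>',
}


def _fetch(url):
    """Stand-in for the HTTP client; a real one does network I/O here."""
    return CANNED.get(url, "")


class _LinkParser(HTMLParser):
    """Collect href/src/action values: the CPU-bound parsing step."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def _http_and_parse_worker(jobs, results):
    """Second process: fetch each URL, parse it, send back (url, links)."""
    while True:
        url = jobs.get()
        if url is _STOP:
            break
        parser = _LinkParser()
        parser.feed(_fetch(url))
        results.put((url, parser.links))


def fetch_and_parse(urls, workers=1):
    """Called from the main (plugin) process; returns {url: [links]}."""
    jobs, results = _CTX.Queue(), _CTX.Queue()
    procs = [_CTX.Process(target=_http_and_parse_worker, args=(jobs, results))
             for _ in range(workers)]
    for proc in procs:
        proc.start()
    for url in urls:
        jobs.put(url)
    for _ in procs:
        jobs.put(_STOP)  # one sentinel per worker
    # Drain results before join(): a child cannot exit while data it
    # queued is still unread.
    parsed = dict(results.get(timeout=10) for _ in urls)
    for proc in procs:
        proc.join()
    return parsed


if __name__ == "__main__":
    print(fetch_and_parse(list(CANNED), workers=2))
```

Raising `workers` is the "multiple processes for that" case from the message; the main process code does not change.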
From: Andres R. <and...@gm...> - 2014-03-06 13:23:49
|
List,

One of my enhancements for future versions of w3af is to start using a real ORM inside w3af [0] and while I'm thinking about it I would like your inputs.

For those who don't know exactly where the ORM would be used, here is a summary:

* HTTP requests and responses (at least the meta-data, not the body)
* Lists and sets which are stored in disk instead of memory

If we add a real ORM to w3af we would get these benefits:

* Less code we need to maintain
* Replace our custom ORM with something tens of thousands other developers use. Much more tested and maintained
* Potentially fix issues like [1] which I haven't been able to fix for at least 2 years

And the cons are:

* One more dependency, but hopefully we'll find something that is pure python or very easy to install on all platforms. (Starting to think like you Taras!)

Ideas?

[0] https://github.com/andresriancho/w3af/issues/1274
[1] https://github.com/andresriancho/w3af/issues/1080

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Taras <ox...@ox...> - 2014-03-04 17:49:46
|
Hi, Andres!

Good result! I have no comments :) Parsing of HTML is like magic...

26.02.2014 17:43, Andres Riancho wrote:
> List, Taras,
>
> After finding a bug where the context detection for XSS was
> performing very poorly [0] (more than 3 minutes to run get_context on
> an HTML) I decided to work a little bit on it and improve it.
>
> The performance improvement was amazing ;) The changes are well
> documented here [1][2]
>
> When I started running the test suite for context detection took
> 2.5 seconds, now after the performance improvements it takes 0.098
> seconds! Not bad, huh?
>
> @Taras: Since you wrote that code in the first place you might be
> interested in taking a look at the improvements and correcting any
> mistakes I might have made. Thanks!
>
> [0] https://github.com/andresriancho/w3af/issues/1171
> [1] https://github.com/andresriancho/w3af/commits/feature/module/w3af/core/data/context/context.py
> [2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/data/context/context.py
>
> Regards,
>

--
Taras
https://www.oxdef.info
|