w3af-develop Mailing List for w3af (Page 8)
Status: Beta
Brought to you by:
andresriancho
From: Andres R. <and...@gm...> - 2014-02-26 13:43:57
List, Taras,

After finding a bug where the context detection for XSS was performing very poorly [0] (more than 3 minutes to run get_context on an HTML) I decided to work a little bit on it and improve it. The performance improvement was amazing ;) The changes are well documented here [1][2]

When I started, running the test suite for context detection took 2.5 seconds; now, after the performance improvements, it takes 0.098 seconds! Not bad, huh?

@Taras: Since you wrote that code in the first place you might be interested in taking a look at the improvements and correcting any mistakes I might have made.

Thanks!

[0] https://github.com/andresriancho/w3af/issues/1171
[1] https://github.com/andresriancho/w3af/commits/feature/module/w3af/core/data/context/context.py
[2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/data/context/context.py

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Taras <ox...@ox...> - 2014-02-18 17:16:03
Andres,

Ok, I've got your opinion. Let's close this discussion.

On 17.02.2014 00:04, Andres Riancho wrote:
> Taras,
>
> On Sun, Feb 16, 2014 at 4:28 PM, Taras <ox...@ox...> wrote:
>> Andres,
>>
>> I think it is my last attempt to change your opinion :)
>>
>> From the list of software you have provided I have found only flask, scrapy and tastypie in the Ubuntu repo. Results of "apt-cache show" output are below inline.
>> The problem is the w3af built-in dependency checker duplicates the OS (e.g. Debian/Ubuntu) packaging system. They can conflict in some cases.
>>
>> For example, I want to make a package of w3af for Ubuntu 13.10. There is a package python-xml version 3.2.0 in the repository. At the same time w3af requires lxml version exactly 2.3.2. How can I make a package of w3af? Should I add "sudo pip install" into the preinstall script?
>
> Most likely not, that doesn't sound good. I don't know the right answer because I'm not a packaging expert.
>
> The package maintainer can always apply a patch on top of the original software to remove the dependency check completely (I think Luciano did something like this [0]) if he believes it is the best thing to do. Then he's taking the responsibility of that change. My responsibility is to tell you that with these specific package versions it works; then people do whatever they want with it.
>
> [0] http://packages.ubuntu.com/precise/w3af-console - search for "diff"
>
>> Have you got any feedback from w3af package maintainers for Debian/Ubuntu and other distributions after you had added strict dependencies?
>
> There are no active package maintainers for w3af. They don't even care, or don't want to maintain this software; so no, no package maintainer told me anything about the "==". As I said above, they can apply a diff to the software before packaging it, as done by Luciano a while ago (not only for the dependency).
>
>> Is it important for you that w3af can be installed via the simple command "apt-get install w3af" or through Ubuntu Software Center with a single mouse click?
>
> Yes and no.
>
> Some users would find it awesome to be able to install it from the repo; but this has proven to be (at least for w3af) a failed path. I'm not going to maintain a package for each distribution, because I don't care enough as a user myself.
>
> Packagers who have come to the project have either failed to release their initial package or released it and then moved their free time to something else. In this process, they left very old versions of w3af in the repositories of all linux distributions; which don't even make sense for users.
>
> If users can install w3af with:
>
> git clone ...
> cd w3af
> ./w3af_console # Yields error with all dependencies to install
> /tmp/install_w3af_dependencies.sh
>
> Then I'm happy.
>
>> If it is important for you then I recommend to add maintainers into this discussion and ask if it is easy for them to make a package of w3af with such requirements.
>
> My opinion is that they don't care about the w3af package.
>
>> If it is not so important and "git clone + pip install" is the preferable way of installation then the thread can be closed.
>
> In the past I've thought that having w3af in the linux distribution repos was THE BEST THING, now... not so much, because:
> * Software packages are difficult to maintain
> * Each time a new dependency is added the maintainer needs to create a new package for that (python-foo) and then maintain that one also
> * The whole process takes time, so from the minute I put something in the repo to the time the new package is there it can be months; and "hackers" love to use the latest and they will come to the repo anyways
>
>>>>> Not 100% a workaround, this is also a best practice!
>>>>>
>>>>> https://devcenter.heroku.com/articles/python-pip#the-basics
>>>>
>>>> Could you please show at least one example of well-known software with such requirements?
>>>
>>> I went through this list of the Top10 Python projects by github (not sure how they choose that) and found many that either had no dependencies or were not in a format in which we could compare them with what we were talking about. Then found the following:
>>>
>>> * Strict dependencies used for this part of the project: https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt
>>> * Gt used for the user installable part: https://github.com/torchbox/wagtail/blob/master/setup.py
>>>
>>> * These guys install whatever is available on pypi: https://github.com/jmcarp/robobrowser/blob/master/requirements.txt
>>>
>>> * Flask installs Gt: https://github.com/mitsuhiko/flask/blob/master/setup.py
>>
>> Depends: python-itsdangerous, python (>= 2.7), python-jinja2 (>= 2.4), python (<< 2.8), python-werkzeug (>= 0.8)
>> Recommends: python-pkg-resources, python-blinker
>>
>>> * A mix between Gt and "whatever" is used here: https://github.com/Eugeny/ajenti/blob/dev/requirements.txt
>>>
>>> * Scrapy uses a mix of GT and "whatever": https://github.com/scrapy/scrapy/blob/master/requirements.txt
>>
>> Depends: python2.7, python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-twisted-core, python-twisted-web, python-twisted-conch, python-twisted-mail, python-libxml2, python-boto, python-w3lib
>> Recommends: python-lxml, python-guppy, python-django, ipython, python-pygments, python-imaging, python-mysqldb
>>
>>> * Django-tastypie uses the most complex of them all, which is rather interesting and makes me wonder why they didn't use "==" instead: https://github.com/toastdriven/django-tastypie/blob/master/setup.py . This is what I mean: 'dateutil(>=1.5, !=2.0)'
>>
>> Replaces: python-django-tastypie (<= 0.9.9-2)
>> Depends: python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-mimeparse (>= 0.1.3), python-dateutil (>= 1.5), python-django (>= 1.2)
>> Suggests: python-yaml, python-lxml
>
> I get your point, >= seems to be the preferred way of doing it in the debian repos. If a packager wants, he can do that with w3af and apply a patch to disable the dependency check for w3af in the packaging process. That way he's happy, we don't need to code anything and are also happy.
>
>>> The first one is an example of "==", the rest were just to show that now everyone agrees with me on what should be put on the requirements.txt file (or the setup.py, which acts like the same many times).
>>>
>>> Here are some other links where it says that "==" is a best practice:
>>> * https://lincolnloop.com/django-best-practices/deployment/bootstrap.html (Ctrl+f "Pin your dependencies")
>>> * http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements (Ctrl+f "When you specify your requirements")
>>>
>>> And most importantly, the pip-installer user's guide:
>>> * http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability
>>>
>>> "The requirements file was generated by pip freeze or you're sure it only contains requirements that specify a specific version."
>>>
>>> When we're talking about including a specific version in the requirements.txt file or not, we're talking about repeatability. I want to be strict about repeatability, forcing all libraries to be exactly the ones I know will work because I've tested them in the CI; and your point is that it would be easier for users to install with less strict version requirements (which could lead to issues in some cases).
>>>
>>> Sadly, you believe in one thing and I can't seem to convince you of the benefits of ==, and the same applies the other way (I can't be convinced of the benefits of >=). Unless I hear a definitive reason on why == is bad, I won't change it.
>>>
>>>> By the way in the w3af dev list I see a fresh discussion about similar problems in the Mageia Linux distro http://sourceforge.net/mailarchive/message.php?msg_id=31315478
>>>
>>> I think that email thread was correctly answered?
>>>
>>>>>> 1. Bring back dependency check with >= condition
>>>>>
>>>>> Disagree with this, it will bring issues in the future, and it is not a best practice.
>>>>>
>>>>>> 2. We should separate core and plugin requirements
>>>>>> 3. We should make it possible to run w3af without installation of all plugin dependencies. It can be done with a special argument to w3af_console called "-l or --lazy". This parameter will force w3af not to check plugin dependencies (or even switch off the dependency checker at all!).
>>>>>
>>>>> You can disable checks for the dependencies which are used in plugins, not for the ones in the core or stuff will break in the middle of the scan.
>>>>
>>>> If default behavior will not be changed why are you still against disabling it at all by a special parameter? This parameter will be used only by package maintainers who specify these dependencies in the package and geeks who don't want to install stuff they don't really need.
>>>
>>> Let me see if I understand, 'cause now I think I've read it differently. Let's be specific so I don't imagine things:
>>> * You will add a --lazy flag to w3af_console and w3af_gui
>>> * You will pass the value of --lazy to the dependency_check [0] function
>>> * If --lazy is False (the default) things will continue as they are now
>>> * If --lazy is True (only if the user specifies that flag) then instead of using strict version checking here [1] you will use ">="
>>> * If --lazy is True you'll use >= here [2]
>>> * You'll change the console and gtk-UI in such a way that when enabling a plugin that requires a dependency that is not installed, it will tell the user what is required
>>> * You'll make sure that it is possible to run w3af with different versions of plugin dependencies
>>> * You'll check that it is possible to run w3af even when some plugin dependencies are not installed
>>> * This has automated testing so that in the future I'm sure things will continue to work as expected
>>>
>>> If that's it, I'm +1 on it!
>>>
>>> Sorry for not completely understanding your points in the previous email.
>>>
>>> PS: Still can't believe you'll work on this; I believe it is useless for 95% of the user base. Of course, if you believe it will be useful for you, and it is well coded / tested and doesn't disturb the defaults, I'll merge!
>>>
>>> [0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py
>>> [1] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68
>>> [2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py
>>>
>>>> --
>>>> Taras
>>>> https://www.oxdef.info
>>
>> --
>> Taras
>> https://www.oxdef.info

--
Taras
https://www.oxdef.info
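The --lazy behaviour Andres spells out in the quoted list above (strict "==" by default, ">=" under --lazy, plugin dependencies allowed to be missing but core ones not) is small enough to model end to end. The following is an added example written for this thread; it is not w3af's own dependency_check module, and it also serves as the worked version of the "==" versus ">=" repeatability argument that runs through the older messages further down this page. Everything except the lxml 2.3.2 pin and the 3.2.0 distro version mentioned by Taras is constructed: the Requirement and Problem classes, the other package names and versions, and the reading that --lazy relaxes the comparison to ">=" for every dependency while only plugin dependencies may be absent.

```python
"""Strict ("==") versus lazy (">=") dependency checking, side by side.

Added example for this thread; NOT w3af's dependency_check code. Package
names other than lxml, and all versions except the lxml 2.3.2 pin and the
3.2.0 distro version quoted in the thread, are constructed.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Requirement(NamedTuple):
    name: str
    version: str  # the version pinned in requirements.txt
    core: bool    # True: needed by the core; False: needed by some plugin only


# Constructed requirement set for the example.
REQUIREMENTS = [
    Requirement("lxml", "2.3.2", core=True),
    Requirement("pyopenssl", "0.13", core=True),        # hypothetical pin
    Requirement("guess-language", "0.2", core=False),   # hypothetical plugin dep
    Requirement("python-ntlm", "1.0.1", core=False),    # hypothetical plugin dep
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1).

    Comparing tuples of ints avoids the lexical trap where the string
    '2.10.0' sorts *below* '2.3.2', which would make a ">=" check reject a
    perfectly good newer release. Trailing zeros are dropped so that
    '2.3' and '2.3.0' compare equal.
    """
    parts: List[int] = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


class Problem(NamedTuple):
    name: str
    installed: Optional[str]  # None when the package is absent
    wanted: str
    fatal: bool  # True: refuse to start; False: only disable affected plugins


def check_dependencies(installed: Dict[str, str], lazy: bool = False) -> List[Problem]:
    """Compare an installed-package map against REQUIREMENTS.

    Strict mode (the default): every dependency must be present at exactly
    the pinned version and any deviation is fatal; this is the repeatable
    "what CI tested is what you run" setup argued for in the thread.

    Lazy mode (--lazy): a version is accepted if it is >= the pin, and a
    missing or too-old *plugin* dependency only disables that plugin.
    Core dependencies stay mandatory, otherwise the core would fail in
    the middle of a scan.
    """
    problems: List[Problem] = []
    for req in REQUIREMENTS:
        have = installed.get(req.name)
        if have is None:
            satisfied = False
        elif lazy:
            satisfied = parse_version(have) >= parse_version(req.version)
        else:
            satisfied = parse_version(have) == parse_version(req.version)
        if not satisfied:
            fatal = req.core or not lazy
            problems.append(Problem(req.name, have, req.version, fatal))
    return problems


def can_start(problems: List[Problem]) -> bool:
    """w3af may start only if no fatal problem remains."""
    return not any(p.fatal for p in problems)


def report(problems: List[Problem]) -> str:
    """Human-readable summary, the kind of message the console or GUI would show."""
    lines = []
    for p in problems:
        have = p.installed or "not installed"
        action = "cannot start" if p.fatal else "plugins using it will be disabled"
        lines.append(f"{p.name}: have {have}, need {p.wanted} -> {action}")
    return "\n".join(lines)


# Constructed environment modelled on the packager's situation in the thread:
# the distro ships lxml 3.2.0 instead of the 2.3.2 pin, and one plugin
# dependency is not packaged at all.
DISTRO_ENV = {"lxml": "3.2.0", "pyopenssl": "0.13", "guess-language": "0.2"}


if __name__ == "__main__":
    for lazy in (False, True):
        probs = check_dependencies(DISTRO_ENV, lazy=lazy)
        print(f"--lazy={lazy}: can start = {can_start(probs)}")
        print(report(probs) or "all dependencies satisfied")
```

Run as a script it prints both verdicts for the same environment: strict mode refuses to start on the newer lxml and the missing plugin package, lazy mode starts and only flags the plugin package. The parse_version helper is the part worth keeping even if the rest is discarded: a ">=" check done on raw version strings is the classic way a "lazy" mode silently rejects (or accepts) the wrong release.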
From: Andres R. <and...@gm...> - 2014-02-16 20:05:26
Taras,

On Sun, Feb 16, 2014 at 4:28 PM, Taras <ox...@ox...> wrote:
> Andres,
>
> I think it is my last attempt to change your opinion :)
>
> From the list of software you have provided I have found only flask, scrapy and tastypie in the Ubuntu repo. Results of "apt-cache show" output are below inline.
> The problem is the w3af built-in dependency checker duplicates the OS (e.g. Debian/Ubuntu) packaging system. They can conflict in some cases.
>
> For example, I want to make a package of w3af for Ubuntu 13.10. There is a package python-xml version 3.2.0 in the repository. At the same time w3af requires lxml version exactly 2.3.2. How can I make a package of w3af? Should I add "sudo pip install" into the preinstall script?

Most likely not, that doesn't sound good. I don't know the right answer because I'm not a packaging expert.

The package maintainer can always apply a patch on top of the original software to remove the dependency check completely (I think Luciano did something like this [0]) if he believes it is the best thing to do. Then he's taking the responsibility of that change. My responsibility is to tell you that with these specific package versions it works; then people do whatever they want with it.

[0] http://packages.ubuntu.com/precise/w3af-console - search for "diff"

> Have you got any feedback from w3af package maintainers for Debian/Ubuntu and other distributions after you had added strict dependencies?

There are no active package maintainers for w3af. They don't even care, or don't want to maintain this software; so no, no package maintainer told me anything about the "==". As I said above, they can apply a diff to the software before packaging it, as done by Luciano a while ago (not only for the dependency).

> Is it important for you that w3af can be installed via the simple command "apt-get install w3af" or through Ubuntu Software Center with a single mouse click?

Yes and no.

Some users would find it awesome to be able to install it from the repo; but this has proven to be (at least for w3af) a failed path. I'm not going to maintain a package for each distribution, because I don't care enough as a user myself.

Packagers who have come to the project have either failed to release their initial package or released it and then moved their free time to something else. In this process, they left very old versions of w3af in the repositories of all linux distributions; which don't even make sense for users.

If users can install w3af with:

git clone ...
cd w3af
./w3af_console # Yields error with all dependencies to install
/tmp/install_w3af_dependencies.sh

Then I'm happy.

> If it is important for you then I recommend to add maintainers into this discussion and ask if it is easy for them to make a package of w3af with such requirements.

My opinion is that they don't care about the w3af package.

> If it is not so important and "git clone + pip install" is the preferable way of installation then the thread can be closed.

In the past I've thought that having w3af in the linux distribution repos was THE BEST THING, now... not so much, because:
* Software packages are difficult to maintain
* Each time a new dependency is added the maintainer needs to create a new package for that (python-foo) and then maintain that one also
* The whole process takes time, so from the minute I put something in the repo to the time the new package is there it can be months; and "hackers" love to use the latest and they will come to the repo anyways

>>>> Not 100% a workaround, this is also a best practice!
>>>>
>>>> https://devcenter.heroku.com/articles/python-pip#the-basics
>>>
>>> Could you please show at least one example of well-known software with such requirements?
>>
>> I went through this list of the Top10 Python projects by github (not sure how they choose that) and found many that either had no dependencies or were not in a format in which we could compare them with what we were talking about. Then found the following:
>>
>> * Strict dependencies used for this part of the project: https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt
>> * Gt used for the user installable part: https://github.com/torchbox/wagtail/blob/master/setup.py
>>
>> * These guys install whatever is available on pypi: https://github.com/jmcarp/robobrowser/blob/master/requirements.txt
>>
>> * Flask installs Gt: https://github.com/mitsuhiko/flask/blob/master/setup.py
>
> Depends: python-itsdangerous, python (>= 2.7), python-jinja2 (>= 2.4), python (<< 2.8), python-werkzeug (>= 0.8)
> Recommends: python-pkg-resources, python-blinker
>
>> * A mix between Gt and "whatever" is used here: https://github.com/Eugeny/ajenti/blob/dev/requirements.txt
>>
>> * Scrapy uses a mix of GT and "whatever": https://github.com/scrapy/scrapy/blob/master/requirements.txt
>
> Depends: python2.7, python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-twisted-core, python-twisted-web, python-twisted-conch, python-twisted-mail, python-libxml2, python-boto, python-w3lib
> Recommends: python-lxml, python-guppy, python-django, ipython, python-pygments, python-imaging, python-mysqldb
>
>> * Django-tastypie uses the most complex of them all, which is rather interesting and makes me wonder why they didn't use "==" instead: https://github.com/toastdriven/django-tastypie/blob/master/setup.py . This is what I mean: 'dateutil(>=1.5, !=2.0)'
>
> Replaces: python-django-tastypie (<= 0.9.9-2)
> Depends: python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-mimeparse (>= 0.1.3), python-dateutil (>= 1.5), python-django (>= 1.2)
> Suggests: python-yaml, python-lxml

I get your point, >= seems to be the preferred way of doing it in the debian repos. If a packager wants, he can do that with w3af and apply a patch to disable the dependency check for w3af in the packaging process. That way he's happy, we don't need to code anything and are also happy.

>> The first one is an example of "==", the rest were just to show that now everyone agrees with me on what should be put on the requirements.txt file (or the setup.py, which acts like the same many times).
>>
>> Here are some other links where it says that "==" is a best practice:
>> * https://lincolnloop.com/django-best-practices/deployment/bootstrap.html (Ctrl+f "Pin your dependencies")
>> * http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements (Ctrl+f "When you specify your requirements")
>>
>> And most importantly, the pip-installer user's guide:
>> * http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability
>>
>> "The requirements file was generated by pip freeze or you're sure it only contains requirements that specify a specific version."
>>
>> When we're talking about including a specific version in the requirements.txt file or not, we're talking about repeatability. I want to be strict about repeatability, forcing all libraries to be exactly the ones I know will work because I've tested them in the CI; and your point is that it would be easier for users to install with less strict version requirements (which could lead to issues in some cases).
>>
>> Sadly, you believe in one thing and I can't seem to convince you of the benefits of ==, and the same applies the other way (I can't be convinced of the benefits of >=). Unless I hear a definitive reason on why == is bad, I won't change it.
>>
>>> By the way in the w3af dev list I see a fresh discussion about similar problems in the Mageia Linux distro http://sourceforge.net/mailarchive/message.php?msg_id=31315478
>>
>> I think that email thread was correctly answered?
>>
>>>>> 1. Bring back dependency check with >= condition
>>>>
>>>> Disagree with this, it will bring issues in the future, and it is not a best practice.
>>>>
>>>>> 2. We should separate core and plugin requirements
>>>>> 3. We should make it possible to run w3af without installation of all plugin dependencies. It can be done with a special argument to w3af_console called "-l or --lazy". This parameter will force w3af not to check plugin dependencies (or even switch off the dependency checker at all!).
>>>>
>>>> You can disable checks for the dependencies which are used in plugins, not for the ones in the core or stuff will break in the middle of the scan.
>>>
>>> If default behavior will not be changed why are you still against disabling it at all by a special parameter? This parameter will be used only by package maintainers who specify these dependencies in the package and geeks who don't want to install stuff they don't really need.
>>
>> Let me see if I understand, 'cause now I think I've read it differently. Let's be specific so I don't imagine things:
>> * You will add a --lazy flag to w3af_console and w3af_gui
>> * You will pass the value of --lazy to the dependency_check [0] function
>> * If --lazy is False (the default) things will continue as they are now
>> * If --lazy is True (only if the user specifies that flag) then instead of using strict version checking here [1] you will use ">="
>> * If --lazy is True you'll use >= here [2]
>> * You'll change the console and gtk-UI in such a way that when enabling a plugin that requires a dependency that is not installed, it will tell the user what is required
>> * You'll make sure that it is possible to run w3af with different versions of plugin dependencies
>> * You'll check that it is possible to run w3af even when some plugin dependencies are not installed
>> * This has automated testing so that in the future I'm sure things will continue to work as expected
>>
>> If that's it, I'm +1 on it!
>>
>> Sorry for not completely understanding your points in the previous email.
>>
>> PS: Still can't believe you'll work on this; I believe it is useless for 95% of the user base. Of course, if you believe it will be useful for you, and it is well coded / tested and doesn't disturb the defaults, I'll merge!
>>
>> [0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py
>> [1] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68
>> [2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py
>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Taras <ox...@ox...> - 2014-02-16 19:29:08
Andres,

I think it is my last attempt to change your opinion :)

From the list of software you have provided I have found only flask, scrapy and tastypie in the Ubuntu repo. Results of "apt-cache show" output are below inline.
The problem is the w3af built-in dependency checker duplicates the OS (e.g. Debian/Ubuntu) packaging system. They can conflict in some cases.

For example, I want to make a package of w3af for Ubuntu 13.10. There is a package python-xml version 3.2.0 in the repository. At the same time w3af requires lxml version exactly 2.3.2. How can I make a package of w3af? Should I add "sudo pip install" into the preinstall script?

Have you got any feedback from w3af package maintainers for Debian/Ubuntu and other distributions after you had added strict dependencies?

Is it important for you that w3af can be installed via the simple command "apt-get install w3af" or through Ubuntu Software Center with a single mouse click?

If it is important for you then I recommend to add maintainers into this discussion and ask if it is easy for them to make a package of w3af with such requirements.

If it is not so important and "git clone + pip install" is the preferable way of installation then the thread can be closed.

>>> Not 100% a workaround, this is also a best practice!
>>>
>>> https://devcenter.heroku.com/articles/python-pip#the-basics
>>
>> Could you please show at least one example of well-known software with such requirements?
>
> I went through this list of the Top10 Python projects by github (not sure how they choose that) and found many that either had no dependencies or were not in a format in which we could compare them with what we were talking about. Then found the following:
>
> * Strict dependencies used for this part of the project: https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt
> * Gt used for the user installable part: https://github.com/torchbox/wagtail/blob/master/setup.py
>
> * These guys install whatever is available on pypi: https://github.com/jmcarp/robobrowser/blob/master/requirements.txt
>
> * Flask installs Gt: https://github.com/mitsuhiko/flask/blob/master/setup.py

Depends: python-itsdangerous, python (>= 2.7), python-jinja2 (>= 2.4), python (<< 2.8), python-werkzeug (>= 0.8)
Recommends: python-pkg-resources, python-blinker

> * A mix between Gt and "whatever" is used here: https://github.com/Eugeny/ajenti/blob/dev/requirements.txt
>
> * Scrapy uses a mix of GT and "whatever": https://github.com/scrapy/scrapy/blob/master/requirements.txt

Depends: python2.7, python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-twisted-core, python-twisted-web, python-twisted-conch, python-twisted-mail, python-libxml2, python-boto, python-w3lib
Recommends: python-lxml, python-guppy, python-django, ipython, python-pygments, python-imaging, python-mysqldb

> * Django-tastypie uses the most complex of them all, which is rather interesting and makes me wonder why they didn't use "==" instead: https://github.com/toastdriven/django-tastypie/blob/master/setup.py . This is what I mean: 'dateutil(>=1.5, !=2.0)'

Replaces: python-django-tastypie (<= 0.9.9-2)
Depends: python (>= 2.7.1-0ubuntu2), python (<< 2.8), python-mimeparse (>= 0.1.3), python-dateutil (>= 1.5), python-django (>= 1.2)
Suggests: python-yaml, python-lxml

> The first one is an example of "==", the rest were just to show that now everyone agrees with me on what should be put on the requirements.txt file (or the setup.py, which acts like the same many times).
>
> Here are some other links where it says that "==" is a best practice:
> * https://lincolnloop.com/django-best-practices/deployment/bootstrap.html (Ctrl+f "Pin your dependencies")
> * http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements (Ctrl+f "When you specify your requirements")
>
> And most importantly, the pip-installer user's guide:
> * http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability
>
> "The requirements file was generated by pip freeze or you're sure it only contains requirements that specify a specific version."
>
> When we're talking about including a specific version in the requirements.txt file or not, we're talking about repeatability. I want to be strict about repeatability, forcing all libraries to be exactly the ones I know will work because I've tested them in the CI; and your point is that it would be easier for users to install with less strict version requirements (which could lead to issues in some cases).
>
> Sadly, you believe in one thing and I can't seem to convince you of the benefits of ==, and the same applies the other way (I can't be convinced of the benefits of >=). Unless I hear a definitive reason on why == is bad, I won't change it.
>
>> By the way in the w3af dev list I see a fresh discussion about similar problems in the Mageia Linux distro http://sourceforge.net/mailarchive/message.php?msg_id=31315478
>
> I think that email thread was correctly answered?
>
>>>> 1. Bring back dependency check with >= condition
>>>
>>> Disagree with this, it will bring issues in the future, and it is not a best practice.
>>>
>>>> 2. We should separate core and plugin requirements
>>>> 3. We should make it possible to run w3af without installation of all plugin dependencies. It can be done with a special argument to w3af_console called "-l or --lazy". This parameter will force w3af not to check plugin dependencies (or even switch off the dependency checker at all!).
>>>
>>> You can disable checks for the dependencies which are used in plugins, not for the ones in the core or stuff will break in the middle of the scan.
>>
>> If default behavior will not be changed why are you still against disabling it at all by a special parameter? This parameter will be used only by package maintainers who specify these dependencies in the package and geeks who don't want to install stuff they don't really need.
>
> Let me see if I understand, 'cause now I think I've read it differently. Let's be specific so I don't imagine things:
> * You will add a --lazy flag to w3af_console and w3af_gui
> * You will pass the value of --lazy to the dependency_check [0] function
> * If --lazy is False (the default) things will continue as they are now
> * If --lazy is True (only if the user specifies that flag) then instead of using strict version checking here [1] you will use ">="
> * If --lazy is True you'll use >= here [2]
> * You'll change the console and gtk-UI in such a way that when enabling a plugin that requires a dependency that is not installed, it will tell the user what is required
> * You'll make sure that it is possible to run w3af with different versions of plugin dependencies
> * You'll check that it is possible to run w3af even when some plugin dependencies are not installed
> * This has automated testing so that in the future I'm sure things will continue to work as expected
>
> If that's it, I'm +1 on it!
>
> Sorry for not completely understanding your points in the previous email.
>
> PS: Still can't believe you'll work on this; I believe it is useless for 95% of the user base. Of course, if you believe it will be useful for you, and it is well coded / tested and doesn't disturb the defaults, I'll merge!
>
> [0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py
> [1] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68
> [2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py
>
>> --
>> Taras
>> https://www.oxdef.info

--
Taras
https://www.oxdef.info
From: Andres R. <and...@gm...> - 2014-02-16 14:05:44
|
On Sun, Feb 16, 2014 at 8:27 AM, Taras <ox...@ox...> wrote:
> Andres,
>
>> Not 100% a workaround, this is also a best practice!
>>
>> https://devcenter.heroku.com/articles/python-pip#the-basics
>
> Could you please show at least one example of well-known software with such
> requirements?

I went through this list of the Top10 Python projects by github (not sure
how they choose that) and found many that either had no dependencies or were
not in a format in which we could compare them with what we were talking
about. Then found the following:

* Strict dependencies used for this part of the project:
  https://github.com/torchbox/wagtail/blob/master/requirements-dev.txt
* Gt used for the user installable part:
  https://github.com/torchbox/wagtail/blob/master/setup.py
* These guys install whatever is available on pypi:
  https://github.com/jmcarp/robobrowser/blob/master/requirements.txt
* Flask installs Gt: https://github.com/mitsuhiko/flask/blob/master/setup.py
* A mix between Gt and "whatever" is used here:
  https://github.com/Eugeny/ajenti/blob/dev/requirements.txt
* Scrapy uses a mix of GT and "whatever":
  https://github.com/scrapy/scrapy/blob/master/requirements.txt
* Django-tastypie uses the most complex of them all, which is rather
  interesting and makes me wonder why they didn't use "==" instead:
  https://github.com/toastdriven/django-tastypie/blob/master/setup.py .
  This is what I mean: 'dateutil(>=1.5, !=2.0)'

The first one is an example of "==", the rest were just to show that now
everyone agrees with me on what should be put on the requirements.txt file
(or the setup.py, which acts like the same many times).

Here are some other links where it says that "==" is a best practice:
* https://lincolnloop.com/django-best-practices/deployment/bootstrap.html
  (Ctrl+f "Pin your dependencies")
* http://docs.dotcloud.com/tutorials/python/django/#specifying-requirements
  (Ctrl+f "When you specify your requirements")

And most importantly, the pip-installer user's guide:
* http://www.pip-installer.org/en/latest/user_guide.html#ensuring-repeatability
  "The requirements file was generated by pip freeze or you're sure it only
  contains requirements that specify a specific version."

When we're talking about including a specific version in requirements.txt
file or not, we're talking about repeatability. I want to be strict about
repeatability, forcing all libraries to be exactly the ones I know will work
because I've tested them in the CI; and your point is that it would be
easier for users to install with less strict version requirements (which
could lead to issues in some cases).

Sadly, you believe in one thing and I can't seem to convince you of the
benefits of ==, and the same applies the other way (I can't be convinced of
the benefits of >=). Unless I hear a definitive reason on why == is bad, I
won't change it.

> By the way in w3af dev list I see fresh discussion about
> similar problems in Mageia Linux distro
> http://sourceforge.net/mailarchive/message.php?msg_id=31315478

I think that email thread was correctly answered?

>>>> 1. Bring back dependency check with >= condition
>>>
>>> Disagree with this, it will bring issues in the future, and it is not a
>>> best practice.
>>>
>>>> 2. We should separate core and plugins requirements
>>>> 3. We should make possible to run w3af without installation of all
>>>> plugins dependencies. It can be with special argument to w3af_console
>>>> called "-l or --lazy". This parameter will force w3af not to check
>>>> plugins dependencies (or even switch off dependency checker all!).
>>>
>>> You can disable checks for the dependencies which are used in plugins,
>>> not for the ones in the core or stuff will break in the middle of the
>>> scan.
>>
>> If default behavior will not be changed why you are still against
>> disabling it at all by special parameter? This parameter will be used only
>> by package maintainers who specify these dependencies in the package and
>> geeks who don't want to install stuff they don't really need.

Let me see if I understand, cause now I think I've read it
differently. Let's be specific so I don't imagine things:
* You will add a --lazy flag to w3af_console and w3af_gui
* You will pass the value of --lazy to the dependency_check [0] function
* If --lazy is False (the default) things will continue as they are now
* If --lazy is True (only if the user specifies that flag) then
  instead of using strict version checking here [1] you will use ">="
* If --lazy is True you'll use ">=" here [2]
* You'll change the console and gtk-UI in such a way that when
  enabling a plugin that requires a dependency that is not installed, it
  will tell the user what is required
* You'll make sure that it is possible to run w3af with different
  versions of plugin dependencies
* You'll check that it is possible to run w3af even when some plugin
  dependencies are not installed
* This has automated testing so that in the future I'm sure things
  will continue to work as expected

If that's it, I'm +1 on it!

Sorry for not completely understanding your points in the previous email.

PS: Still can't believe you'll work on this; I believe it is useless
for 95% of the user base. Of course, if you believe it will be useful
for you, and it is well coded / tested and doesn't disturb the
defaults, I'll merge!

[0] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py
[1] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/dependency_check.py#L68
[2] https://github.com/andresriancho/w3af/blob/feature/module/w3af/core/controllers/dependency_check/helper_script.py

> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
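The strict/lazy behaviour agreed on in the message above, as an added example that is not w3af's own dependency_check code: the Requirement and Installed records, the is_core flag and the sample versions are assumptions standing in for w3af's requirement objects and pip's distribution list.

```python
"""Strict vs. lazy dependency checking, modelled on the --lazy proposal.

Added example, not w3af code. Default (strict) mode reproduces the exact
version match w3af uses; lazy mode accepts any installed version >= the
pinned one and only warns about missing plugin dependencies instead of
refusing to start. Core dependency problems stay fatal in both modes,
since a missing core library would break the scan half way through.
"""
from collections import namedtuple

# Hypothetical records standing in for w3af's requirement and pip
# distribution objects (an assumption of this example).
Requirement = namedtuple("Requirement", "name version is_core")
Installed = namedtuple("Installed", "project_name version")


def parse_version(version):
    """Turn a version string such as '3.2.0-1' into a comparable tuple.

    Each dot- or dash-separated component becomes an int; a component with
    no digits counts as 0 so the comparison never raises. Trailing zeros
    are dropped so that '3.2' and '3.2.0' compare equal.
    """
    parts = []
    for piece in version.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_satisfies(installed, required, lazy):
    """Strict mode is an exact string match; lazy mode is '>='."""
    if not lazy:
        return installed == required
    return parse_version(installed) >= parse_version(required)


def check_dependencies(requirements, installed, lazy=False):
    """Return (fatal, warnings): two lists of human-readable problems.

    fatal   - problems that must stop w3af from starting
    warnings - plugin dependency problems that lazy mode tolerates; each
               carries the pip command the user needs to install it
    """
    have = {dist.project_name.lower(): dist.version for dist in installed}
    fatal, warnings = [], []
    for req in requirements:
        current = have.get(req.name.lower())
        if current is None:
            problem = "%s is not installed" % req.name
        elif not version_satisfies(current, req.version, lazy):
            wanted = ">=" if lazy else "=="
            problem = "%s %s found, %s%s required" % (req.name, current,
                                                      wanted, req.version)
        else:
            continue
        hint = "%s (try: pip install %s==%s)" % (problem, req.name, req.version)
        if req.is_core or not lazy:
            fatal.append(hint)
        else:
            warnings.append(hint)
    return fatal, warnings


# Constructed sample data following the versions mentioned in the thread:
# lxml pinned to 2.3.2 while the distro ships 3.2.0. Treating pdfminer as a
# plugin-only dependency is an assumption of this example.
REQUIREMENTS = [
    Requirement("lxml", "2.3.2", is_core=True),
    Requirement("pdfminer", "3", is_core=False),
]
INSTALLED = [
    Installed("lxml", "3.2.0"),
]


def main():
    for lazy in (False, True):
        fatal, warnings = check_dependencies(REQUIREMENTS, INSTALLED, lazy=lazy)
        print("--lazy=%s" % lazy)
        for line in fatal:
            print("  FATAL:   " + line)
        for line in warnings:
            print("  WARNING: " + line)


if __name__ == "__main__":
    main()
```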
From: Taras <ox...@ox...> - 2014-02-16 11:27:51
|
Andres,

> Not 100% a workaround, this is also a best practice!
>
> https://devcenter.heroku.com/articles/python-pip#the-basics

Could you please show at least one example of well-known software with such
requirements? By the way in w3af dev list I see fresh discussion about
similar problems in Mageia Linux distro
http://sourceforge.net/mailarchive/message.php?msg_id=31315478

>> 1. Bring back dependency check with >= condition
>
> Disagree with this, it will bring issues in the future, and it is not a
> best practice.
>
>> 2. We should separate core and plugins requirements
>> 3. We should make possible to run w3af without installation of all plugins
>> dependencies. It can be with special argument to w3af_console called "-l or
>> --lazy". This parameter will force w3af not to check plugins dependencies
>> (or even switch off dependency checker all!).
>
> You can disable checks for the dependencies which are used in plugins,
> not for the ones in the core or stuff will break in the middle of the
> scan.

If default behavior will not be changed why you are still against
disabling it at all by special parameter? This parameter will be used only
by package maintainers who specify these dependencies in the package and
geeks who don't want to install stuff they don't really need.

--
Taras
https://www.oxdef.info
|
From: Andres R. <and...@gm...> - 2014-02-15 21:36:48
|
Taras,

On Sat, Feb 15, 2014 at 5:52 PM, Taras <ox...@ox...> wrote:
> Andres,
>
> may be we will add to CC Luciano (lu...@de...) who is maintainer of
> w3af package in Debian?
>
>>>> * The pdfminer issue occurred because we had this requirement:
>>>> pdfminer (no version requirement)
>>>> * If we specify something like: pdfminer>=3, then we're fine until
>>>> they release version 4 which breaks their API and w3af breaks
>>>
>>> Breaking of API is unusual and infrequent case in normal software.
>>
>> Agreed, but we already found one issue with this and don't want to
>> find more in the future.
>
> How old is w3af project? How many times has this (breaking of 3rd party API)
> happened? If it's the first one then may be it's too excessive workaround?

Not 100% a workaround, this is also a best practice!

https://devcenter.heroku.com/articles/python-pip#the-basics

> Of course it is possible that we will have some similar issues in the
> future. But as for me it is not reason to specify exact versions of
> dependencies. It is reason to keep really small number of core dependencies.
> And these dependencies should be well-maintained packages.
>
>> I thought that specifying the exact version
>> was the best solution, but at least for what you're saying, it is not.
>> Can you propose a solution that will be bullet-proof?
>
> My view on w3af dependency management is:
>
> 1. Bring back dependency check with >= condition

Disagree with this, it will bring issues in the future, and it is not a
best practice.

> 2. We should separate core and plugins requirements
> 3. We should make possible to run w3af without installation of all plugins
> dependencies. It can be with special argument to w3af_console called "-l or
> --lazy". This parameter will force w3af not to check plugins dependencies
> (or even switch off dependency checker all!).

You can disable checks for the dependencies which are used in plugins,
not for the ones in the core or stuff will break in the middle of the
scan.

> If user specifies plugin with
> not installed external dependency w3af will show message how to install it
> using e.g. pip. Without such parameter w3af will run as currently. **So
> default behavior will not be changed.**
> 4. Such improvement will make possible to make easier e.g. Debian/Ubuntu
> package of w3af. Core dependencies will be in "Depends:" section and plugins
> dependencies will be "Recommends:" section. If there is no some plugin
> dependency in repository - no problem because user can install it via pip.
>
> If you agree with this I will code it.

I agree that for some users (like you) it will improve things, and if the
default behavior is still the same: the 1. is not applied but 2 to 4 are,
then I would accept and merge the pull request. Please create your PR for
the feature/module branch,

Thanks!

>>> In another case it will break current package system ideology in Linux
>>> distros.
>>
>> Not sure why you say that? Could you please explain?
>>
>>> Just try to find e.g. in Ubuntu repository package with such strict
>>> dependencies. It will be difficult task!
>>
>> Which command do I run to get such a list?
>
> I simply have tried to look on some well-known Python based packages like
> Sonata, Inkscape, Calibre, Exaile. Same is true for usual software:
>
> $ apt-cache show firefox
>
>> Also, there should be a way in ubuntu packaging to solve this issue... I
>> believe it's not a big deal and we're not unique. I bet there are many
>> packages which are in this dilemma:
>>
>> * Package A depends on library X version 1
>> * Package B depends on library X version 2
>> * A won't work with X.2
>> * B won't work with X.1
>>
>> We certainly need a packaging expert for solving this part of the
>> discussion! I don't know enough about it, or care enough to learn.
>>
>> If in the future someone wants to package w3af, I'll try to remember
>> this discussion and let him know.
>>
>>>> * If we specify the version: pdfminer==3, then we're fine for ever.
>>>
>>> Yes, we're fine, but **who** and **how** will be able to install and use
>>> w3af? Virtualenv is not solution for the end user. Only for development.
>>
>> Who? Every user
>> How?
>>
>> git clone ...
>> cd w3af
>> ./w3af_console
>> <follow steps in output>
>>
>> The only problem I see here is that when following the steps in the
>> output this might happen:
>> * User installed in the past package A version 2 using apt-get install
>> * User installs w3af using the instructions above
>> * w3af requires A version 3
>> * By following the instructions, A.2 is overwritten by A.3
>>
>> Is that what is worrying you?
>
> I really worry about how to run and package w3af without
> painful resolving dependencies in Debian/Ubuntu system.
> It should be as easy as installing any other well-known software.
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Taras <ox...@ox...> - 2014-02-15 20:52:22
|
Andres,

may be we will add to CC Luciano (lu...@de...) who is maintainer of
w3af package in Debian?

>>> * The pdfminer issue occurred because we had this requirement:
>>> pdfminer (no version requirement)
>>> * If we specify something like: pdfminer>=3, then we're fine until
>>> they release version 4 which breaks their API and w3af breaks
>>
>> Breaking of API is unusual and infrequent case in normal software.
>
> Agreed, but we already found one issue with this and don't want to
> find more in the future.

How old is w3af project? How many times has this (breaking of 3rd party API)
happened? If it's the first one then may be it's too excessive workaround?
Of course it is possible that we will have some similar issues in the
future. But as for me it is not reason to specify exact versions of
dependencies. It is reason to keep really small number of core dependencies.
And these dependencies should be well-maintained packages.

> I thought that specifying the exact version
> was the best solution, but at least for what you're saying, it is not.
> Can you propose a solution that will be bullet-proof?

My view on w3af dependency management is:

1. Bring back dependency check with >= condition
2. We should separate core and plugins requirements
3. We should make possible to run w3af without installation of all plugins
dependencies. It can be with special argument to w3af_console called "-l or
--lazy". This parameter will force w3af not to check plugins dependencies
(or even switch off dependency checker all!). If user specifies plugin with
not installed external dependency w3af will show message how to install it
using e.g. pip. Without such parameter w3af will run as currently. **So
default behavior will not be changed.**
4. Such improvement will make possible to make easier e.g. Debian/Ubuntu
package of w3af. Core dependencies will be in "Depends:" section and plugins
dependencies will be "Recommends:" section. If there is no some plugin
dependency in repository - no problem because user can install it via pip.

If you agree with this I will code it.

>> In another case it will break current package system ideology in Linux distros.
>
> Not sure why you say that? Could you please explain?
>
>> Just try to find e.g. in Ubuntu repository package with such strict
>> dependencies. It will be difficult task!
>
> Which command do I run to get such a list?

I simply have tried to look on some well-known Python based packages like
Sonata, Inkscape, Calibre, Exaile. Same is true for usual software:

$ apt-cache show firefox

> Also, there should be a way in ubuntu packaging to solve this issue... I
> believe it's not a big deal and we're not unique. I bet there are many
> packages which are in this dilemma:
>
> * Package A depends on library X version 1
> * Package B depends on library X version 2
> * A won't work with X.2
> * B won't work with X.1
>
> We certainly need a packaging expert for solving this part of the
> discussion! I don't know enough about it, or care enough to learn.
>
> If in the future someone wants to package w3af, I'll try to remember
> this discussion and let him know.
>
>>> * If we specify the version: pdfminer==3, then we're fine for ever.
>>
>> Yes, we're fine, but **who** and **how** will be able to install and use
>> w3af? Virtualenv is not solution for the end user. Only for development.
>
> Who? Every user
> How?
>
> git clone ...
> cd w3af
> ./w3af_console
> <follow steps in output>
>
> The only problem I see here is that when following the steps in the
> output this might happen:
> * User installed in the past package A version 2 using apt-get install
> * User installs w3af using the instructions above
> * w3af requires A version 3
> * By following the instructions, A.2 is overwritten by A.3
>
> Is that what is worrying you?

I really worry about how to run and package w3af without
painful resolving dependencies in Debian/Ubuntu system.
It should be as easy as installing any other well-known software.

--
Taras
https://www.oxdef.info
|
From: Andres R. <and...@gm...> - 2014-02-12 16:53:18
|
On Wed, Feb 12, 2014 at 1:15 PM, Taras <ox...@ox...> wrote:
> Andres,
>
> Sorry for delayed reply.
>
>> Not sure if I'm understanding your point.
>>
>> * The pdfminer issue occurred because we had this requirement:
>> pdfminer (no version requirement)
>> * If we specify something like: pdfminer>=3, then we're fine until
>> they release version 4 which breaks their API and w3af breaks
>
> Breaking of API is unusual and infrequent case in normal software.

Agreed, but we already found one issue with this and don't want to
find more in the future. I thought that specifying the exact version
was the best solution, but at least for what you're saying, it is not.
Can you propose a solution that will be bullet-proof?

> In another case it will break current package system ideology in Linux distros.

Not sure why you say that? Could you please explain?

> Just try to find e.g. in Ubuntu repository package with such strict
> dependencies. It will be difficult task!

Which command do I run to get such a list?

Also, there should be a way in ubuntu packaging to solve this issue... I
believe it's not a big deal and we're not unique. I bet there are many
packages which are in this dilemma:

* Package A depends on library X version 1
* Package B depends on library X version 2
* A won't work with X.2
* B won't work with X.1

We certainly need a packaging expert for solving this part of the
discussion! I don't know enough about it, or care enough to learn.

If in the future someone wants to package w3af, I'll try to remember
this discussion and let him know.

>> * If we specify the version: pdfminer==3, then we're fine for ever.
>
> Yes, we're fine, but **who** and **how** will be able to install and use
> w3af? Virtualenv is not solution for the end user. Only for development.

Who? Every user
How?

git clone ...
cd w3af
./w3af_console
<follow steps in output>

The only problem I see here is that when following the steps in the
output this might happen:
* User installed in the past package A version 2 using apt-get install
* User installs w3af using the instructions above
* w3af requires A version 3
* By following the instructions, A.2 is overwritten by A.3

Is that what is worrying you?

>>> In the message of 1 February 2014 14:36:05, user Taras wrote:
>>>> Andres,
>>>>
>>>> When I talked about packaging problem I meant problems with supported
>>>> versions of e.g. python libs for current popular distros. Consider we
>>>> have e.g. some Debian/Ubuntu distro and want to package/install w3af
>>>> from official repo. w3af from feature/package branch requires lxml
>>>> version exactly 2.3.2, but supported and packaged version of lxml for
>>>> Ubuntu 13.10 is 3.2.0!
>>>>
>>>> $ apt-cache show python-lxml
>>>> Package: python-lxml
>>>> Priority: optional
>>>> Section: python
>>>> Installed-Size: 2390
>>>> Maintainer: Ubuntu Developers <ubu...@li...>
>>>> Original-Maintainer: Matthias Klose <do...@de...>
>>>> Architecture: amd64
>>>> Source: lxml
>>>> Version: 3.2.0-1
>>>>
>>>> Because of that you can't simply make and provide w3af through official
>>>> repo. No one package maintainer will support several packaged minor
>>>> versions of single lib. And for the end user there is only one way to
>>>> install and use w3af. It is virtualenv + git clone :(
>>>>
>>>>>> 1. It makes impossible to package&install w3af, e.g. into deb package,
>>>>>> doesn't it?
>>>>>
>>>>> That's a good question, I'm not packaging expert but I suppose there
>>>>> is a solution? Also I suppose that this was an issue in the past,
>>>>> without the specific version requirement? Let's follow this timeline:
>>>>> * (assume) w3af is packaged in debian. Requires extra package
>>>>>   python-pdfminer-v1. No check for specific version of any pip package.
>>>>> * foo is another debian package. Requires extra package
>>>>>   python-pdfminer-v2
>>>>> * User installs w3af: apt-get install w3af
>>>>> * Run w3af, it works
>>>>> * User installs foo: apt-get install foo
>>>>>   - Command will warn that it will break the w3af install? (not
>>>>>     sure, not a packaging expert)
>>>>>   - Command will succeed and replace python-pdfminer-v1 with
>>>>>     python-pdfminer-v2
>>>>> * Run foo, it works
>>>>> * Run w3af, it fails because now python-pdfminer-v2, which changes
>>>>>   the API, is installed
>>>>>
>>>>>> 2. If w3af requires 3rd party A version 1 and another application on
>>>>>> the system also requires 3rd party A but version 1.1, how it will be
>>>>>> solved by the user?
>>>>>
>>>>> First, let's understand that this was an issue in the past too, right?
>>>>>
>>>>> You can always use virtualenv:
>>>>> $ virtualenv w3af-venv
>>>>> $ . w3af-venv/bin/activate
>>>>> (w3af-venv)$ cd w3af-repo
>>>>> (w3af-venv)/w3af-repo$ ./w3af_console
>>>>> (w3af-venv)/w3af-repo$ pip install ...
>>>>>
>>>>> All the packages are installed inside the w3af-venv directory, and
>>>>> while your prompt says "w3af-venv" you're using that specific python
>>>>>
>>>>> Regards,
>>>>>
>>>>>> In the message of 29 January 2014 19:03:23, user Andres Riancho wrote:
>>>>>>> Taras,
>>>>>>>
>>>>>>> Added that because it is the best thing to do. Search the mailing
>>>>>>> list for the issue we had with pdfminer, what happened there was:
>>>>>>> * w3af had a requirement for pdfminer, any version
>>>>>>> * w3af worked without issues with version 1 of that library
>>>>>>> * The pdfminer developers released version 2 of that library
>>>>>>> * People trying to install w3af, and because the requirement
>>>>>>>   didn't have any specific version, installed pdfminer like
>>>>>>>   "pip install pdfminer"
>>>>>>> * w3af stopped working because pdfminer changed its API, and
>>>>>>>   one of the functions we were calling wasn't there anymore
>>>>>>> * Fix> Add specific version matching for pip packages
>>>>>>>
>>>>>>> On Wed, Jan 29, 2014 at 5:46 PM, Taras <ox...@ox...> wrote:
>>>>>>>> I was wrong...I have working **master** branch :(
>>>>>>>>
>>>>>>>> Andres, why did you add requirement for **exact** match of versions
>>>>>>>> in 'feature/module' branch?
>>>>>>>>
>>>>>>>> $ grep -B5 'version matches'
>>>>>>>> w3af/core/controllers/dependency_check/dependency_check.py
>>>>>>>>
>>>>>>>> for w3af_req in pip_packages:
>>>>>>>>     if USE_PIP_MODULE:
>>>>>>>>         dependency_specs = w3af_req.package_name, w3af_req.package_version
>>>>>>>>
>>>>>>>>         for dist in pip_distributions:
>>>>>>>>             if (dist.project_name, dist.version) == dependency_specs:
>>>>>>>>                 # It's installed and the version matches!
>>>>>>>>                 ...
>>>>>>>>
>>>>>>>> In the message of 26 January 2014 14:39:14, user Taras wrote:
>>>>>>>>> Israel, I have working "feature/module" version of w3af on 13.10
>>>>>>>>> What problems do you have?
>>>>>>>>>
>>>>>>>>> In the message of 22 January 2014 21:53:48, user Andres Riancho wrote:
>>>>>>>>>> Israel,
>>>>>>>>>>
>>>>>>>>>> Haven't tried with that specific version, but what's wrong with:
>>>>>>>>>>
>>>>>>>>>> git clone gi...@gi...:andresriancho/w3af.git
>>>>>>>>>> cd w3af
>>>>>>>>>> git checkout feature/module
>>>>>>>>>> ./w3af_console
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 22, 2014 at 6:00 PM, Israel Duvdavan
>>>>>>>>>> <isr...@gm...> wrote:
>>>>>>>>>>> Hi, does anyone have a working way to install W3af on 13.10?
>>>>>>>>>>> --
>>>>>>>>>>> Israel
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>>> W3a...@li...
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>>
>>>>>>>> --
>>>>>>>> Taras
>>>>>>>> https://www.oxdef.info
>>>>>>
>>>>>> --
>>>>>> Taras
>>>>>> https://www.oxdef.info
>>>
>>> --
>>> Taras
>>> https://www.oxdef.info
>
> --
> Taras
> https://www.oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Taras <ox...@ox...> - 2014-02-12 16:15:47
|
Andres,

Sorry for delayed reply.

> Not sure if I'm understanding your point.
>
> * The pdfminer issue occurred because we had this requirement:
> pdfminer (no version requirement)
> * If we specify something like: pdfminer>=3, then we're fine until
> they release version 4 which breaks their API and w3af breaks

Breaking of API is unusual and infrequent case in normal software.
In another case it will break current package system ideology in Linux distros.
Just try to find e.g. in Ubuntu repository package with such strict
dependencies. It will be difficult task!

> * If we specify the version: pdfminer==3, then we're fine for ever.

Yes, we're fine, but **who** and **how** will be able to install and use
w3af? Virtualenv is not solution for the end user. Only for development.

>> In the message of 1 February 2014 14:36:05, user Taras wrote:
>>> Andres,
>>>
>>> When I talked about packaging problem I meant problems with supported
>>> versions of e.g. python libs for current popular distros. Consider we have
>>> e.g. some Debian/Ubuntu distro and want to package/install w3af from
>>> official repo. w3af from feature/package branch requires lxml version
>>> exactly 2.3.2, but supported and packaged version of lxml for Ubuntu 13.10
>>> is 3.2.0!
>>>
>>> $ apt-cache show python-lxml
>>> Package: python-lxml
>>> Priority: optional
>>> Section: python
>>> Installed-Size: 2390
>>> Maintainer: Ubuntu Developers <ubu...@li...>
>>> Original-Maintainer: Matthias Klose <do...@de...>
>>> Architecture: amd64
>>> Source: lxml
>>> Version: 3.2.0-1
>>>
>>> Because of that you can't simply make and provide w3af through official
>>> repo. No one package maintainer will support several packaged minor
>>> versions of single lib. And for the end user there is only one way to
>>> install and use w3af. It is virtualenv + git clone :(
>>>
>>>>> 1. It makes impossible to package&install w3af, e.g. into deb package,
>>>>> doesn't it?
>>>>
>>>> That's a good question, I'm not packaging expert but I suppose there
>>>> is a solution? Also I suppose that this was an issue in the past,
>>>> without the specific version requirement? Let's follow this timeline:
>>>> * (assume) w3af is packaged in debian. Requires extra package
>>>>   python-pdfminer-v1. No check for specific version of any pip package.
>>>> * foo is another debian package. Requires extra package
>>>>   python-pdfminer-v2
>>>> * User installs w3af: apt-get install w3af
>>>> * Run w3af, it works
>>>> * User installs foo: apt-get install foo
>>>>   - Command will warn that it will break the w3af install? (not
>>>>     sure, not a packaging expert)
>>>>   - Command will succeed and replace python-pdfminer-v1 with
>>>>     python-pdfminer-v2
>>>> * Run foo, it works
>>>> * Run w3af, it fails because now python-pdfminer-v2, which changes
>>>>   the API, is installed
>>>>
>>>>> 2. If w3af requires 3rd party A version 1 and another application on the
>>>>> system also requires 3rd party A but version 1.1, how it will be solved
>>>>> by the user?
>>>>
>>>> First, let's understand that this was an issue in the past too, right?
>>>>
>>>> You can always use virtualenv:
>>>> $ virtualenv w3af-venv
>>>> $ . w3af-venv/bin/activate
>>>> (w3af-venv)$ cd w3af-repo
>>>> (w3af-venv)/w3af-repo$ ./w3af_console
>>>> (w3af-venv)/w3af-repo$ pip install ...
>>>>
>>>> All the packages are installed inside the w3af-venv directory, and
>>>> while your prompt says "w3af-venv" you're using that specific python
>>>>
>>>> Regards,
>>>>
>>>>> In the message of 29 January 2014 19:03:23, user Andres Riancho wrote:
>>>>>> Taras,
>>>>>>
>>>>>> Added that because it is the best thing to do. Search the mailing
>>>>>> list for the issue we had with pdfminer, what happened there was:
>>>>>> * w3af had a requirement for pdfminer, any version
>>>>>> * w3af worked without issues with version 1 of that library
>>>>>> * The pdfminer developers released version 2 of that library
>>>>>> * People trying to install w3af, and because the requirement
>>>>>>   didn't have any specific version, installed pdfminer like
>>>>>>   "pip install pdfminer"
>>>>>> * w3af stopped working because pdfminer changed its API, and
>>>>>>   one of the functions we were calling wasn't there anymore
>>>>>> * Fix> Add specific version matching for pip packages
>>>>>>
>>>>>> On Wed, Jan 29, 2014 at 5:46 PM, Taras <ox...@ox...> wrote:
>>>>>>> I was wrong...I have working **master** branch :(
>>>>>>>
>>>>>>> Andres, why did you add requirement for **exact** match of versions
>>>>>>> in 'feature/module' branch?
>>>>>>>
>>>>>>> $ grep -B5 'version matches'
>>>>>>> w3af/core/controllers/dependency_check/dependency_check.py
>>>>>>>
>>>>>>> for w3af_req in pip_packages:
>>>>>>>     if USE_PIP_MODULE:
>>>>>>>         dependency_specs = w3af_req.package_name, w3af_req.package_version
>>>>>>>
>>>>>>>         for dist in pip_distributions:
>>>>>>>             if (dist.project_name, dist.version) == dependency_specs:
>>>>>>>                 # It's installed and the version matches!
>>>>>>>                 ...
>>>>>>>
>>>>>>> In the message of 26 January 2014 14:39:14, user Taras wrote:
>>>>>>>> Israel, I have working "feature/module" version of w3af on 13.10
>>>>>>>> What problems do you have?
>>>>>>>>
>>>>>>>> In the message of 22 January 2014 21:53:48, user Andres Riancho wrote:
>>>>>>>>> Israel,
>>>>>>>>>
>>>>>>>>> Haven't tried with that specific version, but what's wrong with:
>>>>>>>>> git clone gi...@gi...:andresriancho/w3af.git
>>>>>>>>> cd w3af
>>>>>>>>> git checkout feature/module
>>>>>>>>> ./w3af_console
>>>>>>>>>
>>>>>>>>> On Wed, Jan 22, 2014 at 6:00 PM, Israel Duvdavan
>>>>>>>>> <isr...@gm...> wrote:
>>>>>>>>>> Hi, does anyone have a working way to install W3af on 13.10?
>>>>>>>>>> --
>>>>>>>>>> Israel
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> W3af-develop mailing list
>>>>>>>>>> W3a...@li...
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>>>
>>>>>>> --
>>>>>>> Taras
>>>>>>> https://www.oxdef.info
>>>>>
>>>>> --
>>>>> Taras
>>>>> https://www.oxdef.info
>>
>> --
>> Taras
>> https://www.oxdef.info
>

--
Taras
https://www.oxdef.info
|
From: Andres R. <and...@gm...> - 2014-02-06 15:55:05
|
On Thu, Feb 6, 2014 at 12:46 PM, Taras <ox...@ox...> wrote:
> Andres?
>
> What I'm suggesting is to bring back requirements for a **minimal** version of
> 3rd party libs

Not sure if I'm understanding your point.

* The pdfminer issue occurred because we had this requirement: pdfminer (no version requirement)
* If we specify something like: pdfminer>=3, then we're fine until they release version 4 which breaks their API and w3af breaks
* If we specify the version: pdfminer==3, then we're fine for ever.

PLEASE correct me if I'm doing something wrong!

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
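The three requirement styles Andres lists above (no version, `>=`, `==`) can be tried against a pretend set of installed packages, in the same shape as the dependency_check loop Taras quoted earlier in the thread. This is an added example, not w3af's own code; the installed-distribution lists are constructed, and the bounded `>=X,<Y` form goes one step beyond the thread as the usual middle ground between a minimal and an exact pin.

```python
"""Requirement matching strategies from the pdfminer / lxml discussion.

Added example, not w3af's own dependency_check code. The "installed
distributions" below are constructed for the demonstration.
"""
import re
from collections import namedtuple

# Stand-in for the pip distribution objects the w3af loop iterates over.
Distribution = namedtuple("Distribution", "project_name version")

# Constructed: a box from before the pdfminer 2 release, and one where a
# plain "pip install pdfminer" pulled the newer release (lxml as on 13.10).
INSTALLED_V1 = [Distribution("pdfminer", "1.0"), Distribution("lxml", "2.3.2")]
INSTALLED_V2 = [Distribution("pdfminer", "2.0"), Distribution("lxml", "3.2.0")]

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)(?P<specs>.*)$")


def parse_version(text):
    """Turn '3.2.0' into (3, 2, 0) so tuples compare numerically.

    Plain numeric releases only; pre-release suffixes are out of scope.
    """
    return tuple(int(part) for part in text.split("."))


def parse_requirement(req):
    """Split 'pdfminer>=3,<4' into ('pdfminer', [('>=', (3,)), ('<', (4,))]).

    A bare name ('pdfminer') yields an empty constraint list, i.e. the
    'any version' requirement that let the pdfminer API change slip in.
    """
    m = _REQ_RE.match(req.strip())
    constraints = []
    for clause in filter(None, (c.strip() for c in m.group("specs").split(","))):
        op = clause[:2] if clause[:2] in ("==", ">=", "<=", "!=") else clause[0]
        constraints.append((op, parse_version(clause[len(op):].strip())))
    return m.group("name"), constraints


def _cmp(installed, wanted):
    """Three-way compare after zero-padding, so (3,) equals (3, 0)."""
    n = max(len(installed), len(wanted))
    a = installed + (0,) * (n - len(installed))
    b = wanted + (0,) * (n - len(wanted))
    return (a > b) - (a < b)


_OPS = {
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
    ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, "<": lambda c: c < 0,
}


def satisfies(installed_version, constraints):
    """True when every clause of the requirement holds for this version."""
    v = parse_version(installed_version)
    return all(_OPS[op](_cmp(v, wanted)) for op, wanted in constraints)


def check_requirement(req, installed):
    """Same shape as the loop quoted in the thread: find the distribution
    with the requirement's project name and compare versions.

    Returns (status, installed_version) with status one of
    'ok', 'wrong-version', 'missing'.
    """
    name, constraints = parse_requirement(req)
    for dist in installed:
        if dist.project_name.lower() == name.lower():
            if satisfies(dist.version, constraints):
                return "ok", dist.version
            return "wrong-version", dist.version
    return "missing", None


def replay_pdfminer_timeline():
    """Evaluate each requirement style on the pre-release box and on the
    box where pdfminer 2 (with the changed API) got installed."""
    styles = ["pdfminer", "pdfminer>=1", "pdfminer==1", "pdfminer>=1,<2"]
    return {
        style: (check_requirement(style, INSTALLED_V1)[0],
                check_requirement(style, INSTALLED_V2)[0])
        for style in styles
    }


if __name__ == "__main__":
    for style, outcome in replay_pdfminer_timeline().items():
        print("%-16s before: %-14s after pdfminer 2: %s" % ((style,) + outcome))
    # The exact pin that fixed pdfminer is what rejects Ubuntu 13.10's lxml.
    print("lxml==2.3.2 on 13.10:", check_requirement("lxml==2.3.2", INSTALLED_V2))
    print("lxml>=2.3.2 on 13.10:", check_requirement("lxml>=2.3.2", INSTALLED_V2))
```

The unpinned and the `>=` styles both report "ok" after the API-breaking release, which is the failure the thread describes; the `==` pin and the bounded range catch it, and the `>=` style is the only one of the three that also accepts the distro's lxml 3.2.0.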
From: Taras <ox...@ox...> - 2014-02-06 15:46:36
|
Andres?

What I'm suggesting is to bring back requirements for a **minimal** version of 3rd party libs

In a message dated 1 February 2014 14:36:05, Taras wrote:
> Andres,
>
> When I talked about the packaging problem I meant problems with supported
> versions of e.g. python libs for current popular distros. Consider we have
> e.g. some Debian/Ubuntu distro and want to package/install w3af from the
> official repo. w3af from the feature/package branch requires lxml version
> exactly 2.3.2, but the supported and packaged version of lxml for Ubuntu 13.10
> is 3.2.0!
>
> $ apt-cache show python-lxml
> Package: python-lxml
> Priority: optional
> Section: python
> Installed-Size: 2390
> Maintainer: Ubuntu Developers <ubu...@li...>
> Original-Maintainer: Matthias Klose <do...@de...>
> Architecture: amd64
> Source: lxml
> Version: 3.2.0-1
>
> Because of that you can't simply make and provide w3af through the official
> repo. No package maintainer will support several packaged minor
> versions of a single lib. And for the end user there is only one way to
> install and use w3af. It is virtualenv + git clone :(

--
Taras
https://www.oxdef.info
|
From: Taras <ox...@ox...> - 2014-02-01 10:36:17
|
Andres,

When I talked about the packaging problem I meant problems with supported versions of e.g. python libs for current popular distros. Consider we have e.g. some Debian/Ubuntu distro and want to package/install w3af from the official repo. w3af from the feature/package branch requires lxml version exactly 2.3.2, but the supported and packaged version of lxml for Ubuntu 13.10 is 3.2.0!

$ apt-cache show python-lxml
Package: python-lxml
Priority: optional
Section: python
Installed-Size: 2390
Maintainer: Ubuntu Developers <ubu...@li...>
Original-Maintainer: Matthias Klose <do...@de...>
Architecture: amd64
Source: lxml
Version: 3.2.0-1

Because of that you can't simply make and provide w3af through the official repo. No package maintainer will support several packaged minor versions of a single lib. And for the end user there is only one way to install and use w3af. It is virtualenv + git clone :(

> > 1. It makes it impossible to package & install w3af, e.g. into a deb package,
> > doesn't it?
>
> That's a good question, I'm not a packaging expert but I suppose there
> is a solution? Also I suppose that this was an issue in the past,
> without the specific version requirement? Let's follow this timeline:
> * (assume) w3af is packaged in debian. Requires extra package
>   python-pdfminer-v1. No check for specific version of any pip package.
> * foo is another debian package. Requires extra package
>   python-pdfminer-v2
> * User installs w3af: apt-get install w3af
> * Run w3af, it works
> * User installs foo: apt-get install foo
>     - Command will warn that it will break the w3af install? (not
>       sure, not a packaging expert)
>     - Command will succeed and replace python-pdfminer-v1 with
>       python-pdfminer-v2
> * Run foo, it works
> * Run w3af, it fails because now python-pdfminer-v2, which changes
>   the API, is installed
>
> > 2. If w3af requires 3rd party A version 1 and another application on the
> > system also requires 3rd party A but version 1.1, how will it be solved by
> > the user?
>
> First, let's understand that this was an issue in the past too, right?
>
> You can always use virtualenv:
> $ virtualenv w3af-venv
> $ . w3af-venv/bin/activate
> (w3af-venv)$ cd w3af-repo
> (w3af-venv)/w3af-repo$ ./w3af_console
> (w3af-venv)/w3af-repo$ pip install ...
>
> All the packages are installed inside the w3af-venv directory, and
> while your prompt says "w3af-venv" you're using that specific python
>
> Regards,

--
Taras
https://www.oxdef.info
|
From: Andres R. <and...@gm...> - 2014-01-30 12:12:27
|
Taras,

On Thu, Jan 30, 2014 at 4:08 AM, Taras <ox...@ox...> wrote:
> Andres,
>
> Thanks for the description of the reason. There are at least two issues with such
> requirements:
>
> 1. It makes it impossible to package & install w3af, e.g. into a deb package, doesn't
> it?

That's a good question, I'm not a packaging expert but I suppose there is a solution? Also I suppose that this was an issue in the past, without the specific version requirement? Let's follow this timeline:
* (assume) w3af is packaged in debian. Requires extra package python-pdfminer-v1. No check for specific version of any pip package.
* foo is another debian package. Requires extra package python-pdfminer-v2
* User installs w3af: apt-get install w3af
* Run w3af, it works
* User installs foo: apt-get install foo
    - Command will warn that it will break the w3af install? (not sure, not a packaging expert)
    - Command will succeed and replace python-pdfminer-v1 with python-pdfminer-v2
* Run foo, it works
* Run w3af, it fails because now python-pdfminer-v2, which changes the API, is installed

> 2. If w3af requires 3rd party A version 1 and another application on the
> system also requires 3rd party A but version 1.1, how will it be solved by the
> user?

First, let's understand that this was an issue in the past too, right?

You can always use virtualenv:
$ virtualenv w3af-venv
$ . w3af-venv/bin/activate
(w3af-venv)$ cd w3af-repo
(w3af-venv)/w3af-repo$ ./w3af_console
(w3af-venv)/w3af-repo$ pip install ...

All the packages are installed inside the w3af-venv directory, and while your prompt says "w3af-venv" you're using that specific python

Regards,

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Taras <ox...@ox...> - 2014-01-30 07:26:18
|
Andres,

Thanks for the description of the reason. There are at least two issues with such requirements:

1. It makes it impossible to package & install w3af, e.g. into a deb package, doesn't it?
2. If w3af requires 3rd party A version 1 and another application on the system also requires 3rd party A but version 1.1, how will it be solved by the user?

In a message dated 29 January 2014 19:03:23, Andres Riancho wrote:
> Taras,
>
>     Added that because it is the best thing to do. Search the mailing
> list for the issue we had with pdfminer, what happened there was:
> * w3af had a requirement for pdfminer, any version
> * w3af worked without issues with version 1 of that library
> * The pdfminer developers released version 2 of that library
> * People trying to install w3af, and because the requirement
>   didn't have any specific version, installed pdfminer like "pip install
>   pdfminer"
> * w3af stopped working because pdfminer changed its API, and
>   one of the functions we were calling wasn't there anymore
> * Fix> Add specific version matching for pip packages
>
> On Wed, Jan 29, 2014 at 5:46 PM, Taras <ox...@ox...> wrote:
> > I was wrong...I have a working **master** branch :(
> >
> > Andres, why did you add a requirement for an **exact** match of versions in
> > the 'feature/module' branch?

--
Taras
https://www.oxdef.info
|
From: Andres R. <and...@gm...> - 2014-01-29 21:03:49
|
Taras,

    Added that because it is the best thing to do. Search the mailing list for the issue we had with pdfminer, what happened there was:
* w3af had a requirement for pdfminer, any version
* w3af worked without issues with version 1 of that library
* The pdfminer developers released version 2 of that library
* People trying to install w3af, and because the requirement didn't have any specific version, installed pdfminer like "pip install pdfminer"
* w3af stopped working because pdfminer changed its API, and one of the functions we were calling wasn't there anymore
* Fix> Add specific version matching for pip packages

On Wed, Jan 29, 2014 at 5:46 PM, Taras <ox...@ox...> wrote:
> I was wrong...I have a working **master** branch :(
>
> Andres, why did you add a requirement for an **exact** match of versions in
> the 'feature/module' branch?
>
> $ grep -B5 'version matches'
> w3af/core/controllers/dependency_check/dependency_check.py
>
>     for w3af_req in pip_packages:
>         if USE_PIP_MODULE:
>             dependency_specs = w3af_req.package_name, w3af_req.package_version
>             for dist in pip_distributions:
>                 if (dist.project_name, dist.version) == dependency_specs:
>                     # It's installed and the version matches!
>
> ...

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
|
From: Taras <ox...@ox...> - 2014-01-29 20:46:10
|
I was wrong...I have a working **master** branch :(

Andres, why did you add a requirement for an **exact** match of versions in the 'feature/module' branch?

$ grep -B5 'version matches' w3af/core/controllers/dependency_check/dependency_check.py

    for w3af_req in pip_packages:
        if USE_PIP_MODULE:
            dependency_specs = w3af_req.package_name, w3af_req.package_version
            for dist in pip_distributions:
                if (dist.project_name, dist.version) == dependency_specs:
                    # It's installed and the version matches!

...

In a message dated 26 January 2014 14:39:14, Taras wrote:
> Israel, I have a working "feature/module" version of w3af on 13.10
> What problems do you have?

--
Taras
https://www.oxdef.info
|
From: Taras <ox...@ox...> - 2014-01-26 10:55:24
|
Israel, I have a working "feature/module" version of w3af on 13.10
What problems do you have?

In a message dated 22 January 2014 21:53:48, Andres Riancho wrote:
> Israel,
>
> Haven't tried with that specific version, but what's wrong with:
>
> git clone gi...@gi...:andresriancho/w3af.git
> cd w3af
> git checkout feature/module
> ./w3af_console
>
> On Wed, Jan 22, 2014 at 6:00 PM, Israel Duvdavan
> <isr...@gm...> wrote:
> > Hi, does anyone have a working way to install W3af on 13.10?
> > --
> > Israel

--
Taras
https://www.oxdef.info
|
From: Andres R. <and...@gm...> - 2014-01-22 23:54:15
Israel,

Haven't tried with that specific version, but what's wrong with:

git clone gi...@gi...:andresriancho/w3af.git
cd w3af
git checkout feature/module
./w3af_console

On Wed, Jan 22, 2014 at 6:00 PM, Israel Duvdavan <isr...@gm...> wrote:
>
> Hi, does anyone have a working way to install W3af on 13.10?
> --
> Israel

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Israel D. <isr...@gm...> - 2014-01-22 21:00:29
Hi, does anyone have a working way to install W3af on 13.10?
--
Israel
From: Andres R. <and...@gm...> - 2013-12-03 20:40:43
How w3af uses Continuous Integration [0]

[0] http://w3af.org/how-w3af-uses-continuous-integration-to-improve

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2013-11-14 08:22:56
Any (python) gtk guy out there?

I'm trying to build w3af on circleci and I'm getting some strange error [0] which seems to come from using dynamic/static gtk at the same time. Already did some debugging and asked a question in xpresser's launchpad regarding this issue [1].

Please help me out :) I want to have continuous integration for w3af, and this is blocking me at the moment.

Other resources you'll have to read to understand what's going on here [2]

[0] https://circleci.com/gh/andresriancho/w3af/125
[1] https://answers.launchpad.net/xpresser/+question/239194
[2] https://github.com/andresriancho/w3af/tree/feature/module/w3af/core/controllers/ci

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2013-10-11 21:58:33
List,

If you ever want to compare w3af with other scanners, the WASSEC [0] methodology and this [1] document with the w3af pre-filled values might come in handy.

[0] http://projects.webappsec.org/w/page/13246986/Web%20Application%20Security%20Scanner%20Evaluation%20Criteria
[1] https://docs.google.com/spreadsheet/ccc?key=0AugMBW3nnaQ4dG4zdC1RTkw4WVgzeHVmZjloelhnRWc&usp=sharing

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andres R. <and...@gm...> - 2013-10-08 01:11:33
Andri,

On Mon, Oct 7, 2013 at 9:54 PM, Andri Herumurti <vyn...@ya...> wrote:
> Hi Andres,
>
> I think no problem as long as the ruleset is open source.
>
> So when will we make it happen?

For now it's just an idea, I don't have a plan to implement it. I also want to collect more information on which ruleset is the best one to use. Sent an email to the snort and suricata mailing lists to ask some questions.

> Regards
> Andri
>
>> On 6 Okt 2013, at 18.58, Andres Riancho <and...@gm...> wrote:
>>
>> Maybe the focus should be moved away from the detection engines (snort, suricata) and into the rules provider(s)?
>>
>> http://www.emergingthreats.net/open-source/
>>
>>> On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <and...@gm...> wrote:
>>> Andri,
>>>
>>> Good question, actually I didn't even consider Suricata because I was unaware of its existence :( So, after reading the suricata website for some minutes it seems that their rule format is *very similar* (the same?) as the one from snort, which could make things easier if we want to support both.
>>>
>>> When it comes to what we want to do, the only thing that matters is quality (re: false positives) and quantity of the rules to detect web malware. Do you know if there is a comparison between suricata and snort rulesets?
>>>
>>> Regards,
>>>
>>>> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vyn...@ya...> wrote:
>>>> Hi Andres,
>>>>
>>>> How about using Suricata rather than Snort?
>>>> Here is the comparison: http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>>>
>>>> Regards,
>>>> Andri
>>>>
>>>>
>>>> ________________________________
>>>> From: Andres Riancho <and...@gm...>
>>>> To: "w3a...@li..." <w3a...@li...>; "w3a...@li..." <W3a...@li...>
>>>> Sent: Sunday, October 6, 2013 3:38 AM
>>>> Subject: [W3af-develop] Snort rules to detect malware
>>>>
>>>> Guys,
>>>>
>>>> We already have a clamav plugin that will identify if an http response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus or not. The other day I was thinking about how to improve this and came up with the idea of using snort rules to detect malware [0]
>>>>
>>>> The idea is rather simple:
>>>> * Crawl the site (we already do that)
>>>> * Parse snort rules into regular expressions
>>>> * Create a grep plugin that will apply those regular expressions to each HTTP response body
>>>> * If a match is found, then report it to the knowledge base
>>>>
>>>> What do you guys think about the idea? Anyone with snort experience to weigh in with some facts on how many false positives are found by rules like these? Anyone knows about the licensing for the rules? Can we include them into our repository?
>>>>
>>>> [0] https://github.com/andresriancho/w3af/issues/671
>>>>
>>>> Regards,
>>>> --
>>>> Andrés Riancho
>>>> Project Leader at w3af - http://w3af.org/
>>>> Web Application Attack and Audit Framework
>>>> Twitter: @w3af
>>>> GPG: 0x93C344F3
>>>>
>>>> ------------------------------------------------------------------------------
>>>> October Webinars: Code for Performance
>>>> Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register >
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> W3af-develop mailing list
>>>> W3a...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>
>>>
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
From: Andri H. <vyn...@ya...> - 2013-10-08 00:55:05
Hi Andres,

I think no problem as long as the ruleset is open source.

So when will we make it happen?

Regards
Andri

> On 6 Okt 2013, at 18.58, Andres Riancho <and...@gm...> wrote:
>
> Maybe the focus should be moved away from the detection engines (snort, suricata) and into the rules provider(s)?
>
> http://www.emergingthreats.net/open-source/
>
>> On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <and...@gm...> wrote:
>> Andri,
>>
>> Good question, actually I didn't even consider Suricata because I was unaware of its existence :( So, after reading the suricata website for some minutes it seems that their rule format is *very similar* (the same?) as the one from snort, which could make things easier if we want to support both.
>>
>> When it comes to what we want to do, the only thing that matters is quality (re: false positives) and quantity of the rules to detect web malware. Do you know if there is a comparison between suricata and snort rulesets?
>>
>> Regards,
>>
>>> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <vyn...@ya...> wrote:
>>> Hi Andres,
>>>
>>> How about using Suricata rather than Snort?
>>> Here is the comparison: http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>>
>>> Regards,
>>> Andri
>>>
>>>
>>> ________________________________
>>> From: Andres Riancho <and...@gm...>
>>> To: "w3a...@li..." <w3a...@li...>; "w3a...@li..." <W3a...@li...>
>>> Sent: Sunday, October 6, 2013 3:38 AM
>>> Subject: [W3af-develop] Snort rules to detect malware
>>>
>>> Guys,
>>>
>>> We already have a clamav plugin that will identify if an http response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus or not. The other day I was thinking about how to improve this and came up with the idea of using snort rules to detect malware [0]
>>>
>>> The idea is rather simple:
>>> * Crawl the site (we already do that)
>>> * Parse snort rules into regular expressions
>>> * Create a grep plugin that will apply those regular expressions to each HTTP response body
>>> * If a match is found, then report it to the knowledge base
>>>
>>> What do you guys think about the idea? Anyone with snort experience to weigh in with some facts on how many false positives are found by rules like these? Anyone knows about the licensing for the rules? Can we include them into our repository?
>>>
>>> [0] https://github.com/andresriancho/w3af/issues/671
>>>
>>> Regards,
>>> --
>>> Andrés Riancho
>>> Project Leader at w3af - http://w3af.org/
>>> Web Application Attack and Audit Framework
>>> Twitter: @w3af
>>> GPG: 0x93C344F3
>>
>>
>> --
>> Andrés Riancho
>> Project Leader at w3af - http://w3af.org/
>> Web Application Attack and Audit Framework
>> Twitter: @w3af
>> GPG: 0x93C344F3
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
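The "parse snort rules into regular expressions, then grep every HTTP response body" idea in Andres's proposal (quoted in both 8 October messages above) is easy to sketch, and sketching it also shows where the false positives he asks about come from. The block below is an added example written for this page; it is not w3af code and not the plugin tracked in issue 671. It converts the `content:` (with `|hex|` blocks), `nocase`, `depth` and `pcre:` options of a rule into compiled byte regexes and applies them to response bodies. Everything else a rule can say (offset/distance/within, flowbits, byte_test, flow direction) is ignored, which is exactly the information a plain grep throws away. The two rules (local sid range) and the three response bodies are constructed for the illustration and are not taken from any published ruleset.

```python
"""Added example, not w3af code and not the plugin proposed in issue 671:
a minimal Snort/Suricata rule-to-regex converter plus the grep step that
would run over HTTP response bodies. It understands msg, sid, content
(with |hex| blocks), nocase, depth and pcre; offset/distance/within,
flowbits, byte_test and the rest are ignored. Rules (local sid range)
and response bodies below are constructed for this illustration."""
import re

# Constructed rules: the PE DOS stub and an eval(unescape( idiom, not copied
# from any published ruleset.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE PE served by web server"; flow:established,from_server; content:"|4d 5a|"; depth:2; content:"This program cannot be run in DOS mode"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE eval(unescape( obfuscation"; flow:established,from_server; content:"eval|28|"; nocase; pcre:"/eval\s*\(\s*unescape\s*\(/i"; classtype:trojan-activity; sid:1000002; rev:1;)
'''


def split_options(option_text):
    """Split the text inside the rule's (...) on ';', ignoring ';' in quotes."""
    opts, buf, quoted = [], [], False
    for ch in option_text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        opts.append("".join(buf).strip())
    return opts


def content_to_regex(content):
    """Snort content string -> escaped byte regex; text between pipes is hex."""
    out = []
    for i, chunk in enumerate(content.split("|")):
        raw = bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
        out.append(re.escape(raw))
    return b"".join(out)


def parse_rule(line):
    """Return {'sid', 'msg', 'patterns'} for one alert rule, else None.
    patterns is a list of (compiled byte regex, depth or None) and every
    entry must match for the rule to fire (negated content is skipped)."""
    m = re.match(r"^\s*alert\b[^(]*\((.*)\)\s*$", line)
    if not m:
        return None
    rule = {"sid": None, "msg": "", "patterns": []}
    contents, pcres = [], []   # contents: [regex bytes, flags, depth]
    for opt in split_options(m.group(1)):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "content" and not val.startswith("!"):
            contents.append([content_to_regex(val.strip('"')), 0, None])
        elif key == "nocase" and contents:      # modifies the previous content
            contents[-1][1] |= re.IGNORECASE
        elif key == "depth" and contents:       # search only the first N bytes
            contents[-1][2] = int(val)
        elif key == "pcre":                     # "/pattern/flags"
            body = val.strip('"')
            cut = body.rfind("/")
            pattern, flags = body[1:cut], body[cut + 1:]
            f = (re.IGNORECASE if "i" in flags else 0) | \
                (re.DOTALL if "s" in flags else 0) | \
                (re.MULTILINE if "m" in flags else 0)
            pcres.append((re.compile(pattern.encode("latin-1"), f), None))
    rule["patterns"] = [(re.compile(p, fl), d) for p, fl, d in contents] + pcres
    return rule


def load_rules(text):
    parsed = (parse_rule(l) for l in text.splitlines())
    return [r for r in parsed if r and r["patterns"]]


def grep_body(body, rules, honor_depth=True):
    """Return the sids of rules whose patterns all match body. With
    honor_depth=False each content is searched over the whole body, which
    is what a naive rules-to-regex conversion does."""
    hits = []
    for rule in rules:
        for regex, depth in rule["patterns"]:
            haystack = body[:depth] if (honor_depth and depth) else body
            if not regex.search(haystack):
                break
        else:
            hits.append(rule["sid"])
    return hits


# Constructed HTTP response bodies.
PE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"
JS_BODY = b'<script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script>'
# A benign page that merely talks about PE headers: fires only without depth.
DOC_BODY = (b"<html><body><p>Every Windows executable starts with MZ and the "
            b'text "This program cannot be run in DOS mode".</p></body></html>')
RULES = load_rules(SAMPLE_RULES)
```

Calling `grep_body(PE_BODY, RULES)` returns `[1000001]` and `grep_body(JS_BODY, RULES)` returns `[1000002]`. The instructive case is `DOC_BODY`, a page that only quotes the DOS-stub string: with `depth:2` honoured it matches nothing, while `grep_body(DOC_BODY, RULES, honor_depth=False)` reports sid 1000001. Dropping positional modifiers is what turns a reasonably tight IDS signature into a false-positive-prone substring search, so a real grep plugin would either keep depth/offset/distance/within semantics or only import rules whose content options carry none of them.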