fix(proposals): specify correct stable falco version

Updated the stable Falco version from 0.43.0 to 0.42.1 in the deprecation policy section.

Signed-off-by: Leonardo Di Giovanna <41296180+ekoops@users.noreply.github.com>

.github/workflows/reusable_build_packages.yaml

@@ -344,6 +344,44 @@ jobs:
           path: |
             ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz
 
+  build-win32-package:
+    if: ${{ inputs.arch == 'x86_64' }}
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Install NSIS
+        run: choco install nsis -y
+
+      # NOTE: Backslash doesn't work as line continuation on Windows.
+      - name: Prepare project
+        run: |
+          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}
+
+      - name: Build project
+        run: |
+          cmake --build build --target package --config Release
+
+      - name: Run unit Tests
+        run: |
+          build/unit_tests/Release/falco_unit_tests.exe
+
+      - name: Upload Falco win32 installer
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-installer-Release-win32.exe
+          path: build/falco-*.exe
+
+      - name: Upload Falco win32 package
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: falco-Release-win32.exe
+          path: |
+            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe
+
   build-macos-package:
     if: ${{ inputs.arch == 'x86_64' }}
     runs-on: macos-latest

.github/workflows/reusable_publish_packages.yaml

@@ -82,6 +82,11 @@ jobs:
           GPG_KEY: ${{ secrets.GPG_KEY }}
         run: printenv GPG_KEY | gpg --import -
 
+      - name: Sign rpms
+        run: |
+          rpmsign --define '_gpg_name Falcosecurity Package Signing' --addsign /tmp/falco-build-rpm/falco-*.rpm
+          rpm -qp --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' /tmp/falco-build-rpm/falco-*.rpm
+
       - name: Publish wasm
         run: |
           ./scripts/publish-wasm -f /tmp/falco-wasm/falco-${{ inputs.version }}-wasm.tar.gz

CMakeLists.txt

@@ -288,12 +288,6 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
-	set(CONTAINER_VERSION "0.6.1")
-	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-		set(CONTAINER_HASH "008989992ed1f31b3ffb94ba6b64ca5a8e2f91611a10c9d6213c5c0a499d0679")
-	else() # arm64
-		set(CONTAINER_HASH "f90a700b4c2b411b23e7cc461b61a316b242994aad853c3e6baf12481fb6f6c9")
-	endif()
 	include(container_plugin)
 
 	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "9.1.0+driver")
+		set(DRIVER_VERSION "9e6a8ccd4e4f5796f45ad486decd00b4996129b7")
 		set(DRIVER_CHECKSUM
-			"SHA256=14cba5b610bf48cd0a0a94b1156ed86bfb552c7ed24b68b1028360fa3af18cbb"
+			"SHA256=87902814e29718529094b89ff2a3ddbd4ee7aa77da824d4acbaad0d863e04ce9"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.12.1")
+	set(FALCOCTL_VERSION "0.11.4")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "dca157ce150dff084479cfcebf2b4cee455a7d2c6473e189f3b159c74251f982")
+		set(FALCOCTL_HASH "8015cadcb4328abcbf140c3ca88031cd46426f7f3279d2802f0937ab1e41d66c")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "580833ecb0776ede67096ae2ac621ab78761454fdee7bffdeeed0889a45f24bd")
+		set(FALCOCTL_HASH "246874f1168abb7a8463509c6191ede460e5a2b8a39058ef5c4a17b67cb86c85")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "0.23.1")
+		set(FALCOSECURITY_LIBS_VERSION "9e6a8ccd4e4f5796f45ad486decd00b4996129b7")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=38c580626b072ed24518e8285a629923c8c4c6d6794b91b3b93474db7fd85cf7"
+			"SHA256=87902814e29718529094b89ff2a3ddbd4ee7aa77da824d4acbaad0d863e04ce9"
 		)
 	endif()
 

docker/driver-loader-buster/Dockerfile

@@ -17,12 +17,11 @@ LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc
 ARG TARGETARCH
 
 ARG VERSION_BUCKET=deb
-ARG HOST_ROOT=/host
-ARG HOME=/root
-ENV FALCO_VERSION="${FALCO_VERSION}" \
-    VERSION_BUCKET="${VERSION_BUCKET}" \
-    HOST_ROOT="${HOST_ROOT}" \
-    HOME="${HOME}"
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV HOST_ROOT=/host
+ENV HOME=/root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
@@ -137,6 +136,6 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 	&& dpkg -i *binutils*.deb \
 	&& rm -f *binutils*.deb
 
-COPY docker/driver-loader-buster/docker-entrypoint.sh /
+COPY ./docker/driver-loader-buster/docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]

docker/falco-debian/Dockerfile

@@ -15,15 +15,14 @@ LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
 
 ARG VERSION_BUCKET=deb
-ARG HOST_ROOT=/host
-ARG HOME=/root
 
-ENV FALCO_VERSION="${FALCO_VERSION}" \
-    VERSION_BUCKET="${VERSION_BUCKET}" \
-    HOST_ROOT="${HOST_ROOT}" \
-    HOME="${HOME}"
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
 
-RUN apt-get -y update && apt-get -y install curl jq ca-certificates gnupg2 \
+ENV HOST_ROOT=/host
+ENV HOME=/root
+
+RUN apt-get -y update && apt-get -y install ca-certificates curl jq ca-certificates gnupg2 \
 	&& apt clean -y && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
@@ -36,6 +35,6 @@ RUN curl -s https://falco.org/repo/falcosecurity-packages.asc | apt-key add - \
 	&& rm -rf /var/lib/apt/lists/*
 
 # Change the falco config within the container to enable ISO 8601 output.
-ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

docker/falco/Dockerfile

@@ -16,26 +16,22 @@ LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run
 # NOTE: for the "least privileged" use case, please refer to the official documentation
 
 ARG VERSION_BUCKET=bin
-ARG HOST_ROOT=/host
-ARG HOME=/root
 
-ENV FALCO_VERSION="${FALCO_VERSION}" \
-    VERSION_BUCKET="${VERSION_BUCKET}" \
-    HOST_ROOT="${HOST_ROOT}" \
-    HOME="${HOME}"
+ENV FALCO_VERSION=${FALCO_VERSION}
+ENV VERSION_BUCKET=${VERSION_BUCKET}
+ENV HOST_ROOT=/host
+ENV HOME=/root
 
 RUN apk update && apk add curl ca-certificates jq libstdc++
 
 WORKDIR /
 
-RUN ARCH=$(uname -m) && \
-    FALCO_VERSION_URLENCODED=$(echo -n "${FALCO_VERSION}" | jq -sRr @uri) && \
-    echo "Downloading Falco ${FALCO_VERSION} for ${ARCH}" && \
+RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
     curl -L -o falco.tar.gz \
-    https://download.falco.org/packages/${VERSION_BUCKET}/${ARCH}/falco-${FALCO_VERSION_URLENCODED}-${ARCH}.tar.gz && \
+    https://download.falco.org/packages/${VERSION_BUCKET}/$(uname -m)/falco-${FALCO_VERSION_URLENCODED}-$(uname -m).tar.gz && \
     tar -xvf falco.tar.gz && \
     rm -f falco.tar.gz && \
-    mv falco-${FALCO_VERSION}-${ARCH} falco && \
+    mv falco-${FALCO_VERSION}-$(uname -m) falco && \
     rm -rf /falco/usr/src/falco-* && \
     cp -r /falco/* / && \
     rm -rf /falco && \
@@ -43,6 +39,6 @@ RUN ARCH=$(uname -m) && \
 
 
 # Change the falco config within the container to enable ISO 8601 output.
-ADD config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
+ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
 CMD ["/usr/bin/falco"]

falco.yaml

@@ -70,9 +70,9 @@
 #     file_output [Stable]
 #     http_output [Stable]
 #     program_output [Stable]
-#     grpc_output [Deprecated]
+#     grpc_output [Stable]
 # Falco exposed services
-#     grpc [Deprecated]
+#     grpc [Stable]
 #     webserver [Stable]
 # Falco logging / alerting / metrics related to software functioning (basic)
 #     log_stderr [Stable]
@@ -282,14 +282,12 @@ rules_files:
 #
 # -- Falco supports different engines to generate events.
 # Choose the appropriate engine kind based on your system's configuration and requirements.
-# DEPRECATION NOTICE: the Legacy eBPF probe and the gVisor engine are currently deprecated. Consider using other
-# engines.
 #
 # Available engines:
 # - `kmod`: Kernel Module
-# - `ebpf`: Legacy eBPF probe (deprecated)
+# - `ebpf`: Legacy eBPF probe
 # - `modern_ebpf`: Modern eBPF (CO-RE eBPF probe)
-# - `gvisor`: gVisor sandbox (deprecated)
+# - `gvisor`: gVisor sandbox
 # - `replay`: Replay a scap trace file
 # - `nodriver`: No driver is injected into the system.
 #   This is useful to debug and to run plugins with 'syscall' source.
@@ -440,8 +438,7 @@ engine:
   kmod:
     buf_size_preset: 4
     drop_failed_exit: false
-  # -- Engine-specific configuration for Legacy eBPF (ebpf) engine. DEPRECATION NOTICE: the Legacy eBPF engine is
-  # deprecated.
+  # -- Engine-specific configuration for Legacy eBPF (ebpf) engine.
   ebpf:
     # -- Path to the elf file to load.
     probe: ${HOME}/.falco/falco-bpf.o
@@ -456,7 +453,7 @@ engine:
   replay:
     # -- Path to the capture file to replay (eg: /path/to/file.scap)
     capture_file: ""
-  # -- Engine-specific configuration for gVisor (gvisor) engine. DEPRECATION NOTICE: the gVisor engine is deprecated.
+  # -- Engine-specific configuration for gVisor (gvisor) engine.
   gvisor:
     # -- A Falco-compatible configuration file can be generated with
     # '--gvisor-generate-config' and utilized for both runsc and Falco.
@@ -801,7 +798,7 @@ append_output:
 # Falco outputs channels #
 ##########################
 
-# Falco supports various output channels, such as syslog, stdout, file, gRPC (deprecated),
+# Falco supports various output channels, such as syslog, stdout, file, gRPC,
 # webhook, and more. You can enable or disable these channels as needed to
 # control where Falco alerts and log messages are directed. This flexibility
 # allows seamless integration with your preferred logging and alerting systems.
@@ -897,14 +894,14 @@ program_output:
   # -- The program to execute.
   program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
 
-# [Deprecated] `grpc_output`
+# [Stable] `grpc_output`
 #
-# -- Use gRPC as an output service. DEPRECATION NOTICE: The gRPC output is deprecated. Consider using other outputs.
+# -- Use gRPC as an output service.
 #
 # gRPC is a modern and high-performance framework for remote procedure calls
 # (RPC). It utilizes protocol buffers for efficient data serialization. The gRPC
 # output in Falco provides a modern and efficient way to integrate with other
-# systems. By default, the setting is turned off. Enabling this option stores
+# systems. By default the setting is turned off. Enabling this option stores
 # output events in memory until they are consumed by a gRPC client. Ensure that
 # you have a consumer for the output events or leave it disabled.
 grpc_output:
@@ -915,10 +912,7 @@ grpc_output:
 # Falco exposed services #
 ##########################
 
-# [Deprecated] `grpc`
-#
-# -- A gRPC server (needed by the gRPC output). DEPRECATION NOTICE: The gRPC server is deprecated as a consequence of
-# the gRPC output deprecation.
+# [Stable] `grpc`
 #
 # Falco provides support for running a gRPC server using two main binding types:
 # 1. Over the network with mandatory mutual TLS authentication (mTLS), which

proposals/20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md

@@ -102,7 +102,7 @@ The deprecation of these components introduces user-facing changes that must be
 deprecation policy for "non-backward compatible user-facing changes" (see
 [20231220-features-adoption-and-deprecation.md#deprecation-policy](./20231220-features-adoption-and-deprecation.md#deprecation-policy)).
 
-All components are stable, and given that the current stable Falco version is `0.43.0` (ante `1.0.0`), the minimum
+All components are stable, and given that the current stable Falco version is `0.42.1` (ante `1.0.0`), the minimum
 deprecation period length is 1 release: this means that components cannot be removed before Falco `0.44.0`.
 
 At high level, the action plan is to inform users, during the deprecation period, about the deprecation: this is

scripts/publish-rpm

@@ -14,16 +14,6 @@ check_program() {
   fi
 }
 
-# Sign RPM packages with embedded GPG signature using rpmsign
-#
-# $@: paths of RPM files to sign.
-rpmsign_packages() {
-    echo "Signing RPM packages with rpmsign..."
-    rpmsign --define '_gpg_name Falcosecurity Package Signing' --resign "$@"
-    echo "Verifying RPM signatures..."
-    rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}: %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n' "$@"
-}
-
 # Updates the signature of a RPM package in the local repository
 #
 # $1: path of the repository.
@@ -137,8 +127,6 @@ fi
 check_program createrepo
 check_program gpg
 check_program aws
-check_program rpmsign
-check_program rpm
 
 # settings
 s3_bucket_repo="s3://falco-distribution/packages/${repo}"
@@ -152,32 +140,19 @@ aws s3 cp ${s3_bucket_repo} ${tmp_repo_path} --recursive
 
 # update signatures for all existing packages
 if [ "${sign_all}" ]; then
-  # collect all RPM files
-  rpm_files=()
   for file in ${tmp_repo_path}/*; do
-    if [ -f "$file" ] && [[ $file == *.rpm ]]; then
-      rpm_files+=("$file")
+    if [ -f "$file" ]; then # exclude directories, symlinks, etc...
+      if [[ ! $file == *.asc ]]; then # exclude signature files
+        package=$(basename -- ${file})
+        echo "Signing ${package}..."
+        sign_rpm ${tmp_repo_path} ${file}
+
+        echo "Syncing ${package}.asc to ${s3_bucket_repo}..."
+        aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
+      fi
     fi
   done
-
-  # sign all RPM packages with embedded GPG signature
-  if [ ${#rpm_files[@]} -gt 0 ]; then
-    rpmsign_packages "${rpm_files[@]}"
-  fi
-
-  # create detached signatures and upload
-  for file in "${rpm_files[@]}"; do
-    package=$(basename -- ${file})
-    echo "Creating detached signature for ${package}..."
-    sign_rpm ${tmp_repo_path} ${file}
-
-    echo "Syncing ${package} and ${package}.asc to ${s3_bucket_repo}..."
-    aws s3 cp ${tmp_repo_path}/${package} ${s3_bucket_repo}/${package} --acl public-read
-    aws s3 cp ${tmp_repo_path}/${package}.asc ${s3_bucket_repo}/${package}.asc --acl public-read
-  done
-  aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.rpm
   aws cloudfront create-invalidation --distribution-id ${AWS_CLOUDFRONT_DIST_ID} --paths ${cloudfront_path}/*.asc
-  update_repo ${tmp_repo_path}
   sign_repo ${tmp_repo_path}
 fi
 
@@ -186,9 +161,8 @@ if [[ ${repo} == "rpm-dev" ]]; then
   reduce_dir_size ${tmp_repo_path} 10 rpm
 fi
 
-# sign and add new packages to the repo
+# update the repo by adding new packages
 if ! [ ${#files[@]} -eq 0 ]; then
-  rpmsign_packages "${files[@]}"
   for file in "${files[@]}"; do
     echo "Adding ${file}..."
     add_rpm ${tmp_repo_path} ${file}

userspace/engine/rule_loader.h

@@ -215,8 +215,7 @@ struct deprecated_field_warning : warning {
 	        df(df) {}
 
 	std::string as_string() const override {
-		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df) +
-		       "'";
+		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df);
 	};
 	std::string description() const override {
 		return warning::description() + ": " + falco::load_result::deprecated_field_desc(df);

userspace/falco/configuration.cpp

@@ -254,12 +254,6 @@ void falco_configuration::load_engine_config(const std::string &config_name) {
 		                       driver_mode_str + "' is not a valid kind.");
 	}
 
-	if(m_engine_mode == engine_kind_t::EBPF || m_engine_mode == engine_kind_t::GVISOR) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "Using deprecated engine '" + driver_mode_str +
-		                          "'. Please consider switching to another engine.");
-	}
-
 	switch(m_engine_mode) {
 	case engine_kind_t::KMOD:
 		m_kmod.m_buf_size_preset = m_config.get_scalar<int16_t>("engine.kmod.buf_size_preset",
@@ -479,11 +473,6 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_grpc_enabled = m_config.get_scalar<bool>("grpc.enabled", false);
-	if(m_grpc_enabled) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "Using deprecated gRPC server (deprecated as consequence of gRPC output "
-		                  "deprecation).");
-	}
 	m_grpc_bind_address = m_config.get_scalar<std::string>("grpc.bind_address", "0.0.0.0:5060");
 	m_grpc_threadiness = m_config.get_scalar<uint32_t>("grpc.threadiness", 0);
 	if(m_grpc_threadiness == 0) {
@@ -499,13 +488,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 
 	falco::outputs::config grpc_output;
 	grpc_output.name = "grpc";
-	const auto grpc_output_enabled = m_config.get_scalar<bool>("grpc_output.enabled", true);
-	if(grpc_output_enabled) {
-		falco_logger::log(falco_logger::level::WARNING,
-		                  "Using deprecated gRPC output. Please consider using other outputs.");
-	}
 	// gRPC output is enabled only if gRPC server is enabled too
-	if(grpc_output_enabled && m_grpc_enabled) {
+	if(m_config.get_scalar<bool>("grpc_output.enabled", true) && m_grpc_enabled) {
 		m_outputs.push_back(grpc_output);
 	}
 

userspace/falco/outputs_program.cpp

@@ -16,22 +16,12 @@ limitations under the License.
 */
 
 #include "outputs_program.h"
-#include "logger.h"
 #include <stdio.h>
-#include <cerrno>
-#include <cstring>
 
 void falco::outputs::output_program::open_pfile() {
 	if(m_pfile == nullptr) {
 		m_pfile = popen(m_oc.options["program"].c_str(), "w");
 
-		if(m_pfile == nullptr) {
-			falco_logger::log(falco_logger::level::ERR,
-			                  "Failed to open program output: " + m_oc.options["program"] +
-			                          " (error: " + std::string(std::strerror(errno)) + ")");
-			return;
-		}
-
 		if(!m_buffered) {
 			setvbuf(m_pfile, NULL, _IONBF, 0);
 		}
@@ -41,9 +31,7 @@ void falco::outputs::output_program::open_pfile() {
 void falco::outputs::output_program::output(const message *msg) {
 	open_pfile();
 
-	if(m_pfile != nullptr) {
-		fprintf(m_pfile, "%s\n", msg->msg.c_str());
-	}
+	fprintf(m_pfile, "%s\n", msg->msg.c_str());
 
 	if(m_oc.options["keep_alive"] != "true") {
 		cleanup();

userspace/falco/outputs_program.h

@@ -32,7 +32,7 @@ class output_program : public abstract_output {
 private:
 	void open_pfile();
 
-	FILE *m_pfile = nullptr;
+	FILE *m_pfile;
 };
 
 }  // namespace outputs