fix(userspace/falco): correct default duration calculation

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

.github/workflows/reusable_build_packages.yaml

@@ -31,7 +31,7 @@ on:
         type: boolean
         default: false
 
-permissions:
+permissions:  
   contents: read
 
 jobs:
@@ -73,8 +73,8 @@ jobs:
 
       - name: Install systemd rpm macros
         run: |
-          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm
-          sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm
+          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-51.el9.noarch.rpm
+          sudo alien -d -i systemd-rpm-macros-252-51.el9.noarch.rpm
 
       - name: Checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

CHANGELOG.md

@@ -1,82 +1,5 @@
 # Change Log
 
-## v0.42.0
-
-Released on 2025-10-22
-
-
-### Major Changes
-
-* feat: add `falco_libs.thread_table_auto_purging_interval_s` and `thread_table_auto_purging_thread_timeout_s` configuration options [[#3670](https://github.com/falcosecurity/falco/pull/3670)] - [@ekoops](https://github.com/ekoops)
-* feat: log plugin version info at loading time [[#3657](https://github.com/falcosecurity/falco/pull/3657)] - [@FedeDP](https://github.com/FedeDP)
-* feat: ability to add statically defined fields via `static_fields` configuration [[#3557](https://github.com/falcosecurity/falco/pull/3557)] - [@FedeDP](https://github.com/FedeDP)
-* feat(engine): emit warning when a rule containing the `evt.dir` field in output is encountered [[#3697](https://github.com/falcosecurity/falco/pull/3697)] - [@irozzo-1A](https://github.com/irozzo-1A)
-* feat(engine): emit warning when a rule containing a condition on the deprecated `evt.dir` field is encountered [[#3690](https://github.com/falcosecurity/falco/pull/3690)] - [@irozzo-1A](https://github.com/irozzo-1A)
-* new: ability to record `.scap` files (capture feature) [[#3645](https://github.com/falcosecurity/falco/pull/3645)] - [@leogr](https://github.com/leogr)
-* new(docker): includes sha on the image labels [[#3658](https://github.com/falcosecurity/falco/pull/3658)] - [@jcchavezs](https://github.com/jcchavezs)
-* new(cmake,userspace,ci): add mimalloc support [[#3616](https://github.com/falcosecurity/falco/pull/3616)] - [@FedeDP](https://github.com/FedeDP)
-
-
-### Minor Changes
-
-* docs(falco.yaml): refactor config documentation [[#3685](https://github.com/falcosecurity/falco/pull/3685)] - [@leogr](https://github.com/leogr)
-* build: fix `debian:buster` apt debian repo URL in `:driver-loader-buster` container image [[#3644](https://github.com/falcosecurity/falco/pull/3644)] - [@ekoops](https://github.com/ekoops)
-* build: updagrade libs to version 0.22.1 [[#3705](https://github.com/falcosecurity/falco/pull/3705)] - [@irozzo-1A](https://github.com/irozzo-1A)
-* build: upgrade drivers to v9.0.0+driver [[#3701](https://github.com/falcosecurity/falco/pull/3701)] - [@irozzo-1A](https://github.com/irozzo-1A)
-* build: upgrade cpp-httplib to v0.23.1 [[#3647](https://github.com/falcosecurity/falco/pull/3647)] - [@FedeDP](https://github.com/FedeDP)
-* update: upgrade default ruleset to v5.0.0 [[#3700](https://github.com/falcosecurity/falco/pull/3700)] - [@leogr](https://github.com/leogr)
-* build: upgrade `falcoctl` to v0.11.4 [[#3694](https://github.com/falcosecurity/falco/pull/3694)] - [@leogr](https://github.com/leogr)
-* chore(prometheus): deprecate enter events drop stats [[#3675](https://github.com/falcosecurity/falco/pull/3675)] - [@irozzo-1A](https://github.com/irozzo-1A)
-
-
-### Bug Fixes
-
-* fix(cmake): correct abseil-cpp for alpine build [[#3598](https://github.com/falcosecurity/falco/pull/3598)] - [@RomanenkoDenys](https://github.com/RomanenkoDenys)
-* fix: enable handling of multiple actions configured with `syscall_event_drops.actions` [[#3676](https://github.com/falcosecurity/falco/pull/3676)] - [@terror96](https://github.com/terror96)
-* fix: disable dry-run restarts when Falco runs with config-watching disabled [[#3640](https://github.com/falcosecurity/falco/pull/3640)] - [@Proximyst](https://github.com/Proximyst)
-
-
-
-### Non user-facing changes
-
-* fix(userspace/falco): correct default duration calculation [[#3715](https://github.com/falcosecurity/falco/pull/3715)] - [@leogr](https://github.com/leogr)
-* chore(falcoctl): update falco rules to version 5 [[#3712](https://github.com/falcosecurity/falco/pull/3712)] - [@irozzo-1A](https://github.com/irozzo-1A)
-* doc(OWNERS): move incertum (Melissa Kilby) to emeritus_approvers [[#3605](https://github.com/falcosecurity/falco/pull/3605)] - [@incertum](https://github.com/incertum)
-* update(cmake): update libs and driver to latest master [[#3689](https://github.com/falcosecurity/falco/pull/3689)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* chore(docker): use new `ENV` syntax in place of deprecated one [[#3696](https://github.com/falcosecurity/falco/pull/3696)] - [@ekoops](https://github.com/ekoops)
-* chore(cmake/modules): update rules to 5.0.0-rc1 [[#3698](https://github.com/falcosecurity/falco/pull/3698)] - [@leogr](https://github.com/leogr)
-* fix(userspace/engine): fix logger date format [[#3672](https://github.com/falcosecurity/falco/pull/3672)] - [@ekoops](https://github.com/ekoops)
-* docs(OWNERS): add `ekoops`(Leonardo Di Giovanna) as approver [[#3688](https://github.com/falcosecurity/falco/pull/3688)] - [@ekoops](https://github.com/ekoops)
-* update(cmake): update libs and driver to latest master [[#3665](https://github.com/falcosecurity/falco/pull/3665)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* Refactor: cppcheck cleanups [[#3649](https://github.com/falcosecurity/falco/pull/3649)] - [@sgaist](https://github.com/sgaist)
-* update(userspace/engine): update falco engine version and checksum [[#3648](https://github.com/falcosecurity/falco/pull/3648)] - [@ekoops](https://github.com/ekoops)
-* update(cmake): update libs and driver to latest master [[#3662](https://github.com/falcosecurity/falco/pull/3662)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* update(cmake): update libs and driver to latest master [[#3661](https://github.com/falcosecurity/falco/pull/3661)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* update(cmake): update libs and driver to latest master [[#3653](https://github.com/falcosecurity/falco/pull/3653)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* chore(ci): disable mimalloc for master builds. [[#3655](https://github.com/falcosecurity/falco/pull/3655)] - [@FedeDP](https://github.com/FedeDP)
-* chore(deps): Bump submodules/falcosecurity-rules from `1208816` to `be38001` [[#3651](https://github.com/falcosecurity/falco/pull/3651)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* docs(falco.yaml): avoid out-of-sync config options for `container` pl… [[#3650](https://github.com/falcosecurity/falco/pull/3650)] - [@leogr](https://github.com/leogr)
-* update(cmake): update libs and driver to latest master [[#3636](https://github.com/falcosecurity/falco/pull/3636)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* update(CHANGELOG.md): release 0.41.3 (cherry-pick) [[#3634](https://github.com/falcosecurity/falco/pull/3634)] - [@ekoops](https://github.com/ekoops)
-* update(cmake): update libs and driver to latest master [[#3628](https://github.com/falcosecurity/falco/pull/3628)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* update(CHANGELOG.md): release 0.41.2 (cherry-pick) [[#3623](https://github.com/falcosecurity/falco/pull/3623)] - [@ekoops](https://github.com/ekoops)
-* update(cmake): update libs and driver to latest master [[#3618](https://github.com/falcosecurity/falco/pull/3618)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* update(cmake): update libs and driver to latest master [[#3602](https://github.com/falcosecurity/falco/pull/3602)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* chore(falco.yaml): clean up plugins config leftover [[#3596](https://github.com/falcosecurity/falco/pull/3596)] - [@leogr](https://github.com/leogr)
-* chore(deps): Bump submodules/falcosecurity-rules from `b4437c4` to `4d51b18` [[#3607](https://github.com/falcosecurity/falco/pull/3607)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-* update(docs): cherry pick CHANGELOG. [[#3600](https://github.com/falcosecurity/falco/pull/3600)] - [@FedeDP](https://github.com/FedeDP)
-* update(cmake): update libs and driver to latest master [[#3592](https://github.com/falcosecurity/falco/pull/3592)] - [@github-actions[bot]](https://github.com/apps/github-actions)
-* update(docs): bumped changelog for release 0.41.0, master sync [[#3586](https://github.com/falcosecurity/falco/pull/3586)] - [@FedeDP](https://github.com/FedeDP)
-* chore(deps): Bump submodules/falcosecurity-rules from `cb17833` to `b4437c4` [[#3578](https://github.com/falcosecurity/falco/pull/3578)] - [@dependabot[bot]](https://github.com/apps/dependabot)
-
-### Statistics
-
-|   MERGED PRS    | NUMBER |
-|-----------------|--------|
-| Not user-facing |     29 |
-| Release note    |     23 |
-| Total           |     52 |
-
 ## v0.41.3
 
 Released on 2025-07-01

RELEASE.md

@@ -87,10 +87,10 @@ Before proceeding with the release, make sure to complete the following preparat
 - Double-check, by using the following filters, if there is any closed issue/merge PR with no milestone assigned:
   - `is:issue state:closed no:milestone closed:>YYYY-MM-DD`
     [filter](https://github.com/falcosecurity/falco/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone%20closed%3A%3EYYYY-MM-DD)
-  - `is:pr is:merged no:milestone closed:>YYYY-MM-DD`
+  - `is:pr state:closed no:milestone closed:>YYYY-MM-DD`
     [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD)
 - Assign any issue/PR identified in the previous point to the milestone corresponding to the currently undergoing release
-- Check the release note block of every PR matching the `is:pr is:merged milestone:M.m.p` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+milestone%3AM.m.p)
+- Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
 
@@ -116,7 +116,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` updates itself automatically
 - Generate the change log using [rn2md](https://github.com/leodido/rn2md):
-    - Execute `rn2md -r falcosecurity/falco -m M.m.p`
+    - Execute `rn2md -r falcosecurity/falco -m M.m.p -b release/M.m.x`
     - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
@@ -129,18 +129,16 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
 Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
 is live for development and testing purposes.
 
-The pre-release must be associated with a newly created tag. The tag is intended to be created while drafting the new pre-release through the GitHub form (this is indeed the only way to correctly associate the tag with a target branch; more on this below).
-The pre-release tag must be formatted as `M.m.p-r`, where `r` is the pre-release version information (e.g. `0.35.0-rc1`).
+The prerelease tag must be formatted as `M.m.p-r` where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
 
-To create both pre-release tag and pre-release, do the following:
+To do so:
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
-- Use `M.m.p-r` both as tag version and release title
-- Associate `release/M.m.x` as "target branch" for the new tag
+- Use `M.m.p-r` both as tag version and release title.
 - Check the "Set as a pre-release" checkbox and make sure "Set as the latest release" is unchecked
 - It is recommended to add a brief description so that other contributors will understand the reason why the prerelease is published
 - Publish the prerelease!
-- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag
+- The release pipeline will start automatically. Packages will be uploaded to the `-dev` bucket and container images will be tagged with the specified tag.
 
 In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.
 
@@ -152,7 +150,6 @@ Assume `M.m.p` is the new version.
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `M.m.p` both as tag version and release title
-- Associate `release/M.m.x` as "target branch" for the new tag
 - Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
 - Publish the release!
 - The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.

cmake/cpack/debian/conffiles

@@ -1,3 +1,3 @@
 /etc/falco/falco.yaml
+/etc/falco/falcoctl.yaml
 /etc/falco/falco_rules.local.yaml
-/etc/falcoctl/falcoctl.yaml

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "9e6a8ccd4e4f5796f45ad486decd00b4996129b7")
+		set(DRIVER_VERSION "9.0.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=87902814e29718529094b89ff2a3ddbd4ee7aa77da824d4acbaad0d863e04ce9"
+			"SHA256=ef563fe19f9cdbdfcf17cee3e83c79e8387b78a87e0593eb3e2787c9b8540113"
 		)
 	endif()
 

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "9e6a8ccd4e4f5796f45ad486decd00b4996129b7")
+		set(FALCOSECURITY_LIBS_VERSION "0.22.1")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=87902814e29718529094b89ff2a3ddbd4ee7aa77da824d4acbaad0d863e04ce9"
+			"SHA256=12fe0a85c77eecda8b3cd8e192fe4c0dde37e4d9b938d27e9d3433728beca67b"
 		)
 	endif()
 

docker/falco/Dockerfile

@@ -34,11 +34,12 @@ RUN FALCO_VERSION_URLENCODED=$(echo -n ${FALCO_VERSION}|jq -sRr @uri) && \
     mv falco-${FALCO_VERSION}-$(uname -m) falco && \
     rm -rf /falco/usr/src/falco-* && \
     cp -r /falco/* / && \
-    rm -rf /falco && \
-    rm -rf /usr/bin/falcoctl /etc/falcoctl/
-
+    rm -rf /falco
 
 # Change the falco config within the container to enable ISO 8601 output.
 ADD ./config/falco.iso8601_timeformat.yaml /etc/falco/config.d/
 
+# Falcoctl is not included here.
+RUN rm -rf /usr/bin/falcoctl /etc/falcoctl/
+
 CMD ["/usr/bin/falco"]

proposals/20251215-legacy-bpf-grpc-output-gvisor-engine-deprecation.md

@@ -1,127 +0,0 @@
-# Legacy eBPF probe, gVisor libscap engine and gRPC output deprecations
-
-## Summary
-
-This proposal aims to formalize motivations and procedures for deprecating the legacy eBPF probe, the gRPC output and
-the gVisor libscap engine.
-
-One of the key objectives of Falco is to maintain a seamless user experience, regardless of the system call event source
-actually used. This objective imposes strong requirements among all drivers and engines acting as system call source
-(i.e.: gVisor libscap engine), feature parity, among each other, above all. Feature parity raises challenges from both
-technical and maintainability perspectives, and these challenges are not justified if the driver/engine is no/little
-used. For these reasons, this document aims for raising consensus regarding the legacy eBPF probe and gRPC output
-deprecation.
-
-Similar arguments could be raised in favor of the gRPC output deprecation: this output requires dependency on the
-gRPC framework, that introduces a non-negligible build time overhead and maintainability burden (especially in a C++
-codebase), not justified by the little usage of the output.
-
-Upcoming evidences of non-negligible use of the gVisor engine and the gRPC output could be addressed by providing a
-separate source plugin in case of gVisor, and a Falco Sidekick output as a replacement of the gRPC output.
-
-## Motivation
-
-### Legacy eBPF probe deprecation
-
-The following matrix details the current minimum kernel version officially supported by each driver, for each
-architecture:
-
-|             | Kernel module                                                                                | legacy eBPF probe                                                                           | Modern eBPF probe | Status |
-| ----------- |----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------| ----------------- | ------ |
-| **x86_64**  | >= 3.10                                                                                        | >= 4.14                                                                                     | >= 5.8            | _STABLE_ |
-| **aarch64** | >= [3.16](https://github.com/torvalds/linux/commit/055b1212d141f1f398fca548f8147787c0b6253f) | >= 4.17                                                                                     | >= 5.8            | _STABLE_ |
-| **s390x**   | >= 3.10                                                                                        | >= [5.5](https://github.com/torvalds/linux/commit/6ae08ae3dea)                              | >= 5.8            | _EXPERIMENTAL_ |
-| **riscv64** | >= [5.0](https://github.com/torvalds/linux/commit/5aeb1b36cedd3a1dfdbfe368629fed52dee34103)  | N/A                                                                                         | N/A               | _EXPERIMENTAL_ |
-| **ppc64le** | >= 3.10                                                                                        | >= [5.1](https://github.com/torvalds/linux/commit/ed1cd6deb013a11959d17a94e35ce159197632da) | >= 5.8               | _STABLE_ |
-
-The legacy eBPF probe strives to provide a little more coverage than the modern eBPF one. This increased coverage comes
-at cost of flexibility and maintainability. Indeed:
-1. it cannot leverage CORE eBPF features - as a result, falcosecurity must maintain a great number of officially
-supported eBPF objects, each one built for a specific officially-supported kernel flavor; this increases the
-maintainability burden and makes the system less flexible to kernel configurations/structures changes
-2. old kernel versions support is difficult to retain - the verifier imposes huge limitations on old kernel versions,
-and any tiny change easily result in the verifier rejecting the code
-3. it is difficult to keep it up to date with other drivers - some desired features cannot be implemented in any way
-using eBPF on old kernel flavors, due to lack of eBPF helpers/program types or verifier limitations (e.g.: there is no
-way of implementing a synchronous data harvesting mechanism like the one provided by BPF iterators). As falcosecurity
-strives for feature parity among drivers, this imposes a big limitation on the other drivers. Please notice that:
-   1. the kernel module is unconstrained on the nature of feature it can support
-   2. the modern eBPF probe can easily rely on CORE features to probe for kernel features and use them if available
-
-Besides the above, the legacy eBPF probe provides support for a range of versions that is entirely contained by the
-kernel module supported range. Additionally, different distro kernel flavors already back-port features required by the
-modern eBPF, enabling its usage on kernel older than `5.8`.
-
-The above considerations, together with the evidence of its little usage, make the legacy eBPF probe a good candidate
-for deprecation.
-
-### gVisor libscap engine deprecation
-
-gVisor libscap engine implements a system call event source by leveraging events coming from gVisor itself through gRPC.
-
-There is evidence that this engine is little used. Moreover, gVisor doesn't provide all information required to build
-all supported event types, indeed resulting in a system call source not completely equivalent to the ones provided by
-drivers. Finally, it requires `falcosecurity/libs` being dependent on protobuf, this latter introducing a non-negligible
-build time overhead and maintainability burden.
-
-Deprecating it would allow to streamline system call event sources alignment, maintainability, and reduce build time for
-both `falcosecurity/falco` and `falcosecurity/libs`.
-
-### gRPC output deprecation
-
-The gRPC output provides a mechanism through which a gRPC client can subscribe to the Falco alerts stream. This output
-leverages a gRPC server embedded into Falco.
-
-As for the legacy eBPF probe and the gVisor libscap engine, there is evidence that this output is little used. Also,
-similarly to the gVisor libscap engine, this requires Falco being dependent on the protobuf, and additionally, on the
-entire C++ gRPC framework. Finally, the little amount of data that is sent through the gRPC stream, and the
-communication model (only involving a one-way communication from the server to the client) doesn't justify the need of
-using gRPC.
-
-Deprecating it would allow to reduce the build system, streamline maintainability, and reduce build time for
-`falcosecurity/falco`.
-
-## Goals
-
-* Deprecate the legacy eBPF probe, the gVisor libscap engine, and the gRPC output
-* Detail a plan to follow during the deprecation period, before completely remove any of the aforementioned components
-
-## Non-goals
-
-* Implement a gVisor source plugin as gVisor libscap engine alternative
-* Implement the gRPC output as Falco Sidekick output
-* Detail a plan to follow after taking the decision to completely remove any of the aforementioned components
-
-## The plan
-
-This section aims to detail the plan to follow contextually and after the deprecation mark, but before taking any
-definitive removal decision about the legacy eBPF probe, the gVisor libscap engine, and the gRPC output (collectively
-referred to hereinafter as "the components" or simply "components").
-
-The deprecation of these components introduces user-facing changes that must be addressed as prescribed by the current
-deprecation policy for "non-backward compatible user-facing changes" (see
-[20231220-features-adoption-and-deprecation.md#deprecation-policy](./20231220-features-adoption-and-deprecation.md#deprecation-policy)).
-
-All components are stable, and given that the current stable Falco version is `0.42.1` (ante `1.0.0`), the minimum
-deprecation period length is 1 release: this means that components cannot be removed before Falco `0.44.0`.
-
-At high level, the action plan is to inform users, during the deprecation period, about the deprecation: this is
-achieved by emitting a deprecation notice if the user try to leverage any of the feature exposed by any component, and
-by updating the website in any of the relevant areas.
-
-During the deprecation period, but before taking decision to remove the components, projects belonging to the
-`falcosecurity` organization will be updated to not use/rely on any of these. Specifically:
-- on `falcosecurity/libs`, any CI job building and testing the legacy eBPF probe will be removed
-- on `falcosecurity/kernel-testing`, playbooks will not build and test the legacy eBPF probe anymore
-- on `falcosecurity/event-generator`, the internal gRPC alert retriever will be replaced with an HTTP alert retriever,
-leveraging the existing HTTP output.
-
-## The non-plan
-
-This proposal does not address any design or implementation aspect of the gVisor engine and gRPC output replacement, nor
-formalizes in any way the conditions under which a replacement should be delivered. Upcoming evidences of non-negligible
-use of the gVisor engine and the gRPC output may be addressed by providing a separate source plugin in case of gVisor,
-and a Falco Sidekick output as a replacement of the gRPC output, but these latter possibilities should be intended as
-suggestions, and will not constraint in any way any related future choice.
-
-Finally, this proposal doesn't detail any aspect of the eventual removal.

scripts/falcoctl/falcoctl.yaml.in

@@ -7,7 +7,7 @@ driver:
     hostroot: "/"
 artifact:
   follow:
-    every: 168h0m0s
+    every: 6h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
     - falco-rules:5

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 58
+#define FALCO_ENGINE_VERSION_MINOR 57
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "952fa3356bfd266419810be51ae659eab48093a66da26fff3897022a9de2c08c"
+#define FALCO_ENGINE_CHECKSUM "fc2c6a925b4f7d59efd79f752ff5db2460e778ec00788213c5b7292e0a80586f"

userspace/engine/falco_load_result.cpp

@@ -143,12 +143,7 @@ const std::string& falco::load_result::warning_desc(warning_code wc) {
 	return warning_descs[static_cast<int>(wc)];
 }
 
-static const std::string deprecated_fields[] = {"evt.dir",
-                                                "evt.latency",
-                                                "evt.latency.s",
-                                                "evt.latency.ns",
-                                                "evt.latency.human",
-                                                "evt.wait_latency"};
+static const std::string deprecated_fields[] = {"evt.dir"};
 
 // Compile-time check to ensure deprecated_fields array has the correct size
 static_assert(
@@ -160,19 +155,10 @@ const std::string& falco::load_result::deprecated_field_str(deprecated_field df)
 	return deprecated_fields[static_cast<int>(df)];
 }
 
-// Shared description suffix for latency fields
-static const std::string latency_field_desc_suffix =
-        "field is not available due to the drop of enter events.";
-
 static const std::string deprecated_field_descs[] = {
         "due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = "
         ">' always evaluates to false. The rule expression can be simplified by removing the "
-        "condition on 'evt.dir'",
-        latency_field_desc_suffix,
-        latency_field_desc_suffix,
-        latency_field_desc_suffix,
-        latency_field_desc_suffix,
-        latency_field_desc_suffix};
+        "condition on 'evt.dir'"};
 
 // Compile-time check to ensure deprecated_field_descs array has the correct size
 static_assert(

userspace/engine/falco_load_result.h

@@ -75,15 +75,7 @@ public:
 	// impact.
 	static const std::string& warning_desc(warning_code ec);
 
-	enum class deprecated_field {
-		DEPRECATED_FIELD_EVT_DIR,
-		DEPRECATED_FIELD_EVT_LATENCY,
-		DEPRECATED_FIELD_EVT_LATENCY_S,
-		DEPRECATED_FIELD_EVT_LATENCY_NS,
-		DEPRECATED_FIELD_EVT_LATENCY_HUMAN,
-		DEPRECATED_FIELD_EVT_WAIT_LATENCY,
-		DEPRECATED_FIELD_NOT_FOUND
-	};
+	enum class deprecated_field { DEPRECATED_FIELD_EVT_DIR, DEPRECATED_FIELD_NOT_FOUND };
 
 	// The deprecated field as a string
 	static const std::string& deprecated_field_str(deprecated_field df);

userspace/engine/rule_loader.h

@@ -215,7 +215,8 @@ struct deprecated_field_warning : warning {
 	        df(df) {}
 
 	std::string as_string() const override {
-		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df);
+		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df) +
+		       "' is deprecated";
 	};
 	std::string description() const override {
 		return warning::description() + ": " + falco::load_result::deprecated_field_desc(df);

userspace/falco/falco_metrics.cpp

@@ -150,15 +150,13 @@ std::string falco_metrics::falco_to_text_prometheus(
 	// # HELP falcosecurity_falco_outputs_queue_num_drops_total https://falco.org/docs/metrics/
 	// # TYPE falcosecurity_falco_outputs_queue_num_drops_total counter
 	// falcosecurity_falco_outputs_queue_num_drops_total 0
-	if(state.outputs != nullptr) {
-		additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-		        "outputs_queue_num_drops",
-		        METRICS_V2_MISC,
-		        METRIC_VALUE_TYPE_U64,
-		        METRIC_VALUE_UNIT_COUNT,
-		        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-		        state.outputs->get_outputs_queue_num_drops()));
-	}
+	additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+	        "outputs_queue_num_drops",
+	        METRICS_V2_MISC,
+	        METRIC_VALUE_TYPE_U64,
+	        METRIC_VALUE_UNIT_COUNT,
+	        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+	        state.outputs->get_outputs_queue_num_drops()));
 
 	// # HELP falcosecurity_falco_reload_timestamp_nanoseconds https://falco.org/docs/metrics/
 	// # TYPE falcosecurity_falco_reload_timestamp_nanoseconds gauge