the osquery shell does not use the watchdog by default, so it will not cause problems in that case

I think that deploying extensions is not a big issue; we had a cool PR that makes packaging configurable

a malware killing an extension might as well just kill osquery itself, so I don't think it changes much whether it's in core or not

another advantage in implementing this in an extension is that your table won't get killed if osquery misbehave; the worker will just restart and your extension will connect back to it

@alessandrogario merged the BPF changes in, and that was a thing we wanted to try to get out. How’s m1 support? Should I cut 5.1 today, or do folks want to wait? (@Mike Myers)

Speaking of which, we were vaguely holding, since I think @Stefano Bonicatti was going to look at one of the packaging PRs relating to linux symlinks?

Skimming that PR, it looks fine. Thoguh it feels weird having the destination set that way. But 🤷 I try not to get into the cmake weeds. Do you want to thumb and merge? Should I? (I am vigorously deferring to you here)

Hrm. Before I cut this release… I’m seeing some odd hangs on my mac 😞

I guess we’re aiming for another release this year, so I think there’s no point to holding this. I’ll cut a release now, and fill in release notes laterz

Who runs the osquery Twitter account? This could use a response: https://twitter.com/wifitoaster2/status/1470808511152017408 ( I tried logging in to do it myself with the creds in 1Password but I need a 2FA code)

I cut https://github.com/osquery/osquery/releases/tag/5.2.0 but builds don't seem to have worked. Probably cmake stuff. I'll see if I can make progress,

Hey friends! Sorry I've largely been offline of late. We had another baby and I've disappeared into parental leave. That said, I'm back now, I missed today's office hours due to some meeting conflicts, but wanted to check in on the paid Slack situation. Has that been resolved? Is there anything I can do to help?

I've also noticed a couple releases shipped out, and that we're quite a bit behind with Chocolatey releases. I'll see what I can do to get those builds shipped this week, apologies for my absence!

We can restrict it on a service level in the OS, but haven’t found a way to limit it properly in osquery.

Hrm. I wonder what correct is. I understand that in this case moving to sigkill makes more sense. But what is the flip side? Does that make it more likely to corrupt the local db?

@Stefano Bonicatti I think I’m ready to cut 5.2.2. Do you want to try to come to resolution on #7474 before?

Any thumbs for https://github.com/osquery/osquery-site/pull/238

Hi all, I am not sure if this is the best channel for this, but i have opened this ticket a few days ago: https://github.com/osquery/osquery/issues/7494 . I would like to get your point of view on the criticality of those vulnerabilities and if you think they qualify to get a new release with those dependencies upgraded. Reading on the ASSURANCE.md document, i read that some of the vulnerabilities may not affect osquery for one or other reason but i am not smart enough to understand when they do or they not. The fact is that our tool (we are using SNYK) reports back 4 CRITICAL and 21 HIGH vulnerabilities which does not look really good. If they are so, would you be open to release a new osquery version sooner with those dependecies upgraded? Thanks!

Removing freebsd intructions. https://github.com/osquery/osquery-site/pull/242

Is there a way to search a directory for a specific file extension? ex:

SELECT path FROM file WHERE path LIKE 'C:\Windows\Prefetch\%\%.db';

I’m seeing occasional messages

Refusing to register duplicate extension

which don’t make a lot of sense given what I know of my startup flow. Anyone happen to know if the registry it’s using is somehow persisted across restarts?

Can we package osquery extensions inside the the orbit packages [rpm,pkg,exe]?

Hey friends! I received a nice call from digicert that my authenticode code signing certificate is going to expire in about 20 some odd days. I hadn't planned on renewing this cert, as it's ~$500 and I don't think work will expense it for me any longer. Did we have any plans on the future of the signing certificate?

Hi, I'm interested working on this issue: https://github.com/osquery/osquery/issues/7463. I'm wondering If it's a way fetching the data from other way in order to support more distributions. I found that i can execute the following command line: "lldpctl -f xml". The output of this command is backward/forward-compatibility and the information is enough to generate 'lldp_neighbors'. I'm wondering if it's right/valid to generate table with this way?

Hey gang, just quick FYI - I've got my updated code signing certificate, going to do a couple test build/signs tonight then will be updating our secrets flow to ensure that we're all set for the next release.

Ok, verified that the signatures work as expected locally, I've updated the secrets for our build process, so we should be all set for the next release.

The last issue on the 5.3 milestone is complete, and this is a security-related release, so can we begin by tagging a pre-release and get moving on the release? https://github.com/osquery/osquery/milestone/61

How close is https://github.com/osquery/osquery/pull/7549 ?

I’d be in favor of cutting a 5.3 whenever!

After discussion, we cut a 5.2.3 release. https://github.com/osquery/osquery/releases/5.2.3 exists. Take a look folks!