Hi,

We've been using the OWASP CRS successfully in production for many years and we're very happy with it!

Now I have some questions for the mailing list ;-)

1) version numbering:

We're using Debian squeeze in production (for sure, wheezy migration is in progress). Our IT guidelines say that we have to use the oldstable packages (no backports), so we're running:

libapache-mod-security 2.5.12-1+squeeze3

That means we can't use the latest CRS 2.2.9 and unfortunately just the "old" 2.2.5. First I spent some minutes to figure out why the 2.2.9 CRS isn't running on our infrastructure. (thx google)

Now I'm a little bit confused about the version numbering: Normally I don't expect breaking changes in 2.2.x version updates. I think it would be better to make a new 2.3 version:

CRS 2.3.x <==> modsecurity >= 2.6.x
CRS 2.2.x <==> modsecurity 2.5 and older

For sure, you can't change that anymore. But maybe it would help to create an official wiki page with a compatibility list?

2) stable and latest branch:

If I download / clone the CRS from GitHub, I always get the latest version with the newest bugfixes like:
https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/7c0f59e1fd438a457529e754381ee1b2c248cc50 (master branch)

For sure, OWASP is interested in getting the most users on the latest rules, but I'm interested in using the most stable version :-) So I would be very happy if there were 2 branches (and I'm sure many other sysadmins also):

* latest (always with the latest commits)
* stable (stable...)

3) git tags

Is there a concept for the tags and GitHub? Or did you forget to create the 2.2.9 tag?

cheers,
Kevin
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set