Hi,

We've been using the OWASP CRS successfully in production for many years and
we're very happy with it!

Now I have some questions for the mailing list ;-)

1) version numbering:

We're using Debian squeeze in production (for sure, the wheezy migration is in
progress).
Our IT guidelines say that we have to use the oldstable packages (no
backports),
so we're running: libapache-mod-security 2.5.12-1+squeeze3
That means we can't use the latest CRS 2.2.9, and unfortunately just the
"old" 2.2.5.

First I spent some minutes figuring out why the 2.2.9 CRS isn't running on
our infrastructure (thanks, Google). Now I'm a little bit confused about the
version numbering:
Normally I don't expect breaking changes in 2.2.x version updates.
I think it would be better to make a new 2.3 version:

CRS 2.3.x <==> modsecurity >= 2.6.x
CRS 2.2.x <==> modsecurity 2.5 and older

For sure, you can't change that anymore.
But maybe it would help to create an official wiki page with a
compatibility list?

2) stable and latest branch:

If I download / clone the CRS from GitHub, I always get the latest version
with the newest bugfixes like:
https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/7c0f59e1fd438a457529e754381ee1b2c248cc50
(master branch)

For sure, OWASP is interested in getting the most users on the latest rules,
but I'm interested in using the most stable version :-)
So I would be very happy if there were 2 branches (and I'm sure many other
sysadmins would be too):

* latest (always with the latest commits)
* stable (stable...)

3) git tags

Is there a concept for the tags and GitHub?
Or did you forget to create the 2.2.9 tag?

Cheers,
Kevin
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
