Thank you all for your answers. I will keep you updated. Thanks!

On Sun, Mar 6, 2016 at 8:28 AM, Christian Folini <christian.fol...@netnea.com> wrote:

> Hi there,
>
> On Sat, Mar 05, 2016 at 10:28:44PM +0100, Walter Hop wrote:
> > Though we can commit now, I propose for now to work in separate branches
> > and request a code review from another person before merging to the master
> > branch. So ideal workflow: Github issue -> discuss -> pull request -> code
> > review -> merge to master.
>
> I like that as a best practice. Let's put this into the OWASP
> wiki as development guideline. I would not make it a formal requirement
> though, but something like 90% of commits should go that way.
> (There are always reasons to shortcut a process and barring that
> path takes away flexibility. We just have to make sure there
> are actually good reasons in these cases).
>
> > I see that Christian has already started tackling some reported issues
> > on Github, which is awesome! At some point we should make an effort to go
> > over the old issues too.
>
> I closed one or two of the old ones. It would be nice if we could
> make this a community effort.
>
> Everybody can go out and look at the open issues.
> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues
>
> Many of them are really simple like misinterpretations of what the
> core rules are or lack of knowledge by the reporter to make a false
> positive disappear. Anybody can give the necessary infos to the
> reporter. If you want to have the issue closed afterwards, just
> drop me or Chaim or Walter a line.
>
> Other issues are harder and demand a bit of testing or adjustment
> of rules. If anybody has suggestions or ideas, adding to the
> conversation on github and reporting here on the ML seems like
> a good practice. We can then examine the proposed solution.
>
> In the end, I think a community should keep a low number of
> open issues. It looks much more welcoming that way.
>
> > Lots of them are about old CRS rules which are now gone in CRS v3. After
> > the paranoid project has settled down, we’ll know for sure which rules are
> > staying. I assume that CRS v2 will no longer get updates unless in
> > exceptional cases? If so, we can communicate that. So I’ll keep this as a
> > todo for after the paranoid rules are known.
>
> Yep.
>
> Cheers,
>
> Christian
>
>
> --
> Ultimately, motivation gets us started,
> but discipline and habit are what enable us to finish.
> -- Matthew Helmke
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>