[Modsecurity] Sorry for the delays - update still coming

[Mike Cardwell]

Michael Shinn wrote:
> We are working out some neat new features, due to a whole new attack
> vector we ran into the other day and want to make sure its good to go
> for the rules.
> 
> Is anyone using 2.5 yet?  We have been working on a massive rewrite
> built around 2.5, but I'd like to get a sense of what everyone is using
> so we can allocate resources to each version.

At a guess, most people are like me and use the latest version that they 
can find a package for their OS for, rather than compiling from scratch. 
I'm running Apache2 on Debian Etch, and stuck this in my apt/sources.list:

deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./

This presently gives me version 2.1.1. I'll be willing to upgrade to 2.5 
manually if/when a compelling reason rears it's head.

Just took a look at: http://www.modsecurity.org/download/index.html and 
found that it lists a debian package repository of 
http://ftp.debian-unofficial.org/debian/pool/main/liba/libapache-mod-security/ 
which only contains mod_security v1 packages...

> Now that we have a solution to the load issue with 2.5, it won't be a
> problem to start putting out daily releases again.  But its really
> important to us to know who is running boxes that can not run 2.5
> (apache 1.x) and those that can not update for now.  Just need some
> sense of what everyones needs are so I can plan my time accordingly.

Apache 2 was released over 5 years ago now. I don't see how anyone could 
expect you to continue further development for the 1.3 branch if they 
themselves wont take the time to upgrade. There will come a point when 
support for 1.3 needs to stop. If this were my project, that point would 
have been reached by now ;)

Mike