Clarify CRS 3 maintenance plans

[rainerjung]

Hi there,
thanks for the great work on CRS.
It would be nice if the maintenance plans for CRS 3 would be documented. Like eg. no more releases planned, or only 3.3.x releases for another 12 months or similar. This would help users to decide on their migration plans from CRS 3 to 4.
Thanks and best regards!
Rainer

[RedXanadu]

@rainerjung This is only a partial answer, but rest assured that v3.3.x is still supported (see: https://github.com/coreruleset/coreruleset/security/policy#supported-versions)

---

I, for one, would like to see a 'single source of truth' CRS release policy. Currently, we have this scattered across three different locations… (maybe more, but I'm aware of three.) And, what we do have written down is not consistent with the new plans going forwards, so everything needs updating, too.

This is something I would like to draft, if and when I find the time.

[dune73]

Hey @rainerjung, very good to see you. It's been a while.

I second what @RedXanadu has said.

We are now concentrating on 3.3.x and 4.x with the 4.x release line being supposed to get monthly updates, so 4.1.0 coming out in the next few days.

The idea is to declare one of the 4.x releases an LTS release.

I'd say the enterprise approach to the migration question would be to wait for an 4.x LTS release and then to start the migration to that release. My in official response on 3.3.x maintenance is, that we will probably treat it like an LTS and we are likely to keep at least 2 LTS releases under maintenance. So the clock starts to tick for 3.3.x the moment one of the 4.x releases becomes LTS.

But this is no yet official and we kind of need to grow into this new release policy.

What do you think about the LTS plans explained above. Does this make sense from your perspective?

[fzipi]

We are in the process of writing an official document with our release policy.