Agreeing with MacMac here, let me put out a few points.
[quote]I did find the postings you cite, but in neither did I see [ … ]
because DH were about to turn it on regardless.
Granted, they did not at that time say that they were planning to turn it on globally. I’m almost certain that they did NOT plan that at the time. So you’re right: they did not at that time warn us or suggest that we check it out.
- My point here is that it’s there, it’s a new feature, it’s about security, why not try it? Some people thought “let’s try this new thing and see if it works, at least it can’t harm to try” and found that it didn’t break the site, so it’s all fine. A few problems were reported, so these are known. Those who don’t try it don’t know whether it even works or breaks their sites.
[quote]Now DH are going to overwrite that crticial setting and
turn it ON, busting the sites
Considering my past positive experiences with DH, I am certain that individual users that are concerned can write to DH and say please exclude my site from this new setting. Besides, if you’re really concerned, create a mirror site and test the mod_security there before you try it on a real live site. If your site is really that crucial, then I bet you have a pre-production environment as well … or do you do your implementations on the live code?
[quote]Web site config is hard enough as it is without little
faeries flitting in and undoing my panel changes.
First, I consider these faeries a service, not a disease. They actually help us to make our sites more secure and thereby saving us the risks of break-ins, data loss, and whatnot. So I’m in favor of faeries, as long as we know in advance what they do and we get a chance to speak up – all of which is available to us.
I don’t feel that this change is all that disruptive. It’s not like they’re terminating PHP+MySQL and offering only ASP/Access instead, right? This is a teeny detail that works on almost everything and you can check if it also works for you; either in a low period on your live site or in your pre-production mirror site.
I get the impression that you operate a site that can’t afford downtime, so therefore I’m going to assume you’re also using a development and/or preproduction “staging area” where you try out your new stuff before you put them live. Why not treat this “faerie gift” the same way, see if works, and have DH not enable it on your site if you prove it’s bad?
If DH won’t or can’t help you with that, then you’re rightfully complaining that they are forcing you to break your live site, and then we do agree that thís is bad. But even then, you can ask to be informed of the exact time when they do turn it on, so you can turn if off again immediately afterwards. Anyway, if it does break your site, you’ll see it right away and it’s a one-minute task to fix it.
Try out DreamHost with a free WebID – Prices, options