This is my ebuild for v3.0.0 of the modsecurity-crs base rules. It requires v2.8 or greater of mod_security. (see Bug 615294) I've split the default config file out from the /etc/apache2/modules.d/80-modsecurity-crs.conf file, into /etc/modsecurity/crs-setup.conf. The /etc/apache2/modules.d/80-modsecurity-crs.conf file now only includes the other rules.
Created attachment 470116 [details] modsecurity-crs-3.0.0.ebuild
Created attachment 470118 [details] files/modsecurity-crs-3.0.0.conf
I committed this, but I left out the recommended configuration file by default for the same reasons I just mentioned in bug 615294. When users install modsecurity-crs, we want to be sure (as possible) that the default configuration will work. Many of the settings in crs-setup.conf.example are already default, and the CRS works out-of-the-box this way. Some of the nonstandard rules in that example file also have warnings on them that people should have to read before enabling them (by copying them into 80_mod_security-crs.conf). As with mod_security, there's no reason to have the additional /etc/modsecurity/crs-setup.conf file; our Apache configuration is already modular, and any rules can go directly in 80_mod_security-crs.conf which is protected from portage changes. If it turns our that there are configuration options we need to change by default, I can add them to 80_mod_security-crs.conf.