www-mirrors mailing list archives

From "Andrew Kenna" <andr...@stamina.com.au>
Subject RE: Mirror Update time
Date Fri, 25 Oct 2002 00:09:40 GMT
That's my thoughts too, but obviously people, being people, all have their different opinions
on things.

I'm just concentrating on the content of the mirrors now to make sure they are configured
properly, and carry the latest versions. If each admin wants to rely on Redhat making their
RPMs secure, it's their own network that will suffer if all holes aren't patched up.



N.B. These are my personal thoughts and do not reflect the ideas/policies of the Apache Software
Foundation in any way, shape or form.

-----Original Message-----
From: Haesu [mailto:haesu@towardex.com]
Sent: Friday, 25 October 2002 10:23 AM
To: mirrors@apache.org; ikmal@i-ownur.info
Subject: Re: Mirror Update time

I personally believe that everyone operating a mirror must run
at least 1.3.26 or above. I mean, it would be better if all the mirrors
were *totally secure* from any possibility of exploits, rather than just
cutting corners with Redhat RPM updates that fix the problem w/o upgrading
completely. Accepted, my opinion may not be 100% correct. But the reason
for anyone to operate an official mirror is to help the Apache foundation to
begin with, and I believe each mirror should be proactive in its
responsibilities, including security.


On Thu, 24 Oct 2002, myfriend.is.not.my.enemies.org wrote:

> Actually, Andrew's concern is about security for all Apache mirrors.
> I think this can be settled if every administrator/maintainer applies patches for their Apache
> webserver. But how do we know which Apache has been patched or not? I think that's why Andrew
> wants to do it like that.
>  Thom May <thom@positive-internet.com> wrote: * Andrew Kenna (andrewk@stamina.com.au) wrote:
> > People, please follow the steps outlined on http://httpd.apache.org/
> > The following are mirrors that are no longer valid, meaning 1 of the following
> >
> > 1) They are un-reachable
> > 2) They do not contain the latest version of apache
> > 3) They are running a version of apache pre-dating 1.3.26
> >
> > Does anyone have any problems with removing mirror sites that are running versions
> > of apache prior to 1.3.26?
> Yes, this is bogus. Most OS distributions prefer to backport patches rather
> than enforce an upgrade on their users.
> Debian's 2.2 release (the last but one, and still receiving updates) has a
> fully patched 1.3.9 version in, which is as secure as 1.3.26.
> So you're just causing admins extra work for no real reason.
> -Thom