www-community mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Crossley <cross...@apache.org>
Subject Re: Handling security vulnerabilities at Apache
Date Tue, 13 Jan 2009 23:57:48 GMT
Jukka Zitting wrote:
> 
> A related point is the delay that our mirror infrastructure puts on
> the release process. A security release that gets set up for mirroring
> is already publicly available even though it can't under current
> policies be announced until 24 hours later. Would it be acceptable to
> avoid this delay by pointing people directly to www.apache.org/dist
> when releasing security fixes?

When doing a normal release, i check Henk's Mirmon:
http://www.apache.org/mirrors/

Normally the system is quite quick to get it out to
some of the mirrors. Especially the eu.apache.org mirror.

Regarding the 24 hour wait. I thought that that was
just a guideline. I wait until a good proportion of
the mirrors have received the release.

How often is the Europe mirror updated?
How often is it probed?

Perhaps refer people to the Europe mirror and the
"Status of Mirrors" page.

The download documentation could emphasise that if
they need it quicker and not yet available at their
favourite mirror, then get it from the main dist.

-David

---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org


Mime
View raw message