www-mirrors mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ken Smith <kensm...@cse.Buffalo.EDU>
Subject Re: Mirror Update time
Date Thu, 24 Oct 2002 16:42:27 GMT
On Thu, Oct 24, 2002 at 05:00:23PM +0100, Thom May wrote:
> * myfriend.is.not.my.enemies.org (ikmal_ahmad@yahoo.com) wrote :
> > 
> > Actually Andrew concern is about security for all apache mirror.
> > I think this can seatle if every administrator/maintainer apply pathes for their
Apache webserver.  But how we know's which Apache have been patch or not.  I think that's
why Andrew want to do like that.
> >  
> Apache may suggest that the best practise would be to run 1.3.26 or better;
> but it's a decision that is _entirely_ up to the server admins who are
> _freely_ donating time and resources.
> -Thom

The counterpoint to that being Apache has the "responsibility" of
making their distribution channel as free of potential tampering
as possible.  httpd versionf older than 1.3.26 have known security
issues that can allow remote attackers access to the machine and
the opportunity to tamper with the files being distributed.

If the mirror admins are interested in helping out Apache by donating
their time and resources perhaps they can extend that interest enough
to help make the distribution mechanism as trustworthy (hack-proof)
as possible.  In this day and age of "the bad guys" playing games
with attacking the root DNS servers and whatnot IMO it isn't out of
line for Apache to request the *official* mirrors be secure within
reason.

-- 
						Ken Smith
- From there to here, from here to      |       kensmith@cse.buffalo.edu
  there, funny things are everywhere.   |
                      - Theodore Geisel |

Mime
View raw message