www-mirrors mailing list archives

From "Andrew Kenna" <andr...@stamina.com.au>
Subject RE: Mirror Update time
Date Fri, 25 Oct 2002 01:08:47 GMT
I'm not disagreeing with what you are saying Scott, but do you run any additional modules with
your apache server such as php, mod_perl etc.?

If not it takes approx 10-15 minutes to re-compile a new installation of apache to run on
a new version. I think rather than relying on what pre-packaged binaries offer one should
spend the 10-15mins and compile a new version of apache to make 100% sure they are running
a proper version not one that is patched up.

I am not saying there are holes in the patches these companies apply, but with all patches
there are known problems.
If you compile a fresh version that has all patches inbuilt into the proper source files you
would be assured that it will work securely.

Andrew


-----Original Message-----
From: Scott Kveton [mailto:kveton@oregonstate.edu]
Sent: Friday, 25 October 2002 10:52 AM
To: mirrors@apache.org
Subject: Re: Mirror Update time


> I'm just concentrating on the content of the mirrors now to 
> make sure they are configured properly, and carry the latest 
> versions. If each admin wants to rely on Redhat making their 
> rpm's secure it's their own network that will suffer if all 
> holes aren't patched up.

If you really want to keep track of the content/quality of the mirrors
then put a timestamp file in each of the dists (XML, Jakarta, httpd) and
then pull those from the mirrors to see who is up-to-date and who isn't.
I believe Debian puts a timestamp somewhere in its dist ... I don't know
if they _use_ it ... :-)

As for the comments about relying on package maintainers I think that's
about all we can do.  I'm as busy as everybody else here and I don't
have time to be an expert on _every_ package.  I know Apache but I'm not
the Apache master; I rely on the Debian packages that I pull down as
needed.  Today I happen to be running the "acceptable" version but with
the Debian release schedule as it is I won't be for long ... it will
_appear_ that I'm out of date even though I'm not.  I don't think I
should be penalized for that as an Apache mirror.

Just my $0.02

Scott :-)
 
> -----Original Message-----
> From: Haesu [mailto:haesu@towardex.com]
> Sent: Friday, 25 October 2002 10:23 AM
> To: mirrors@apache.org; ikmal@i-ownur.info
> Subject: Re: Mirror Update time
> 
> 
> Hello,
> 	I personally believe that everyone operating the mirror must run
> at least 1.3.26 or above.. I mean it would be better if all the mirrors
> are *totally secure* from any possibilities of exploits, rather than just
> cutting corners with redhat rpm updates that fix the problem w/o upgrading
> completely. Accepted, my opinion may not be 100% correct. But the reason
> for anyone to operate an official mirror is to help apache foundation to
> begin with, and I believe each mirror should be proactive in its
> responsibilities, including security.
> 
> --HC
> 
> 
> On Thu, 24 Oct 2002, myfriend.is.not.my.enemies.org wrote:
> 
> >
> > Actually Andrew's concern is about security for all apache mirrors.
> > I think this can be settled if every administrator/maintainer applies patches for their
> > Apache webserver.  But how do we know which Apache has been patched or not?  I think that's
> > why Andrew wants to do it like that.
> >
> >  Thom May <thom@positive-internet.com> wrote:
> > * Andrew Kenna (andrewk@stamina.com.au) wrote :
> > > People, please follow the steps outlined on http://httpd.apache.org/
> > > The following are mirrors that are no longer valid, meaning 1 of the following
> > >
> > > 1) They are un-reachable
> > > 2) They do not contain the latest version of apache
> > > 3) They are running a version of apache pre-dating 1.3.26
> > >
> > > Does anyone have any problems with removing mirror sites that are running versions
> > > of apache prior to 1.3.26 ?
> >
> > Yes, this is bogus. Most OS distributions prefer to backport patches rather
> > than enforce an upgrade on their users.
> > Debian's 2.2 release (the last but one, and still receiving updates) has a
> > fully patched 1.3.9 version in, which is as secure as 1.3.26.
> > So you're just causing admins extra work for no real reason.
> > -Thom
> >
> >
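
Added example, not part of the original thread: a sketch of the timestamp-file check Scott describes, which judges a mirror by the freshness of the content it serves rather than by the version string of its web server (unreliable when patches are backported, as Thom notes). The file name TIMESTAMP, the epoch-seconds format, the two-day tolerance and the mirror-a.example host are all assumptions made for illustration.

```python
from urllib.request import urlopen

STAMP_FILE = "TIMESTAMP"      # hypothetical file name; the thread does not name one
MAX_LAG = 2 * 86400           # assumed tolerance: two days behind the master

def http_fetch(url, timeout=10):
    """Fetch a small text file; raises OSError when the mirror is unreachable."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read(64).decode("ascii", "replace")

def parse_stamp(body):
    """Accept only a bare decimal epoch so an error page is not read as a date."""
    text = body.strip()
    if not (text.isascii() and text.isdigit() and len(text) <= 12):
        raise ValueError("not an epoch timestamp")
    return int(text)

def check_mirror(base, master, fetch=http_fetch, max_lag=MAX_LAG):
    """Return {dist: status} for one mirror; master maps dist -> epoch."""
    result = {}
    for dist, want in master.items():
        try:
            have = parse_stamp(fetch(f"{base.rstrip('/')}/{dist}/{STAMP_FILE}"))
        except OSError:
            result[dist] = "unreachable"
        except ValueError:
            result[dist] = "malformed"
        else:
            if have > want:
                result[dist] = "ahead"   # newer than master: clock or content problem
            elif want - have > max_lag:
                result[dist] = "stale"
            else:
                result[dist] = "current"
    return result

# Constructed sample data standing in for network responses.
MASTER = {"httpd": 1035500000, "jakarta": 1035500000, "xml": 1035500000}
SAMPLE = {
    "http://mirror-a.example/httpd/TIMESTAMP": "1035500000\n",
    "http://mirror-a.example/jakarta/TIMESTAMP": "1035000000\n",
    "http://mirror-a.example/xml/TIMESTAMP": "<html>404 Not Found</html>",
}

def sample_fetch(url):
    if url not in SAMPLE:
        raise OSError("unreachable: " + url)
    return SAMPLE[url]

if __name__ == "__main__":
    print(check_mirror("http://mirror-a.example", MASTER, fetch=sample_fetch))
```
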
