Date: Thu, 24 Oct 2002 17:49:20 +0100
From: Thom May
To: mirrors@apache.org
Subject: Re: Mirror Update time
Message-ID: <20021024164920.GC854@samizdat>
In-Reply-To: <20021024164227.GK19423@electra.cse.Buffalo.EDU>
References: <20021024090458.GA854@samizdat> <20021024092000.13041.qmail@web11103.mail.yahoo.com> <20021024160023.GB854@samizdat> <20021024164227.GK19423@electra.cse.Buffalo.EDU>

* Ken Smith (kensmith@cse.Buffalo.EDU) wrote :
> On Thu, Oct 24, 2002 at 05:00:23PM +0100, Thom May wrote:
> > * myfriend.is.not.my.enemies.org (ikmal_ahmad@yahoo.com) wrote :
> > >
> > > Actually Andrew's concern is about security for all Apache mirrors.
> > > I think this can be settled if every administrator/maintainer applies patches for their Apache webserver. But how do we know which Apache has been patched or not? I think that's why Andrew wants to do it like that.
> > >
> > Apache may suggest that the best practise would be to run 1.3.26 or better;
> > but it's a decision that is _entirely_ up to the server admins who are
> > _freely_ donating time and resources.
> > -Thom
>
> The counterpoint to that being Apache has the "responsibility" of
> making their distribution channel as free of potential tampering
> as possible. httpd versions older than 1.3.26 have known security
> issues that can allow remote attackers access to the machine and
> the opportunity to tamper with the files being distributed.
>
Unpatched versions, yes. As I said earlier in the thread, most distributions backport patches to older versions rather than introduce new versions in stable distributions. How are you planning to test for this?

> If the mirror admins are interested in helping out Apache by donating
> their time and resources perhaps they can extend that interest enough
> to help make the distribution mechanism as trustworthy (hack-proof)
> as possible. In this day and age of "the bad guys" playing games
> with attacking the root DNS servers and whatnot IMO it isn't out of
> line for Apache to request the *official* mirrors be secure within
> reason.
>
I think running an older version with the correct patchset is totally within reason.
-Thom
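Thom's point that an upstream version number alone cannot show whether a distribution build carries backported patches can be turned into a small self-check a mirror admin runs on their own host. The following is an added example, not code from this thread or from the Apache project: it parses an `httpd -v` style version line, applies the 1.3.26 floor the thread names, and refuses to pass judgement on vendor builds below that number; a second function compares a distribution package version against a fixed-version table the operator fills in from the vendor's own security advisories. The `VENDOR_MARKERS` list, the simplified `_version_key` comparison and every sample value are assumptions or constructed placeholders, not real advisory data.

```python
import re
from typing import Dict, NamedTuple, Tuple

# Upstream release the thread names as the floor ("1.3.26 or better").
MIN_UPSTREAM: Tuple[int, ...] = (1, 3, 26)

# Substrings that mark a distribution build in the banner. Assumption: this
# list is illustrative, not exhaustive; extend it for the vendors you run.
VENDOR_MARKERS = ("debian", "red hat", "red-hat", "suse", "mandrake",
                  "freebsd", "gentoo")

_BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)\s*(.*)")


class Verdict(NamedTuple):
    status: str                # "ok", "outdated" or "undetermined"
    version: Tuple[int, ...]
    reason: str


def _version_key(text: str) -> Tuple[int, ...]:
    """Split a version like '1.3.9-14.3' into (1, 3, 9, 14, 3).

    Simplified comparison: numeric components only, no epoch or letter
    handling, so it is not a substitute for dpkg/rpm version semantics.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def assess_banner(banner: str) -> Verdict:
    """Judge an httpd build from its version line (e.g. 'httpd -v' output).

    'ok' at or above 1.3.26; 'outdated' for a plain upstream build below it;
    'undetermined' for a vendor build below it, because the upstream number
    says nothing about backported fixes.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return Verdict("undetermined", (), "no Apache version string found")
    version = tuple(int(x) for x in m.groups()[:3])
    rest = m.group(4).lower()
    if version >= MIN_UPSTREAM:
        return Verdict("ok", version, "upstream version meets the 1.3.26 floor")
    if any(marker in rest for marker in VENDOR_MARKERS):
        return Verdict("undetermined", version,
                       "vendor build: upstream number does not show backported patches")
    return Verdict("outdated", version, "upstream build below 1.3.26")


def assess_package(distro: str, package_version: str,
                   fixed_versions: Dict[str, str]) -> Verdict:
    """Judge a distribution package against the operator's fixed-version table.

    fixed_versions maps a distro name to the earliest package version known to
    carry the backported fixes; the caller fills it in from that distribution's
    security advisories (this code knows no real values).
    """
    floor = fixed_versions.get(distro.lower())
    have = _version_key(package_version)
    if floor is None:
        return Verdict("undetermined", have, f"no fixed-version record for {distro}")
    if have >= _version_key(floor):
        return Verdict("ok", have, f"{distro} package {package_version} >= fixed {floor}")
    return Verdict("outdated", have, f"{distro} package {package_version} < fixed {floor}")


if __name__ == "__main__":
    # Constructed sample inputs, not data from the thread or from any real host.
    for banner in ("Server version: Apache/1.3.27 (Unix)",
                   "Server version: Apache/1.3.20 (Unix)",
                   "Server version: Apache/1.3.9 (Unix) Debian GNU/Linux"):
        print(banner, "->", assess_banner(banner).status)
    table = {"debian": "1.3.9-14.3"}  # placeholder, not a real advisory version
    print(assess_package("Debian", "1.3.9-14.2", table).status)
```

The two functions answer Thom's "how are you planning to test for this?" in the only honest way a banner check can: a vendor build below 1.3.26 comes back `undetermined`, and the decision is deferred to package-level data the operator maintains, which is where backport status actually lives.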