> I'm just concentrating on the content of the mirrors now to
> make sure they are configured properly, and carry the latest
> versions. If each admin wants to rely on Redhat making their
> rpm's secure it's their own network that will suffer if all
> holes aren't patched up.
If you really want to keep track of the content/quality of the mirrors then put a timestamp file in each of the dists (XML, Jakarta, httpd) and then pull those from the mirrors to see who is up-to-date and who isn't. I believe Debian puts a timestamp somewhere in its dist ... I don't know if they _use_ it ... :-)

As for the comments about relying on package maintainers I think that's about all we can do. I'm as busy as everybody else here and I don't have time to be an expert on _every_ package. I know Apache but I'm not the Apache master; I rely on the Debian packages that I pull down as needed. Today I happen to be running the "acceptable" version but with the Debian release schedule as it is I won't be for long ... it will _appear_ that I'm out of date even though I'm not. I don't think I should be penalized for that as an Apache mirror.

Just my $0.02

Scott :-)

> -----Original Message-----
> From: Haesu [mailto:[EMAIL PROTECTED]
> Sent: Friday, 25 October 2002 10:23 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Mirror Update time
>
>
> Hello,
> I personally believe that everyone operating the mirror must run
> at least 1.3.26 or above.. I mean it would be better if all the mirrors
> are *totally secure* from any possibilities of exploits, rather than just
> cutting corners with redhat rpm updates that fix the problem w/o upgrading
> completely. Accepted, my opinion may not be 100% correct. But the reason
> for anyone to operate an official mirror is to help apache foundation to
> begin with, and I believe each mirror should be proactive in its
> responsibilities, including security.
>
> --HC
>
>
> On Thu, 24 Oct 2002, myfriend.is.not.my.enemies.org wrote:
>
> >
> > Actually Andrew's concern is about security for all apache mirrors.
> > I think this can settle if every administrator/maintainer applies patches for
> > their Apache webserver. But how do we know which Apache has been patched or
> > not. I think that's why Andrew wants to do it like that.
> >
> > Thom May <[EMAIL PROTECTED]> wrote:
> > * Andrew Kenna ([EMAIL PROTECTED]) wrote :
> > > People, please follow the steps outlined on http://httpd.apache.org/
> > > The following are mirrors that are no longer valid, meaning 1 of the
> > > following
> > >
> > > 1) They are un-reachable
> > > 2) They do not contain the latest version of apache
> > > 3) They are running a version of apache pre-dating 1.3.26
> > >
> > > Does anyone have any problems with removing mirror sites that are running
> > > versions of apache prior to 1.3.26 ?
> >
> > Yes, this is bogus. Most OS distributions prefer to backport patches rather
> > than enforce an upgrade on their users.
> > Debian's 2.2 release (the last but one, and still receiving updates) has a
> > fully patched 1.3.9 version in, which is as secure as 1.3.26.
> > So you're just causing admins extra work for no real reason.
> > -Thom
> >
> >
> > ---------------------------------
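A freshness check of the kind Scott suggests above (a timestamp file per dist, pulled from each mirror and compared with the master), written here as an added example; it is not code from this thread or from the Apache mirror tooling. The timestamp format, the file contents and the mirror names are assumptions constructed inline so it runs offline; in practice the contents would be fetched over HTTP from each mirror.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what the master and each mirror would serve as the
# per-dist timestamp file (e.g. dist/httpd/TIME). Hostnames are made up.
MASTER_TIME = "2002-10-25T00:10:00Z"
MIRROR_TIME = {
    "mirror-a.example": "2002-10-25T00:10:00Z",   # fully synced
    "mirror-b.example": "2002-10-23T00:00:00Z",   # two days behind
    "mirror-c.example": None,                     # file missing or host unreachable
    "mirror-d.example": "not a timestamp",        # corrupt or truncated file
}


def parse_time(text):
    """Parse an ISO-8601 UTC timestamp (assumed format); None if absent or malformed."""
    if text is None:
        return None
    try:
        return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    except ValueError:
        return None


def classify(master_text, mirror_text, max_lag=timedelta(days=1)):
    """Return 'ok', 'stale' or 'broken' for one mirror's timestamp file.

    'broken' covers a missing or unparsable file, which deserves a follow-up
    just as much as a stale one: it means the mirror is not carrying the dist
    in the expected form, regardless of which Apache version serves it.
    """
    master = parse_time(master_text)
    mirror = parse_time(mirror_text)
    if master is None or mirror is None:
        return "broken"
    lag = master - mirror
    # A mirror timestamp newer than the master's (clock skew, stray file)
    # gives a negative lag and passes the check; it is not flagged here.
    return "ok" if lag <= max_lag else "stale"


def audit(master_text, mirrors, max_lag=timedelta(days=1)):
    """Map each mirror host to its status for one dist."""
    return {host: classify(master_text, text, max_lag)
            for host, text in mirrors.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(MASTER_TIME, MIRROR_TIME).items()):
        print(f"{host:20} {status}")
```

The acceptable lag is a policy choice; a tighter window than one day simply moves more mirrors into the stale bucket without changing the classification logic.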