On 22.09.2018 16:43, Daniel Shahaf wrote: > Branko Čibej wrote on Sat, 22 Sep 2018 16:29 +0200: >> On 22.09.2018 16:22, Branko Čibej wrote: >>> On 22.09.2018 16:13, Daniel Shahaf wrote: >>>> Please don't download the artifacts from www*.apache.org but from a >>>> mirror. I think there is a redirector CGI somewhere that automatically >>>> redirects you to a mirror close to you, but I can't find it :( >>> http://subversion.apache.org/download.cgi >>> >>> Linked from our main page. >> [The original thread is on users@] >> >> I just noticed that when I click the 'Source Download' link in the >> navigation tab on our web page, I get: >> >> http://subversion.apache.org/download.cgi?update=201708081800 >> >> instead of plain >> >> http://subversion.apache.org/download.cgi >> >> Can anyone remember why that is? It seems wrong, and also doesn't appear >> to do anything, since the page contents and especially download links >> appear to be the same in both cases. >> >> It was done in r1804690, the log message is: >> >> Release Subversion 1.9.7 with a fix for CVE-2017-9800. >> >> So it's possible that we forgot to clean that up after the security fix >> release ... and also that the ?update= parameter doesn't appear to work >> properly (any more). > The ?update= parameter is used to only offer mirrors that have synced > after the specified YYMMDDhhmm date. We use it after a security release when > the email announcement is less than 24 hours after the upload to > /dist/release, > in order to prevent offering mirrors that don't carry the just-released > artifacts. > > The reason the parameter seems to have no effect is that the threshold > date it sets is over a year ago, and all mirrors have update since then, > so it excludes no mirrors from the list. > > Yes, we can remove it now.. but, frankly, I'd rather keep it, so we > don't have to look up the syntax the next time we need it. It sounds like > we could add a comment, though.
Good idea; r1841687. -- Brane
