That's my thoughts too, but obviously people being people all have their different opinions on things.

I'm just concentrating on the content of the mirrors now to make sure they are configured properly, and carry the latest versions. If each admin wants to rely on Red Hat making their RPMs secure, it's their own network that will suffer if all holes aren't patched up.

Regards
Andrew

n.b. These are my personal thoughts and do not reflect the ideas/policies of the Apache Software Foundation in any way shape or form.

-----Original Message-----
From: Haesu [mailto:[EMAIL PROTECTED]
Sent: Friday, 25 October 2002 10:23 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Mirror Update time

Hello,

I personally believe that everyone operating the mirror must run at least 1.3.26 or above. I mean it would be better if all the mirrors are *totally secure* from any possibilities of exploits, rather than just cutting corners with Red Hat RPM updates that fix the problem w/o upgrading completely.

Accepted, my opinion may not be 100% correct. But the reason for anyone to operate an official mirror is to help the Apache foundation to begin with, and I believe each mirror should be proactive in its responsibilities, including security.

--HC

On Thu, 24 Oct 2002, myfriend.is.not.my.enemies.org wrote:

>
> Actually Andrew's concern is about security for all Apache mirrors.
> I think this can be settled if every administrator/maintainer applies patches for
> their Apache webserver. But how do we know which Apache has been patched or
> not? I think that's why Andrew wants to do it like that.
>
> Thom May <[EMAIL PROTECTED]> wrote: * Andrew Kenna ([EMAIL PROTECTED]) wrote :
> > People, please follow the steps outlined on http://httpd.apache.org/
> > The following are mirrors that are no longer valid, meaning 1 of the
> > following
> >
> > 1) They are un-reachable
> > 2) They do not contain the latest version of apache
> > 3) They are running a version of apache pre-dating 1.3.26
> >
> > Does anyone have any problems with removing mirror sites that are running
> > versions of apache prior to 1.3.26 ?
> >
> Yes, this is bogus. Most OS distributions prefer to backport patches rather
> than enforce an upgrade on their users.
> Debian's 2.2 release (the last but one, and still receiving updates) has a
> fully patched 1.3.9 version in, which is as secure as 1.3.26.
> So you're just causing admins extra work for no real reason.
> -Thom
