> With the point of people relying on binaries, I'm referring to people
> that use up2date from redhat and assume that it will update their apache
> daemon.. It might but it only tags the version as 1.3.22 for instance..
> Or one other case I heard about in there was debian patching up 1.3.9..
>
> I've had this discussion with Joshua before, but I think if people are
> serious about having a quality mirror they should download the source
> code from apache.org or an apache mirror.. Compile it up and be done
> with it.

I've got to completely disagree with this. A quality mirror has little or nothing to do with that; as long as you're not running a version that is vulnerable, how can that matter? I would also say that by depending on my pre-packaged binaries I'm actually _more_ secure than most mirrors because I get the updates automatically (that's not to say all update systems are like that; I know nothing of the quality of Redhat or Mandrake for instance).

I run a lot of mirrors and move a lot of data with them. I use proftpd, Apache and rsync to get it done. I'm not a master with any of them but this isn't my primary job; then again, I don't know many full-time mirror operators.

Just my $0.02,

Scott :-)
