ftp.freebsd.org out of date? (WRT security advisories)
Bruce A. Mah
bmah at freebsd.org
Wed Sep 17 20:40:17 PDT 2003
If memory serves me right, Nielsen wrote:
> It seems (at least for me) the patches on ftp.freebsd.org are out of
> date for the 03:12 security advisory (openssh). ftp2.freebsd.org has
> them fine.
>
> I'm wondering if this is a mirror issue or perhaps round-robin DNS problem?
>
> What compounds the issue is that right now the old openssh 3.7 patches
> are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be
> found on ftp2.freebsd.org). This could conceivably cause someone to miss
> a patch.
As I understand the problem, it has to do with the updating cycles of
the mirrors (both ftp.freebsd.org machines get their content in much
the same way as any of the other top-level mirrors). By sheer luck, it
might be possible that ftp.freebsd.org might sychronize later than the
other mirrors. There's other factors, such as the periodicity of
updating, that also come into play.
I'm not sure what's a good solution to this. I know that security-team
is aware of the problem, in fact it came up in the security-officer BoF
at BSDCon.
(One possibility might be to put the advisories on the Web site and
force an update immediately after an advisory is issued. I do this
during the late stages of a release cycle to push out the release
announcements and release notes. The problem with this, however, is
that everyone is conditioned to look to the FTP sites for advisories.)
Bruce.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 223 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030917/6be79638/attachment.bin
More information about the freebsd-security
mailing list