Branko Čibej wrote on Sat, 22 Sep 2018 16:29 +0200:
> On 22.09.2018 16:22, Branko Čibej wrote:
> > On 22.09.2018 16:13, Daniel Shahaf wrote:
> >> Please don't download the artifacts from www*.apache.org but from a
> >> mirror. I think there is a redirector CGI somewhere that automatically
> >> redirects you to a mirror close to you, but I can't find it :(
> > http://subversion.apache.org/download.cgi
> >
> > Linked from our main page.
>
> [The original thread is on users@]
>
> I just noticed that when I click the 'Source Download' link in the
> navigation tab on our web page, I get:
>
> http://subversion.apache.org/download.cgi?update=201708081800
>
> instead of plain
>
> http://subversion.apache.org/download.cgi
>
> Can anyone remember why that is? It seems wrong, and also doesn't appear
> to do anything, since the page contents and especially download links
> appear to be the same in both cases.
>
> It was done in r1804690, the log message is:
>
> Release Subversion 1.9.7 with a fix for CVE-2017-9800.
>
> So it's possible that we forgot to clean that up after the security fix
> release ... and also that the ?update= parameter doesn't appear to work
> properly (any more).
The ?update= parameter is used to only offer mirrors that have synced
after the specified YYMMDDhhmm date. We use it after a security release when
the email announcement is less than 24 hours after the upload to /dist/release,
in order to prevent offering mirrors that don't carry the just-released artifacts.
The reason the parameter seems to have no effect is that the threshold
date it sets is over a year ago, and all mirrors have update since then,
so it excludes no mirrors from the list.
Yes, we can remove it now.. but, frankly, I'd rather keep it, so we
don't have to look up the syntax the next time we need it. It sounds like
we could add a comment, though.
Cheers,
Daniel
Received on 2018-09-22 16:43:45 CEST