On 22.09.2018 16:43, Daniel Shahaf wrote:
> Branko Čibej wrote on Sat, 22 Sep 2018 16:29 +0200:
>> On 22.09.2018 16:22, Branko Čibej wrote:
>>> On 22.09.2018 16:13, Daniel Shahaf wrote:
>>>> Please don't download the artifacts from www*.apache.org but from a
>>>> mirror. I think there is a redirector CGI somewhere that automatically
>>>> redirects you to a mirror close to you, but I can't find it :(
>>> http://subversion.apache.org/download.cgi
>>>
>>> Linked from our main page.
>> [The original thread is on users@]
>>
>> I just noticed that when I click the 'Source Download' link in the
>> navigation tab on our web page, I get:
>>
>> http://subversion.apache.org/download.cgi?update=201708081800
>>
>> instead of plain
>>
>> http://subversion.apache.org/download.cgi
>>
>> Can anyone remember why that is? It seems wrong, and also doesn't appear
>> to do anything, since the page contents and especially download links
>> appear to be the same in both cases.
>>
>> It was done in r1804690, the log message is:
>>
>> Release Subversion 1.9.7 with a fix for CVE-2017-9800.
>>
>> So it's possible that we forgot to clean that up after the security fix
>> release ... and also that the ?update= parameter doesn't appear to work
>> properly (any more).
> The ?update= parameter is used to only offer mirrors that have synced
> after the specified YYMMDDhhmm date. We use it after a security release when
> the email announcement is less than 24 hours after the upload to /dist/release,
> in order to prevent offering mirrors that don't carry the just-released artifacts.
>
> The reason the parameter seems to have no effect is that the threshold
> date it sets is over a year ago, and all mirrors have update since then,
> so it excludes no mirrors from the list.
>
> Yes, we can remove it now.. but, frankly, I'd rather keep it, so we
> don't have to look up the syntax the next time we need it. It sounds like
> we could add a comment, though.
Good idea; r1841687.
-- Brane
Received on 2018-09-22 16:59:59 CEST