
Re: HTTPS metadata in Mirrors.masterlist?



On Tue, Feb 11, 2014 at 09:39:06AM -0500, Donald Norwood wrote:
This topic has come up in mirrors a few times from users and the
general consensus was stated rather well by Mattias. As it
stands, and to my knowledge, there are a handful of servers set up
to support https.

The question really becomes what is the point? If the network
traffic itself can be snooped then why not a smaller mirror set on
the specific machines if they are still wary of using even localized
mirror? Or a CD/DVD?

A caveat to those approaches is that the machines in question are
still connected to the network and those machines are still running
or querying services from the packages they installed.

Adding https support doesn't really solve the issue. From your later
post this seems more of a network security issue for those admins to
resolve.

On 11.02.14 15:56, Colin Watson wrote:
All I have left to say is that the admins in question are my customers,

so, the company is not your customer, but its admins are?

I've already exhausted all the avenues of protest you suggest, and they
still tell me this is something they need.  Based on the work I've done
so far I don't think this is a particularly onerous thing to support in
d-i at least as an option, I'm prepared to do the work, and all I'm
asking for here is a bit of metadata in the mirror masterlist.  If the
latter can't be provided because we don't think Debian mirrors will
accept the load or whatever, that's fine, I can always make it
manual-only or whatever, but at this point it is easier for me to
support HTTPS than to argue about it. :-)

You can of course configure HTTPS on your server. Maybe you could configure
HTTPS proxy for them. Finally, if they are your customers, it's up to you to
provide the service, isn't it?

Note that HTTPS clients verify the servers' certificate and multiple Debian
mirrors with different hostnames cannot have the same certificate, nor is it
sane to maintain different certificates for each hostname on each mirror ...

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.

