[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Performance of security.debian.org?

Hi!

Just now I upgraded firefox-esr on bookworm, from bookworm-security.
It's 60M, apt showed me ~90kB/s and projected 10 minutes.
And it did take like 10 minutes.

Two days ago, apt update projected to take, and took,
on the same order of time, I think also on security.d.o.
I gave up and pulled the package off snapshot.d.o,
so I didn't measure how long it would've taken to download.

Searching through the archives, I see a note about dropping rsync in
  https://lists.debian.org/debian-mirrors-announce/2019/11/msg00000.html
which notes that security.d.o is available in HTTP at security.d.o only,
with mirrors discouraged, and a post about a security-cdn.d.o in
  https://lists.debian.org/debian-user/2018/08/msg01196.html
though while that user saw a security.d.o -> security-cdn.d.o redirect
I cannot reproduce this, and I see an identical rate when pulling from
security-cdn.d.o, an idential set of headers (two varnishes, two HITs),
and no redirects.

The latter links to https://www.debian.org/mirror/ftpmirror#what which says
> The debian-security/ archives contain the security updates released by
> the Debian security team. While it sounds interesting to everyone, we
> do not recommend to our users to use mirrors to obtain security
> updates and instead ask them to directly download them from our
> distributed security.debian.org service. We recommend debian-security
> not be mirrored.

OTOH, security.d.o points to some fastly-assigned IPs directly whereas
security-cdn.d.o is CNAME debian.map.fastlydns.net.

OTOOH, that mail is the /only/ place I see security-cdn.d.o referenced,
and https://www.debian.org/security/ doesn't list it as a mirror.
Well, AFAICT, most debian.org pages consider "the archive" and "mirrors"
to apply to the main archive only, and security.d.o may as well not
exist.

OTOOOH, this is the type of performance I'd expect from downloading
something off an uncached primary mirror in skibidi, ohio
(like, in recent memory, ftp.netbsd.org achieving 37.4kB/s
 vs its undocumented cdn.netbsd.org address which, uh. works).

Conversely, the "distributed" deb.debian.org address which is /also/
CNAME debian.map.fastlydns.net. yields normal speeds. This had also
been the case for security.d.o on the order of weeks-and-months back.

So, to this end:
  is this state expected?
  is this change expected?
  is this performance expected?
  if not, why not mirror security.d.o?

Thanks,
наб

Attachment: signature.asc
Description: PGP signature

Reply to: