Re: When should we https our mirrors?

To: debian-devel@lists.debian.org
Subject: Re: When should we https our mirrors?
From: Tollef Fog Heen <tfheen@err.no>
Date: Sat, 15 Oct 2016 21:25:31 +0200
Message-id: <[🔎] 87instl8ic.fsf@fehawnok.err.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20161015180336.GA19899@cassiel.pault.ag> (Paul Tagliamonte's message of "Sat, 15 Oct 2016 14:03:36 -0400")
References: <[🔎] 20161015180336.GA19899@cassiel.pault.ag>

]] Paul Tagliamonte 

> So, when are we going to push this? If not now, what criteria need to
> be met? Why can't we https-ify the default CDN mirror today?

The usual crypto answer: because key handling is hard.

Doing this for the per-country mirrors means that repointing mirrors
becomes a lot harder than it currently is, and this is something we do
on a daily basis.  We'd need a solution for deploying the TLS cert for,
say, ftp.de.d.o to ftp.se.d.o (or ftp.d.o) if ftp.d.o is down for
maintenance.

Doing this for deb.d.o would mean we need to get certs on both Fastly
and Cloudfront deployed, which is, frankly, a more realistic proposition
than jury-rigging something on the per-country mirrors.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: When should we https our mirrors?
  - From: Paul Wise <pabs@debian.org>
- Re: When should we https our mirrors?
  - From: Aron Xu <aron@debian.org>
- Re: When should we https our mirrors?
  - From: Dimitri John Ledkov <xnox@debian.org>
- Re: When should we https our mirrors?
  - From: Robert Edmonds <edmonds@debian.org>

References:
- When should we https our mirrors?
  - From: Paul Tagliamonte <paultag@debian.org>

Prev by Date: Re: When should we https our mirrors?
Next by Date: Bug#840893: ITP: ansible-tower-cli -- command line tool for Ansible Tower
Previous by thread: Re: non-Debian software on ftp*.*.debian.org mirrors
Next by thread: Re: When should we https our mirrors?
Index(es):
- Date
- Thread