Re: When should we https our mirrors?
On 15 October 2016 at 20:25, Tollef Fog Heen <email@example.com> wrote:
> ]] Paul Tagliamonte
>> So, when are we going to push this? If not now, what criteria need to
>> be met? Why can't we https-ify the default CDN mirror today?
> The usual crypto answer: because key handling is hard.
> Doing this for the per-country mirrors means that repointing mirrors
> becomes a lot harder than it currently is, and this is something we do
> on a daily basis. We'd need a solution for deploying the TLS cert for,
> say, ftp.de.d.o to ftp.se.d.o (or ftp.d.o) if ftp.d.o is down for
I'm not a sysadmin. My naive approach would be to have cname specified
on the certs that are subject to redirect. E.g. ftp.d.o should have
cnames for all country codes, such that any country mirror can fall
back to ftp.d.o.
Yes, it means that ftp.d.o can impersonate country mirrors. However,
we validate the integrity of the archive via gpg; this TLS thing is
only to encrypt the channel for the privacy of the requests.
> Doing this for deb.d.o would mean we need to get certs on both Fastly
> and Cloudfront deployed, which is, frankly, a more realistic proposition
> than jury-rigging something on the per-country mirrors.
> Tollef Fog Heen
> UNIX is user friendly, it's just picky about who its friends are