Re: When should we https our mirrors?

To: debian-devel@lists.debian.org
Subject: Re: When should we https our mirrors?
From: Tollef Fog Heen <tfheen@err.no>
Date: Sun, 16 Oct 2016 08:52:47 +0200
Message-id: <[🔎] 87shrwkcow.fsf@fehawnok.err.no>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] CANBHLUhaVEBTb+4TQgicx2pfkYKoH4SZwc8DTh+wGPnKc-LDcg@mail.gmail.com> (Dimitri John Ledkov's message of "Sun, 16 Oct 2016 06:31:51 +0100")
References: <[🔎] 20161015180336.GA19899@cassiel.pault.ag> <[🔎] 87instl8ic.fsf@fehawnok.err.no> <[🔎] CANBHLUhaVEBTb+4TQgicx2pfkYKoH4SZwc8DTh+wGPnKc-LDcg@mail.gmail.com>

]] Dimitri John Ledkov 

> I'm not a sysadmin. My naive approach would be to have cname specified
> on the certs that are subject to redirect. E.g. ftp.d.o should have
> cname's for all country codes, such that any country mirror can fall
> back to ftp.d.o.

This would restrict us to always point a ftp.XX.d.o name to ftp.d.o.
Sometimes, it'd be more appropriate to point it to a closer geographical
mirror.  (Say ftp.nz were performing maintenance, it'd be a lot more
reasonable to send that traffic to Australia than to the Netherlands.)

Is this impossible to fix/work around?  No.  However, it requires more
thought and design than just slapping a few letsencrypt certs onto
some hosts.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

References:
- When should we https our mirrors?
  - From: Paul Tagliamonte <paultag@debian.org>
- Re: When should we https our mirrors?
  - From: Tollef Fog Heen <tfheen@err.no>
- Re: When should we https our mirrors?
  - From: Dimitri John Ledkov <xnox@debian.org>

Prev by Date: Bug#840918: ITP: node-string-decoder -- The string_decoder module from Node core
Next by Date: Re: When should we https our mirrors?
Previous by thread: Re: When should we https our mirrors?
Next by thread: Re: When should we https our mirrors?
Index(es):
- Date
- Thread