Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)

To: debian-devel@lists.debian.org
Subject: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
From: Paul Wise <pabs@debian.org>
Date: Tue, 25 Oct 2016 11:26:06 +0800
Message-id: <[🔎] CAKTje6G65HcaB1skFX2iKybCg3Hv8DJXibF1SJ1ktSAcSaGiHA@mail.gmail.com>
In-reply-to: <[🔎] 87k2cxiaoq.fsf@hope.eyrie.org>
References: <[🔎] CAPgP4gxcptXTNcEFb5Jf+SkAYPWSuXwRVAoiqmABG_+gDCdGYw@mail.gmail.com> <[🔎] 580CC7E3.2030301@debian.org> <[🔎] CAPgP4gwkkfhsfUMzGqT6AWqFnL7u2dazBvbj1ZPTpjQy0WTQeA@mail.gmail.com> <[🔎] 580CED6C.8070206@debian.org> <[🔎] 87oa2amqew.fsf@hope.eyrie.org> <[🔎] 20161024093354.er5mc6sp7w23f5ka@bunk.spdns.de> <[🔎] 8737jlk980.fsf@hope.eyrie.org> <[🔎] 20161024220509.yq72vjstnpoozc4i@bunk.spdns.de> <[🔎] 87k2cxiaoq.fsf@hope.eyrie.org>

On Tue, Oct 25, 2016 at 7:33 AM, Russ Allbery wrote:

> Tor is easier for us as a project, since we don't really have to do
> anything (assuming we just rely on existing exit nodes).

Debian has Tor onion service frontends to various Debian services,
including several Debian machines with archive mirrors, this is
implemented in an automated way using Puppet and onionbalance. So we
do not rely on Tor exit nodes, just relays and the onion service
system.

https://onion.debian.org/
https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/onion

> SSL is much harder for us as a project

For most debian.org services run by DSA, enabling SSL on a service is
one git commit away, thanks to Lets Encrypt.

Some things like snapshot are harder due to software or other issues.
For snapshot, varnish is the frontend and it doesn't support SSL.

All the debian.org mirrors except ftp.d.o are not actually run by DSA
and DSA occasionally need to change which domain points to which
mirror, so SSL for them is much more complicated.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Russ Allbery <rra@debian.org>

References:
- Re: When should we https our mirrors?
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: "Eugene V. Lyubimkin" <jackyf@debian.org>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: "Eugene V. Lyubimkin" <jackyf@debian.org>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Russ Allbery <rra@debian.org>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Adrian Bunk <bunk@stusta.de>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Russ Allbery <rra@debian.org>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Adrian Bunk <bunk@stusta.de>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Next by Date: "PIE by default" transition is underway -- wiki needs updating
Previous by thread: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Next by thread: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Index(es):
- Date
- Thread