Re: Q: Use https for {deb,security}.debian.org by default

To: debian-devel@lists.debian.org
Subject: Re: Q: Use https for {deb,security}.debian.org by default
From: Russ Allbery <rra@debian.org>
Date: Fri, 20 Aug 2021 12:04:02 -0700
Message-id: <[🔎] 8735r4kkf1.fsf@hope.eyrie.org>
In-reply-to: <[🔎] edc2d127-e363-8335-cc05-8f8487d63725@hogyros.de> (Simon Richter's message of "Fri, 20 Aug 2021 20:37:04 +0200")
References: <[🔎] 20210819223820.fb4a3f7ab23da92a685fe4ce@iijmio-mail.jp> <[🔎] 5790d751-dda8-fab6-601d-ebd8e30433c5@hogyros.de> <[🔎] bb4cdd0c-5490-90b1-1035-53bb42ac4ead@kitware.com> <[🔎] 20210819221132.svidlgyghjfz7qjb@yuggoth.org> <[🔎] 87bl5sh2za.fsf@miraculix.mork.no> <[🔎] 20210820141703.xq3qmqaltoknox7d@yuggoth.org> <[🔎] 87h7fkkvvi.fsf@hope.eyrie.org> <[🔎] edc2d127-e363-8335-cc05-8f8487d63725@hogyros.de>

Simon Richter <sjr@debian.org> writes:

> I support that idea in principle, but one of our user stories is "I have
> a datacenter with a few thousand containers in it, so I want to redirect
> accesses to the local mirror to reduce external network traffic."

Just checking that I understand.  You have several thousand containers
that you're running in your data center but cannot modify and whose
network access specifically to Debian apt mirrors you want to intercept
and redirect, and you're relying on them using http instead of https in
order to be able to do this?

One of the things that confuses me about this user story is why are your
containers doing non-trivial amounts of apt traffic at runtime?  Generally
the whole point of a container is that you only do this during container
build time.  I'm not sure I understand how you have gotten into a
situation where you have containers that you can't modify but that are
self-modifying (by updating apt packages) at runtime.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>

References:
- Q: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Kyle Edwards <kyle.edwards@kitware.com>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Bjørn Mork <bjorn@mork.no>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>

Prev by Date: Re: Re: Proposal to create unstable-proposed-updates suite for use during freeze
Next by Date: Re: Q: Use https for {deb,security}.debian.org by default
Previous by thread: Re: Q: Use https for {deb,security}.debian.org by default
Next by thread: Re: Q: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread