Re: Q: Use https for {deb,security}.debian.org by default

To: Jeremy Stanley <fungi@yuggoth.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Q: Use https for {deb,security}.debian.org by default
From: Wouter Verhelst <wouter@debian.org>
Date: Sat, 21 Aug 2021 10:40:32 +0200
Message-id: <[🔎] YSC8AKP6UQjYPXIp@pc181009.grep.be>
In-reply-to: <[🔎] 20210820192022.l4zsyvrau2homxdr@yuggoth.org>
References: <[🔎] 20210819223820.fb4a3f7ab23da92a685fe4ce@iijmio-mail.jp> <[🔎] 5790d751-dda8-fab6-601d-ebd8e30433c5@hogyros.de> <[🔎] bb4cdd0c-5490-90b1-1035-53bb42ac4ead@kitware.com> <[🔎] 20210819221132.svidlgyghjfz7qjb@yuggoth.org> <[🔎] 87bl5sh2za.fsf@miraculix.mork.no> <[🔎] 20210820141703.xq3qmqaltoknox7d@yuggoth.org> <[🔎] 87h7fkkvvi.fsf@hope.eyrie.org> <[🔎] edc2d127-e363-8335-cc05-8f8487d63725@hogyros.de> <[🔎] 8735r4kkf1.fsf@hope.eyrie.org> <[🔎] 20210820192022.l4zsyvrau2homxdr@yuggoth.org>

On Fri, Aug 20, 2021 at 07:20:22PM +0000, Jeremy Stanley wrote:
> Yes transparent proxies or overridden DNS lookups could be used to
> direct deb.debian.org and security.debian.org to your alternative
> location,

I've been thinking for a while that we should bake a feature in apt
whereby a network administrator can indicate somehow that there is a
local apt mirror and that apt should use that one in preference to
deb.debian.org.

This could be useful for both the "I've got a slow uplink and would like
it to not be overwhelmed at the BSP I'm hosting for my Debian friends"
type as well as the "I'm an ISP and I want to provide a mirror to Debian
users so we can reduce our uplink connection a bit" type of situations.

However, I've not been able to come up with a scheme which is simple
enough to be doable on a LAN while at the same time be usable by larger
network providers, *and* which can't also be abused by MitM attackers.

Perhaps it's just not something we would be able to do?

-- 
     w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}

Reply to:

Follow-Ups:
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Tobias Frost <tobi@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Philip Hands <phil@hands.com>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Phil Morrell <debian@emorrp1.name>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Helmut Grohne <helmut@subdivi.de>

References:
- Q: Use https for {deb,security}.debian.org by default
  - From: Hideki Yamane <henrich@iijmio-mail.jp>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Kyle Edwards <kyle.edwards@kitware.com>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Bjørn Mork <bjorn@mork.no>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Simon Richter <sjr@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Russ Allbery <rra@debian.org>
- Re: Q: Use https for {deb,security}.debian.org by default
  - From: Jeremy Stanley <fungi@yuggoth.org>

Prev by Date: Re: inconsistent mailgraph settings
Next by Date: Re: inconsistent mailgraph settings
Previous by thread: Re: Q: Use https for {deb,security}.debian.org by default
Next by thread: Re: Q: Use https for {deb,security}.debian.org by default
Index(es):
- Date
- Thread