Re: Q: Use https for {deb,security}.debian.org by default

[Philip Hands <phil@hands.com>]

Wouter Verhelst <wouter@debian.org> writes:

> On Fri, Aug 20, 2021 at 07:20:22PM +0000, Jeremy Stanley wrote:
>> Yes transparent proxies or overridden DNS lookups could be used to
>> direct deb.debian.org and security.debian.org to your alternative
>> location,
>
> I've been thinking for a while that we should bake a feature in apt
> whereby a network administrator can indicate somehow that there is a
> local apt mirror and that apt should use that one in preference to
> deb.debian.org.
>
> This could be useful for both the "I've got a slow uplink and would like
> it to not be overwhelmed at the BSP I'm hosting for my Debian friends"
> type as well as the "I'm an ISP and I want to provide a mirror to Debian
> users so we can reduce our uplink connection a bit" type of situations.
>
> However, I've not been able to come up with a scheme which is simple
> enough to be doable on a LAN while at the same time be usable by larger
> network providers, *and* which can't also be abused by MitM attackers.

We could declare that if one can find a TXT record in the local domain
(e.g. _DEBIAN_LOCAL_ARCHIVE.example.com) then one should use its
contents in order to configure an additional source for packages, such
that one gets the signed Release file from one's normally configured
sources, and then when getting subsequent files gives the local source a
try, falling back to the normal setup when downloads or checksums fail.

I can see that one could try a DoS of sorts by setting up the TXT record
to point at a tarpit, say, but that could be handled by setting short
timeouts, and giving up on the local server after some number of failures.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY