[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992692: general: Use https for {deb,security}.debian.org by default

On Thu, Sep 9, 2021 at 6:03 PM Simon Richter wrote:

> Another important argument is that it creates a dependency on
> third-party commercial CDNs, and their *continued* sponsorship.

This dependency on external providers is unavoidable, Debian
definitely cannot afford to run our own CDN at the scale needed to
support our existing userbase. For example the security mirrors
struggled with Linux kernel security updates, so security.d.o switched
to a commercial CDN. Also, we are dependent on continued sponsorship
for all of our infrastructure, paying for all of our hosting is likely
not feasible.


> Debian is very conservative when spending money and generally shies away
> from recurring expenses because we do not want to find us in a situation
> where we are dependent on an external entity making a timely donation in
> order to keep operations running, so I wonder why we are that accepting
> of it in one of our core services, and I certainly don't think we should
> be adding additional roadblocks should we ever need to find an alternative.

DSA setup the CDN provider solution to give the Debian userbase a
better experience than having to choose a mirror and a better
experience than httpredir.d.o's redirect method. We have multiple CDN
providers to mitigate the dependency, and other providers who we
aren't yet using that are offering service. So, as much as I dislike
CDNs as a concept, I recognise that we currently need them and think
that we are able to handle loss of a CDN provider or two.

> We have a (crude) load-balancing framework in infrastructure we control
> that can point requests towards a set of untrusted mirrors, and while
> it's nice that we don't *need* to use this fallback plan, it is
> reassuring it is there.

httpredir.d.o no longer exists, it points at deb.d.o, so it would have
to be rebuilt if we were to need to switch away from CDNs.

Personally I'd like to see a larger variety of Debian delivery
mechanisms; copy Debian/snapshot to archive.org, create a multi-distro
FLOSS CDN, bring back httpredir, DebTorrent and apt-p2p, add an i2p
mirror, use IPFS and content oriented networking etc. Michael Stone's
apt://debian idea seems like a good way to move in that direction
while adding protocol agility.

> If they ask why we're not using HTTPS, yes: it helps clear up the
> misconception that anything with an "s" in it is secure and can be trusted.

The volume of questions about missing https means that it is more
efficient to just use https than to have to reply to new questions
about it.



Reply to: