[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security mirrors?

On Mon, Jan 07, 2008 at 02:41:52AM -0200, Carlos Carvalho wrote:
> Users asked us to mirror debian-security. I've seen the security faq
> saying that there are no official mirrors (except those listed in the
> dns as security.debian.org), and unofficial ones are discouraged.
> OTOH, security has an entry in the mirror submission form, and
> security.d.o is open for rsync.
> What's the policy about this now?
> If mirrors are accepted, and recognized, is there a list of them? Is
> push sync available?

(Security has an entry in the mirror submission form because I wanted to
collect information about unofficial mirrors, even if we never do anything
about it. As of today, 41 active sites have since reported that they have
mirrored the security.d.o archive.)

We haven't had much progress on the issue of making these mirrors pushed,
because even though other security team members indicated agreement with
setting up pushed mirrors, Martin Schulze has consistently obstructed it.

The last time I have asked about this was October 22, 2007 through November
2, 2007. I managed to persuade them to at least give me access to the
current three official mirrors to see how much they carry. In the first
couple of days we saw a total average of 24.83 MB/s (198.64 Mbit/s), which
has since shifted down a bit (due to the holiday season); we've also seen
countless rsync connections to the sites; for example right now steffani.d.o
has registered 842 rsync connections since the last DSA two days ago.

This wasn't enough to convince Joey that we're wasting bandwidth and that it
would be a good idea to start doing something about it. So, the status quo
is kept - you can freely molest the security.d.o front-end machines via
rsync, but you can't have them push you in order.

The last correspondence I have about this is:

On Tue, Jan 01, 2008 at 05:40:59AM -0700, Peter Palfrader via RT wrote:
> On Sat, 15 Dec 2007, Josip Rodin via RT wrote:
> > [joy@villa:/org/mirror.debian.org]% sudo -u archvsync [...]
[this is me, mirroradm, having privileges over the files that can do the pushing]
> > joy is not in the sudoers file.  This incident will be reported.
> I talked to Joey and since mirror-adm isn't responsible for the sync to
> the security mirrors there doesn't seem to be a good case for giving you
> this sudo access.

I conceded the issue - yes, mirroradm team isn't responsible for the
security mirrors even though we offered to be - the security team is
responsible. They have been doing things the way they do them now, since
at least 2001 (that's how old the security faq entry about this is),
and have been unwilling to change for the better.

I am tired of fighting this.

     2. That which causes joy or happiness.

Reply to: