
Re: security mirrors?

On Sat, Jan 12, 2008 at 11:32:15AM +0100, Josip Rodin wrote:
> On Mon, Jan 07, 2008 at 02:41:52AM -0200, Carlos Carvalho wrote:
> > Users asked us to mirror debian-security. I've seen the security faq
> > saying that there are no official mirrors (except those listed in the
> > dns as security.debian.org), and unofficial ones are discouraged.
> > OTOH, security has an entry in the mirror submission form, and
> > security.d.o is open for rsync.
> > 
> > What's the policy about this now?
> > 
> > If mirrors are accepted, and recognized, is there a list of them? Is
> > push sync available?
>
> The last time I asked about this was October 22, 2007 through November
> 2, 2007. I managed to persuade them to at least give me access to the
> current three official mirrors to see how much they carry. In the first
> couple of days we saw a total average of 24.83 MB/s (198.64 Mbit/s), which
> has since shifted down a bit (due to the holiday season); we've also seen
> countless rsync connections to the sites; for example right now steffani.d.o
> has registered 842 rsync connections since the last DSA two days ago.
> This wasn't enough to convince Joey that we're wasting bandwidth and that it
> would be a good idea to start doing something about it. So, the status quo
> is kept - you can freely molest the security.d.o front-end machines via
> rsync, but you can't have them push you in order.

Obviously having few security mirrors concentrates bandwidth needs.

But in my opinion, having few security mirrors is a way to be almost
sure about their status.

We already experienced official Debian mirrors (supposed to be pushed)
being out of date, because its admin doesn't take care of it as it should.

But if the security mirror configured on a host is unreachable or
outdated, it's by far worse than having the standard archive outdated.

That's why I think we can spread the security mirror load on a few
mirrors, but they must be selected with much care.

Another possibility: implement automatic testing/round robin for
security.d.o so that only up to date hosts are taken into account (we
should avoid individual security mirror if we are not sure about its


Simon Paillard
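
Added example, not part of the original message: one way the automatic freshness test proposed above could work is to compare the `Date` field of each candidate mirror's `Release` file with the master's and keep only hosts within an allowed lag. The host names, the one-hour threshold and the sample `Release` texts are constructed assumptions, and the files are assumed to have passed signature verification already.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime


def release_date(release_text):
    """Return the Date field of a Release file as an aware UTC datetime, or None."""
    for line in release_text.splitlines():
        if line.startswith(" "):  # continuation lines (checksum lists)
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                return None
            if parsed.tzinfo is None:  # no zone given: treat as UTC
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None


def fresh_mirrors(master_release, mirror_releases, max_lag=timedelta(hours=1)):
    """Names of mirrors whose Release is at most max_lag behind the master."""
    master = release_date(master_release)
    if master is None:
        raise ValueError("master Release has no usable Date field")
    keep = []
    for name, text in mirror_releases.items():
        seen = release_date(text)
        # Fail closed: a missing or unparseable Date counts as stale.
        if seen is not None and master - seen <= max_lag:
            keep.append(name)
    return sorted(keep)


# Constructed sample data (hypothetical hosts, not real mirrors).
MASTER = "Origin: Debian\nSuite: stable\nDate: Sat, 12 Jan 2008 10:00:00 UTC\n"
MIRRORS = {
    "mirror-a.example": MASTER,
    "mirror-b.example": "Origin: Debian\nSuite: stable\n"
                        "Date: Thu, 10 Jan 2008 09:00:00 UTC\n",
    "mirror-c.example": "Origin: Debian\nSuite: stable\n",  # Date missing
}

if __name__ == "__main__":
    print("rotation:", fresh_mirrors(MASTER, MIRRORS))
```

Only the hosts returned by `fresh_mirrors` would be published in the round-robin record; a host that falls behind drops out on the next check and returns once it has caught up.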
