[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security mirrors?

On Mon, 2008-01-14 at 00:02 +0100, Simon Paillard wrote:
> On Sat, Jan 12, 2008 at 11:32:15AM +0100, Josip Rodin wrote:
> > On Mon, Jan 07, 2008 at 02:41:52AM -0200, Carlos Carvalho wrote:

> > This wasn't enough to convince Joey that we're wasting bandwidth and that it
> > would be a good idea to start doing something about it. So, the status quo
> > is kept - you can freely molest the security.d.o front-end machines via
> > rsync, but you can't have them push you in order.
> Obsiously havin few security mirrors concentrates bandwidth needs.
> But in my opinion, having few security mirrors is a way to be almost
> sure about their status.
> We already experienced official Debian mirrors (supposed to be pushed)
> being out of date, because its admin doesn't take car of it as it should.
> But if the security mirror configured on a host is unreachable or
> outdated, it's by far worse than having the standard archive outdated.
> That's why I think we can spread the security mirror load on a few
> mirrors, but they must be selected with much care.
> Other possibility : implement automatic testing/round robin for
> security.d.o so that only up to date hosts are take into account (we
> should avoid individual security mirror if we are not sure about its
> reliability).

I'm involved in a research project that tries to solve these problems
(and some others, as well :). We are currently working on a secure
drop-in replacement for the current Debian mirroring tools based on the
FirePatch protocol [1]. Having this, security updates can safely be
carried by any untrusted 3rd-party mirror.

Although, I currently only have a generic implementation of the
FirePatch protocol, I do hope that once we start to get the Debian tools
up and running, the community will be interested.

[1] http://www.iad.cs.uit.no/pubs/firepatch.pdf

  Håvard Johansen

Reply to: