Re: Mirror keys?

To: wiz ger <max.u.789@gmail.com>
Cc: debian-mirrors@lists.debian.org
Subject: Re: Mirror keys?
From: Axel Beckert <abe@debian.org>
Date: Mon, 31 Mar 2014 20:43:04 +0200
Message-id: <[🔎] 20140331184304.GY24124@phys.ethz.ch>
Mail-followup-to: wiz ger <max.u.789@gmail.com>, debian-mirrors@lists.debian.org
In-reply-to: <[🔎] CACrDHcKopKxvMVt4Gkh7CV5bGbtRgAm_8qfh2ZscyAmD9oPe4Q@mail.gmail.com>
References: <[🔎] CACrDHcKopKxvMVt4Gkh7CV5bGbtRgAm_8qfh2ZscyAmD9oPe4Q@mail.gmail.com>

Hi Max,

wiz ger wrote:
> I've been puzzling over how to set up a push client mirror. Specifically,
> how to get hold of the public key for the upstream mirror. I need to put
> that key in my authorized key file to allow the upstream mirror to trigger
> the sync.

You get them from the adminstrator of your upstream mirror. Did you ask
them already if they will push to your mirror?

> Since what I want is a local copy of the debian-security,

debian-security AFAIK is not offered by push for the public.

You though can do a simple cron based rsync. That's what we do. But
please use your local copy only as cache and still include
security.debian.org in your sources.list.

E.g. we use

  deb http://security.debian.ethz.ch/ stable/updates main
  deb http://security.debian.org/ stable/updates main

in our sources.list files.

If the package is already in the local cache, it's fetched from there,
otherwise it's fetched from one of the security.debian.org servers.

> I did an nslookup on security.debian.org, put the resulting IP

I do get 6 different IPs for security.debian.org... (May vary
depending on your location on the globe.)

> into a web browser and then endded up at schein.debian.org. Then
> searching within db.debian.org I searched for schein and was able to
> copy the public key from the resulting webpage.

That's its SSH host key, not a push mirror key.

> This works, but seems a bit convoluted. Also, it doesn't work for a mirror
> such as ftp.ca.mirror.org

I think you mean ftp.ca.debian.org.

> because this server doesn't have an entry at db.debian.org.

Many mirrors are run by local people (not necessarily Debian
Developers) and do not run on Debian-owned machines.

E.g. the mirror I administrate is owned and run by my university. As
with many ftp.$COUNTRY.debian.org DNS entries, they're only CNAME
entries pointing to a DNS record under control of the local admins. In
my case ftp.ch.debian.org points to debian.ethz.ch.

> We are encouraged to pull from the mirrors (www.debian.org/mirror/ftpmirror),
> shouldn't the keys be easily available?

No, because they're just needed for push-mirrors and for that, someone
on the other end needs to setup the push. If you want to be pushed by
a specific mirror, try to find his administrator (e.g. by looking up
the sponsor of a mirror at https://www.debian.org/mirror/sponsors),
e.g. if you want to get pushed by ftp.ch.debian.org, you would likely
contact the helpdesk of the IT of the Department of Physics at ETH
Zurich (as mentioned on http://ftp.ch.debian.org/).

http://ftp.ca.debian.org/ unfortunately doesn't seem to provide such
information on the web page, but at least one of the servers seems to
be run by iweb.ca.

Hope this makes things clearer.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5

Reply to:

References:
- Mirror keys?
  - From: wiz ger <max.u.789@gmail.com>

Prev by Date: Mirror keys?
Previous by thread: Mirror keys?
Index(es):
- Date
- Thread