Re: Mirror keys?
wiz ger wrote:
> I've been puzzling over how to set up a push client mirror. Specifically,
> how to get hold of the public key for the upstream mirror. I need to put
> that key in my authorized key file to allow the upstream mirror to trigger
> the sync.
You get them from the administrator of your upstream mirror. Did you ask
them already if they will push to your mirror?
> Since what I want is a local copy of the debian-security,
debian-security AFAIK is not offered by push for the public.
You can, though, do a simple cron-based rsync. That's what we do. But
please use your local copy only as cache and still include
security.debian.org in your sources.list.
E.g. we use
deb http://security.debian.ethz.ch/ stable/updates main
deb http://security.debian.org/ stable/updates main
in our sources.list files.
If the package is already in the local cache, it's fetched from there,
otherwise it's fetched from one of the security.debian.org servers.
> I did an nslookup on security.debian.org, put the resulting IP
I do get 6 different IPs for security.debian.org... (May vary
depending on your location on the globe.)
> into a web browser and then ended up at schein.debian.org. Then
> searching within db.debian.org I searched for schein and was able to
> copy the public key from the resulting webpage.
That's its SSH host key, not a push mirror key.
> This works, but seems a bit convoluted. Also, it doesn't work for a mirror
> such as ftp.ca.mirror.org
I think you mean ftp.ca.debian.org.
> because this server doesn't have an entry at db.debian.org.
Many mirrors are run by local people (not necessarily Debian
Developers) and do not run on Debian-owned machines.
E.g. the mirror I administrate is owned and run by my university. As
with many ftp.$COUNTRY.debian.org DNS entries, they're only CNAME
entries pointing to a DNS record under control of the local admins. In
my case ftp.ch.debian.org points to debian.ethz.ch.
> We are encouraged to pull from the mirrors (www.debian.org/mirror/ftpmirror),
> shouldn't the keys be easily available?
No, because they're just needed for push-mirrors and for that, someone
on the other end needs to set up the push. If you want to be pushed by
a specific mirror, try to find its administrator (e.g. by looking up
the sponsor of a mirror at https://www.debian.org/mirror/sponsors),
e.g. if you want to get pushed by ftp.ch.debian.org, you would likely
contact the helpdesk of the IT of the Department of Physics at ETH
Zurich (as mentioned on http://ftp.ch.debian.org/).
http://ftp.ca.debian.org/ unfortunately doesn't seem to provide such
information on the web page, but at least one of the servers seems to
be run by iweb.ca.
Hope this makes things clearer.
,''`. | Axel Beckert <firstname.lastname@example.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
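
An added example, not part of the original message: a small check that a sources.list which uses a local security cache still lists security.debian.org for the same suite, as the reply recommends. It assumes the one-line sources.list format and that security suites are named "<suite>/updates" or "<suite>-security"; the function names and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "security.debian.org"  # the fallback the message says to keep
# Assumption: security suites are named "<suite>/updates" (as in the message)
# or "<suite>-security" (the naming used since Debian 11).
SECURITY_SUITE = re.compile(r"(/updates|-security)$")
# One-line format: deb [options] uri suite [component ...]
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_entries(text):
    """Yield (type, host, suite) for each active one-line-style entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY.match(line)
        if m:
            kind, uri, suite = m.group(1), m.group(2), m.group(3)
            yield kind, (urlsplit(uri).hostname or ""), suite


def missing_fallback(text):
    """Return sorted (type, suite) pairs served only by a non-official host."""
    hosts = {}
    for kind, host, suite in parse_entries(text):
        if SECURITY_SUITE.search(suite):
            hosts.setdefault((kind, suite), set()).add(host)
    return sorted(k for k, h in hosts.items() if OFFICIAL_HOST not in h)


# Constructed samples: the first mirrors the two lines quoted in the message,
# the second has the official entry commented out.
GOOD = """\
deb http://security.debian.ethz.ch/ stable/updates main
deb http://security.debian.org/ stable/updates main
"""
BAD = """\
deb http://security.debian.ethz.ch/ stable/updates main
# deb http://security.debian.org/ stable/updates main
deb http://debian.ethz.ch/debian/ stable main
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, missing_fallback(sample) or "ok")
```
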