
Re: HTTPS metadata in Mirrors.masterlist?



On 13484 March 1977, Colin Watson wrote:

>> Would it be possible, then, to add "Archive-https: /debian/" to the
>> "Site: mirrors.kernel.org" stanza in Mirrors.masterlist, and perhaps
>> start maintaining Archive-https fields for other mirrors willing to
>> participate?  That would at least get a minimal list started for this
>> mode.

The list should be the smallest problem, one more field doesn't matter
too much.

The biggest problem I see is with what Kurt posted:

> So the first question I have about this if we can get
> ftp.TLD.debian.org certificates for this, and what happens when
> that host is down and DNS gets pointed to a different host?

> I have to guess that we should only do that on the hostname that
> is not ftp.TLD.debian.org, while I think it now only shows that
> name?

I see no real problem in getting certificates for those domains - way
more interesting is the handling of them. ftp.*.d.o gets pointed around
to other mirrors when the usual "owner" of it is down for whatever
reason. Depending on the country it may also end up on mirrors really
far away (better that than no ftp.whatever.d.o). So some mirror
somewhere may not just need one of those certs, but multiple[1]. And a
single cert/key must be on loads of mirrors. And then comes handling of
renewals too.

So only using it on the mirror's actual hostname would be sensible.

Which would mean extra entries in the mirror list, should the mirror be
able to run ftp.*.d.o, as (currently) the Archive-* entries are only
path values, not full URLs, so they apply to all Site: and Alias: tags.
(Plus much more mirror config for their apache/nginx/whatever, but that's
true for https anyways)


[1] Unless we really can do a wildcard of ftp.*.debian.org, which I don't
    know, but which would allow mirror admins to use it for
    ftp.anything.debian.org too. Huh.

-- 
bye, Joerg
'To Start Press Any Key'. Where's the ANY key? 
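
The point in the message above, that a path-only Archive-https field applies to every Site: and Alias: name in a stanza, worked through as an added example that is not part of the original message or of any Debian tooling. The stanza is constructed (only the Site value and the field names come from the thread; both Alias values are placeholders) and all function names are hypothetical.

```python
# Constructed stanza in "Field: value" form. ftp.xx.debian.org and
# mirror2.example.org are placeholder aliases, not real list entries.
STANZA = """\
Site: mirrors.kernel.org
Alias: ftp.xx.debian.org
Alias: mirror2.example.org
Archive-http: /debian/
Archive-https: /debian/
"""

def parse_stanza(text):
    """Return {field: [values]} for one stanza; repeated fields accumulate."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def is_rotating(host):
    """True for ftp.<label>.debian.org, the names DNS re-points between mirrors."""
    labels = host.lower().split(".")
    return (len(labels) == 4 and labels[0] == "ftp"
            and labels[2:] == ["debian", "org"])

def plan(text):
    """Expand Archive-https over Site and Alias names.

    Returns (own, rotating): URLs on the mirror's own hostnames, and URLs on
    ftp.*.debian.org names, which would need a cert/key shared across mirrors.
    """
    fields = parse_stanza(text)
    paths = fields.get("Archive-https", [])
    if not paths:
        return [], []
    own, rotating = [], []
    for host in fields.get("Site", []) + fields.get("Alias", []):
        bucket = rotating if is_rotating(host) else own
        bucket.append(f"https://{host}{paths[0]}")
    return own, rotating

if __name__ == "__main__":
    own, rotating = plan(STANZA)
    print("own hostnames:", own)
    print("would need a shared ftp.*.debian.org cert:", rotating)
```
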

