Re: Request for I2P access from those hosting a debian mirror
Hi,
yxjxxcmht@sigaint.org wrote:
> >Since I2P is not yet[1] available in Debian, the chances for this are low.
>
> I understand. But aren't the mirrors voluntarily ran?
Yes.
> Wouldn't it be up to them to run such a service if they decided to?
Yes. I only stated that the probability is low, but not that it's
zero. :-)
> >[1] https://bugs.debian.org/448638
>
> Looks like killyourtv has some I2P packages for debian that work. I think
> he also manages the Tails I2P package.
I've just pinged someone from the Tails project who pings the one
who's doing the I2P packages for Tails to see if we can't include them
in Debian in the future, too.
So thanks for making me aware of that RFP.
> > There's though apt-transport-tor, [...]
>
> That is a nice feature. I see a few minor problems however.
> Tor is not designed by default to make end to end encrypted connections
> between clients and servers, at least not without server configuration
> such as hosting an onion service.
Granted.
> Alternatively the server might allow https, which is good for
> privacy but seeing as the software is checked in apt regardless it
> is really not a vast security improvement. The HTTPS requires paying
> a certificate authority to validate and sign the repositories cert,
> it also requires the users trust the certificate authorities are not
> compromised by exploit or secret laws.
See also https://lists.debian.org/debian-mirrors/2014/10/msg00011.html
for that discussion.
>From my point of view the main practical issue is that any official
primary mirror would even need two SSL certificates: One from the guys
running the mirror and one from Debian. And this again would mean we
need to use SNI. (Which though should be no technical issue nowadays,
but reduces privacy again as the virtual host name being used in the
request is no more encrypted.)
Let me explain that with an example:
ftp.ch.debian.org is the same machine as debian.ethz.ch
Since ftp.ch.debian.org is a CNAME to debian.ethz.ch, they have the
same IP addresses.
Hence I can only enable HTTPS for either both or none. So I would need
SSL certificates for both hostnames. Since they have different domain
names it's defacto impossible to get them into a single certificate if
it should be signed by any CA in Debian and the commonly known web
browsers.
So I'd need one certificate from Debian and one from ETHZ.
Additionally, in case of an announced longer downtime of
debian.ethz.ch, the ftp.ch.debian.org CNAME usually points to some
other debian mirror (usually ftp.de.debian.org, ftp2.de.debian.org or
ftp.nl.debian.org) -- which again may not provide HTTPS or may provide
HTTPS but does not have an SSL certificate with ftp.ch.debian.org as
subjectAltName and hence cause warnings despite everything is setup as
it was wanted.
This may become simpler in the future with DANE/TLSA, but for that all
involved parties need DNSSEC. (debian.org has DNSSEC, but e.g. ethz.ch
hasn't yet.)
> I am asking for some of the repository operators to consider and perhaps
> research what it would take to host an I2P tunnel to their mirror.
Thanks for the explanations!
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
`- | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
Reply to: