Re: HTTPS metadata in Mirrors.masterlist?
- To: debian-mirrors@lists.debian.org
- Subject: Re: HTTPS metadata in Mirrors.masterlist?
- From: Axel Beckert <abe@debian.org>
- Date: Wed, 10 May 2017 10:36:33 +0200
- Message-id: <20170510083632.GC6510@sym.noone.org>
- Mail-followup-to: debian-mirrors@lists.debian.org
- In-reply-to: <20170409172409.GA11499@shell.thinkmo.de>
- References: <20140211130429.GA18442@riva.ucam.org> <20140211134553.GA20550@riva.ucam.org> <8738jkogc5.fsf@gkar.ganneff.de> <20170406212035.GI6510@sym.noone.org> <alpine.DEB.2.10.1704071614210.19268@stalin.acc.umu.se> <20170409093700.GJ6344@sarek.noreply.org> <20170409100732.GQ6510@sym.noone.org> <20170409172409.GA11499@shell.thinkmo.de>
Hi,

Bastian Blank wrote:
> On Sun, Apr 09, 2017 at 12:07:33PM +0200, Axel Beckert wrote:
> > Peter Palfrader wrote:
> > > Adding https just makes this a whole extra mess.
> > As outlined in my recent mail I don't think that it's that much of an
> > extra-effort once we track HTTPS in Mirrors.masterlist. And I
> > especially think the gain outweighs the additional effort.
>
> Please describe a workflow that allows us to re-point ftp.*.debian.org at
> will without intervention of the admin of the real system.

IIRC I outlined this before: A wild card certificate for
ftp.*.debian.org (or ftp*.*.debian.org as there are hostnames like
ftp2.de.debian.org out there) on those DSA-controlled machines like
kassia which work as temporary replacement.

> No, Let's Encrypt does not help, as this only allows to add live
> hostnames to certificates.

I'm fully aware of that. But as Mattias Wadenstein already outlined,
there's also a slightly bumpy way to do that if you really want to use
LE for that. I'd prefer a wild card certificate.

Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE