Re: Possibly moving Debian services to a CDN
> On 2013-11-14 05:20:12, Tollef Fog Heen wrote:
> > ]] anarcat
> >> All the tools currently running the Debian mirror architecture. Some
> >> mirrors may run an FTP mirror on non-free software, but they don't
> >> *have* to, and we unfortunately can't control that.
> > No, they can't. You can't route a packet through the public internet
> > without it hitting non-free software.
> You can't *right now*. I assume you are talking in part of those Cisco
> switches that litter the network, and I can tell you a lot of people are
> tired of those - for example Facebook (of all places...) is building an
> open alternative for those.
I'm not aware of any open source 40GE PHYs for instance? Most of what
I've seen done is around SDN, which is all nice and good, but doesn't
actually make the PHY and MAC firmware free. I haven't been trawling
around, so maybe it's further ahead than I thought.
> > Heck, you can't get a normal server that will run without non-free
> > software. (If nothing else, firmware for the ethernet controller or
> > the firmware for the EC or disks.)
> Sure, but we at least try. A lot of great people are working on coreboot
> and such initiatives that go a long way, probably farther than we've
> ever been, in making sure that the stack is as open as we can.
Even if you restrict yourself to the main UEFI implementation, can you
even get anything free for a modern server there? With warranties?
Having to void your warranty to run a free UEFI implementation is not
something we'd like to do.
> > This is not a two-tone discussion and trying to make it one will not
> > lead to a useful outcome.
> And saying that "because there's proprietary firmware in your BIOS it's
> okay to offload all of Debian's infrastructure to a non-free CDN"
> seems to me to be a slippery slope.
Nobody has talked about moving all of Debian's infrastructure.
> > It's not a vote, and it's easy for the people who do not have to do
> > anything but send mails to a mailing list to say «we should spend more
> > effort».
> Well, if it's not a vote, and if my opinion doesn't actually matter, why
> are we discussing this on -project in the first place?
We were hoping to get some useful feedback.
> And the improvements necessary to get this to a "commercial-grade" CDN
> don't seem to me like much more: some IP alias on the mirror machine,
> and BGP announcements.
> Am I missing something?
Yes. If you're just anycasting an IP, you'll get pretty poor
performance. You need monitoring to make sure the mirror is up to date
and something that automatically updates DNS when it isn't, and puts it
back in when it is. You need to herd the mirror operators, keep them
happy, make sure they're using the right tools so you don't get
transient breakages in the middle of a mirror run. If you're going to
do anycast, you'll need to have BGP announcements sent from a diverse
set of places. You need to monitor your BGP stuff, trace down why you
get suboptimal routing for a given user and get that fixed. You'll need
to run GeoDNS and correlate that with routing so hopefully, the user
hits the best server.

And that's just a few items off the top of my head.

Running a CDN is not hard. Running a CDN well, over time, is hard. It's
something that DSA would not add value by doing ourselves, just like we
would not add value by creating our own OOB solutions or soldering
together our own UPSes. It's not that we can't, it's that it's cheaper
and more reliable to buy a ready-made solution and most important of
all: it's not part of our core mission. It's a means to an end, not an
end goal in itself.
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are