
Re: [SECURITY] [DSA 3547-1] imagemagick security update



On Tue, Apr 12, 2016, at 16:47, Peter Palfrader wrote:
> On Tue, 12 Apr 2016, Henrique de Moraes Holschuh wrote:
> 
> > We list several mirrors carrying debian security updates in
> > https://www.debian.org/mirror/list-full
> 
> I think we shouldn't.

Well, we do, regardless of whether we should or shouldn't.

And, unless we add an alternate-security.d.o or do something else to
offer a backup access for those that get a single choice out of geoip,
it is probably best to not hide that information IMO.

> > We don't disclose which mirrors are members of the security.debian.org
> 
> https://anonscm.debian.org/cgit/mirror/dsa-auto-dns.git/tree/zones/security.debian.org.zone
> 
> is the file that the security.d.o zone is generated from.

Thanks. That helps.

> > Alternate access URIs for several of the security.debian.org pool
> > members *do* exist, but that information seems not to be clearly
> > displayed anywhere.
> 
> They do?  Anything we actually tell people to use?

Yes, they do. And no, we don't tell people to use them.

It is not any sort of a secret, but since you guys don't want people who
don't know better pointing apt to them, I am not naming them here.

> > A good starting point would be to provide a list of official security
> > mirrors (potential members of the security.debian.org pool) that can be
> > accessed directly when geo-ip is directing a user to a pool member that
> > is stale.
> 
> No.  We derotate mirrors regularly for maintenance work.  We don't want
> users to pick their security.d.o mirror.

Then, maybe we should consider a better way to deal with areas where you
get only one choice out of geoip?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh <hmh@debian.org>