
Re: Debian Security



On Sat, Jul 24, 2021 at 01:07:24AM -0400, Polyna-Maude Racicot-Summerside wrote:
> Hi !
> How would you copy the debian security update repository ?
> I know it's not recommended.
> But I'd like to do so.
> -- 
> Polyna-Maude R.-Summerside
> -Be smart, Be wise, Support opensource development
> 

In general, this is a very bad idea because - and only because - you don't want
the possibility of machines getting incorrect / out of date fixes.
Security-critical things are security-critical - trying to maintain one
canonical source of truth where uploads are moderated and from a known source
is hard. Forcing people to go to the one source solves that problem in one
sense (and may also lessen the risk of some Evil Hacker maintaining a 
security repository stuffed with malware and spoofing).
[Having said all that: I've a feeling that security.d.o is actually a set
of servers to serve Europe/Asia/N. America behind the content delivery
network.]

If you really, really, really want to do it properly: I'd suggest approaching
the people in charge of security.d.o, having a conversation about exactly
what you want to do, why and for how many people. You'd probably need to 
assure them that your mirror will be relatively secure from attack - so their
machines are not at risk - and then arrange for some form of push mirroring, 
so that they push updates to you at their convenience. This means that they
will need the ability to have an account on your machine sufficiently to
use ssh and forced commands to push the updates.

Debian mirrors in general are updated about four times a day and it's 
asynchronous. Pushed updates mean that everyone gets a drip feed of updates
whenever they're published. This is how several of us currently run private
mirrors for the main Debian distribution.

Unless you are a bank / government agency / pharmaceutical company that 
keeps all critical systems airgapped and entirely isolated from the Internet, 
maintaining a separate security mirror may be more trouble than it's worth
in my opinion.

All the very best, as ever,

Andy Cater
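
An added example, not part of the original message and not Debian's own tooling: a forced-command wrapper for the account the reply says the upstream would use over ssh. It assumes the push arrives as a fixed trigger string that starts a local sync job; the token `sync:security`, the script paths and the `authorized_keys` line are hypothetical.

```shell
#!/bin/sh
# Forced-command wrapper for the account the upstream uses to signal a push.
# Assumed authorized_keys entry on the mirror (key material is a placeholder):
#   restrict,command="/usr/local/bin/mirror-trigger" ssh-ed25519 <UPSTREAM_PUBLIC_KEY> push
# sshd runs this script whatever the client asks for; the client's request
# is only visible as the string in SSH_ORIGINAL_COMMAND.

SYNC_CMD="${SYNC_CMD:-/usr/local/bin/run-mirror-sync}"  # hypothetical sync job
LOCK_DIR="${LOCK_DIR:-/tmp/mirror-sync.lock}"           # hypothetical lock path

# Map the client's request to a decision; only one exact token is accepted.
decide_push() {
    case "$1" in
        sync:security) echo sync ;;
        *)             echo reject ;;
    esac
}

# Run the sync at most once at a time; mkdir is atomic, so it works as a lock.
run_sync_locked() {
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "sync already running" >&2
        return 75
    fi
    rc=0
    "$SYNC_CMD" || rc=$?
    rmdir "$LOCK_DIR"
    return "$rc"
}

handle_push() {
    if [ "$(decide_push "$1")" = sync ]; then
        run_sync_locked
    else
        # Never echo or execute the request; only record that it was refused.
        peer="${SSH_CONNECTION:-unknown}"
        echo "rejected request from ${peer%% *}" >&2
        return 1
    fi
}

# Only act when sshd supplied a request; a session without one just ends.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    handle_push "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

The `restrict` option disables PTY allocation and all forwarding for that key, so the account can do nothing except run this wrapper.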


