
Re: Debian Security



Hi,

On 2021-07-24 5:33 a.m., Andrew M.A. Cater wrote:
> On Sat, Jul 24, 2021 at 01:07:24AM -0400, Polyna-Maude Racicot-Summerside wrote:
>> Hi!
>> How would you copy the Debian security update repository?
>> I know it's not recommended.
>> But I'd like to do so.
>> -- 
>> Polyna-Maude R.-Summerside
>> -Be smart, Be wise, Support opensource development
>>
> 
> In general, this is a very bad idea because - and only because - you don't want
> the possibility of machines getting incorrect / out of date fixes.
> Security-critical things are security-critical - trying to maintain one
> canonical source of truth where uploads are moderated and from a known source
> is hard. Forcing people to go to the one source solves that problem in one
> sense (and may also lessen the risk of some Evil Hacker maintaining a 
> security repository stuffed with malware and spoofing).
> [Having said all that: I've a feeling that security.d.o is actually a set
> of servers to serve Europe/Asia/N. America behind the content delivery
> network.]
> 
> If you really, really, really want to do it properly: I'd suggest approaching
> the people in charge of security.d.o, having a conversation about exactly
> what you want to do, why and for how many people. You'd probably need to 
> assure them that your mirror will be relatively secure from attack - so their
> machines are not at risk - and then arrange for some form of push mirroring, 
> so that they push updates to you at their convenience. This means that they
> will need the ability to have an account on your machine sufficiently to
> use ssh and forced commands to push the updates.
> 
> Debian mirrors in general are updated about four times a day and it's 
> asynchronous. Pushed updates mean that everyone gets a drip feed of updates
> whenever they're published. This is how several of us currently run private
> mirrors for the main Debian distribution.
> 
> Unless you are a bank / government agency / pharmaceutical company that 
> keeps all critical systems airgapped and entirely isolated from the Internet, 
> maintaining a separate security mirror may be more trouble than it's worth
> in my opinion.
> 
Thanks for all those explanations.
I was thinking about using maybe aptly and signing my own repository.
This wouldn't be a direct copy of security updates @ debian.org but
would be my own.
I understand the risk involved but I can assume this risk.
The same way I assume some risk and choose to go on the safe side for others.
For example, I don't encrypt my hard disk partition, that's a choice I
assume.
But I do use SSH on my home network instead of a password.

There's no risk of an "evil hacker", but as I install Debian in people's
homes and some of them have limited bandwidth, even paying big extras per
GB when they are deep in the countryside, I can't assume the customer
can have access to the security updates that will be installed after the
normal Debian installation.

Given that they'll already need to keep themselves up to date and this will
incur some fees, it's better if I limit those at installation.

> All the very best, as ever,
> 
> Andy Cater
> 
> 

-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
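The risk Andy raises, a private mirror quietly serving out-of-date fixes, is something the client side can detect from the repository metadata itself. Debian's Release/InRelease files carry a Date and a Valid-Until timestamp, and apt refuses metadata past its Valid-Until by default (Acquire::Check-Valid-Until); Acquire::Max-ValidTime lets an administrator impose a tighter bound. Once a repository is re-signed with your own key, as the aptly approach above would do, the upstream Valid-Until no longer protects anyone: whatever your publishing tool writes (or omits) is what clients see. The following check, added here as an example and not code from either poster, parses a Release header and classifies its freshness; the sample Release text and the checksum line in it are constructed, and signature verification is deliberately out of scope (verify the file with the repository key before trusting any of these fields).

```python
"""Freshness check for an apt Release/InRelease header.

Added example for the Debian list thread above; not code from either poster.
The sample Release text is constructed and its checksum line is a placeholder.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the header of a Debian-style Release file.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable-security
Codename: bullseye-security
Date: Sat, 24 Jul 2021 08:05:12 UTC
Valid-Until: Sat, 31 Jul 2021 08:05:12 UTC
Architectures: amd64 arm64
Components: main
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 0 main/binary-amd64/Packages
"""

# Timestamp format Debian writes into Release files (RFC 1123 style, always UTC).
DATE_FORMAT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_release(text):
    """Return the top-level 'Key: value' fields of a Release file.

    Continuation lines (starting with whitespace) belong to the multi-line
    checksum sections and are skipped; this check only needs the header.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_release_date(value):
    """Parse a Release timestamp into an aware UTC datetime."""
    return datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)


def release_status(text, now, max_age=None):
    """Classify a Release file's freshness at time `now` (an aware datetime).

    Returns one of:
      "not-yet-valid"  - Date lies in the future (clock skew or forged metadata)
      "expired"        - Valid-Until has passed; apt rejects this by default
      "stale"          - older than the caller's own max_age bound
                         (the local analogue of apt's Acquire::Max-ValidTime)
      "no-valid-until" - publisher set no expiry, so staleness cannot be
                         detected from the metadata alone
      "fresh"          - inside the Valid-Until window and under max_age
    A missing Date field raises ValueError, since nothing can be decided.
    """
    fields = parse_release(text)
    if "Date" not in fields:
        raise ValueError("Release file has no Date field")
    published = parse_release_date(fields["Date"])
    if published > now:
        return "not-yet-valid"
    valid_until = fields.get("Valid-Until")
    if valid_until is not None and now > parse_release_date(valid_until):
        return "expired"
    if max_age is not None and now - published > max_age:
        return "stale"
    if valid_until is None:
        return "no-valid-until"
    return "fresh"


if __name__ == "__main__":
    checks = [
        ("one day after publication", datetime(2021, 7, 25, tzinfo=timezone.utc)),
        ("two weeks after publication", datetime(2021, 8, 7, tzinfo=timezone.utc)),
    ]
    for label, when in checks:
        print(f"{label}: {release_status(SAMPLE_RELEASE, when)}")
```

Run it against the InRelease file your mirror actually serves (after checking its signature) and alert on anything but "fresh"; a mirror that falls behind will show up as "expired" or "stale" long before a customer notices a missing fix.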
