Re: WTF: Debian security, ex. Linux kernel vulnerabilities


Steinar H. Gunderson
On Tue, Sep 20, 2005 at 03:50:14PM +0200, Andreas Barth wrote:
> s.d.o is not offline, just the full bandwidth is used by people
> downloading a security update.

Do we need mirrors for security.debian.org? I would be happy to host such a
mirror if debian-security would want it.

/* Steinar */
--
Homepage: http://www.sesse.net/


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Andreas Barth
* Steinar H. Gunderson ([hidden email]) [050920 16:21]:
> On Tue, Sep 20, 2005 at 03:50:14PM +0200, Andreas Barth wrote:
> > s.d.o is not offline, just the full bandwidth is used by people
> > downloading a security update.

> Do we need mirrors for security.debian.org? I would be happy to host such a
> mirror if debian-security would want it.

Including your offer, there are at least 4 offers I know of as of now.
And if we ask, I'm pretty sure we're able to get much more.


Cheers,
Andi



Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Bob Tanner
In reply to this post by Steinar H. Gunderson
On Tuesday 20 September 2005 09:00 am, Steinar H. Gunderson wrote:
> On Tue, Sep 20, 2005 at 03:50:14PM +0200, Andreas Barth wrote:
> > s.d.o is not offline, just the full bandwidth is used by people
> > downloading a security update.
>
> Do we need mirrors for security.debian.org? I would be happy to host such a
> mirror if debian-security would want it.

Same here.  Reach out to the community and let us help.


--
Bob Tanner <[hidden email]>          | Phone : (952)943-8700
http://www.real-time.com, Minnesota, Linux | Fax   : (952)943-8500
Key fingerprint = AB15 0BDF BCDE 4369 5B42  1973 7CF1 A709 2CC1 B288


Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Andreas Barth
* Bob Tanner ([hidden email]) [050920 16:39]:
> Same here.  Reach out to the community and let us help.

Well, the basic problem with mirrors is:
* How can we be sure that all mirrors are synced _very_ fast? We will
  probably get more negative feedback if some mirrors are delayed by
  more than 10 minutes (and some of our normal mirrors are _way_ worse).
* How do we make sure that potential issues can be fixed "fast enough"?

Of course, none of these questions is unsolvable, and there are
currently discussions underway about how we can do it sensibly, but it's not
as trivial as one might hope in the beginning of that discussion.


Still, thank you very much for your offer (and I really hope that we can
make use of the mirroring offers one day).


Cheers,
Andi



Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Floris Bruynooghe
In reply to this post by Andreas Barth
On Tue, Sep 20, 2005 at 04:23:14PM +0200, Andreas Barth wrote:

> * Steinar H. Gunderson ([hidden email]) [050920 16:21]:
> > On Tue, Sep 20, 2005 at 03:50:14PM +0200, Andreas Barth wrote:
> > > s.d.o is not offline, just the full bandwidth is used by people
> > > downloading a security update.
>
> > Do we need mirrors for security.debian.org? I would be happy to host such a
> > mirror if debian-security would want it.
>
> Including your offer, there are at least 4 offers I know of as of now.
> And if we ask, I'm pretty sure we're able to get much more.

Some of the mirrors are mirroring security already.  Take one of my
home mirrors for example:  ftp.kulent.kuleuven.ac.be, they have a
debian-security directory that, upon inspection, looks like real
security.

No, I don't use it as security since it's unofficial.  I suspect
however it is their own way of apt-proxying security for themselves
(they have a lot of hosts afaik).

If this was made official in some way I'd be more than happy to use a
mirror.

Greetings
Floris


--
Debian GNU/Linux -- The power of freedom
www.debian.org | www.gnu.org | www.kernel.org



Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Bjørn Mork-2
In reply to this post by Andreas Barth
Andreas Barth <[hidden email]> writes:
> * Bob Tanner ([hidden email]) [050920 16:39]:
>> Same here.  Reach out to the community and let us help.
>
> Well, the basic problem with mirrors is:
> * How can we be sure that all mirrors are synced _very_ fast? We will
>   probably get more negative feedback if some mirrors are delayed by
>   more than 10 minutes (and some of our normal mirrors are _way_ worse).

Maybe using an http-proxy cache hierarchy?  Any missing file on a mirror
will be retrieved immediately.  You'll have full control on the sync
rate by tuning the freshness of the indexes.

Using squid or some other proxy as a web frontend will also remove the
load generated by x apache threads, if that is ever a problem...


Bjørn


Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Mike Gerber
In reply to this post by Andreas Barth
Andreas Barth schrieb/wrote/a écrit/escribió:
> Well, the basic problem with mirrors is:
> * How can we be sure that all mirrors are synced _very_ fast? We will
>   probably get more negative feedback if some mirrors are delayed by
>   more than 10 minutes (and some of our normal mirrors are _way_ worse).

Don't let primary mirrors pull, push the updates to them.


Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Michael Stone-2
>Don't let primary mirrors pull, push the updates to them.

There's a new idea.

Please, believe that there are people working on the problem. It's a
question of getting agreements in place and logistics and timing and
other essentially non-technical issues. A long thread full of
suggestions for how to fix things which probably isn't going to be read
by the people in a position to fix things (because they're already aware
of how to do it) isn't really going to help. If people want to discuss
it for their own amusement, fine, have at it--but don't get pissed if
the thread doesn't seem to get a lot of attention.

Mike Stone



Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Bernd Eckenfels
In reply to this post by Mike Gerber
In article <[hidden email]> you wrote:
> Don't let primary mirrors pull, push the updates to them.

Make the mirrors simple reverse http caches for the packages.

Gruss
Bernd



Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Michel van der Klei
In reply to this post by Steinar H. Gunderson
On Tue, Sep 20, 2005 at 04:00:23PM +0200, Steinar H. Gunderson wrote:
> On Tue, Sep 20, 2005 at 03:50:14PM +0200, Andreas Barth wrote:
> > s.d.o is not offline, just the full bandwidth is used by people
> > downloading a security update.
>
> Do we need mirrors for security.debian.org? I would be happy to host such a
> mirror if debian-security would want it.

And so am I ......

Greetz,

Michel van der Klei
http://www.mitch-it.com



Re: WTF: Debian security, ex. Linux kernel vulnerabilities

Goswin von Brederlow
In reply to this post by Andreas Barth
Andreas Barth <[hidden email]> writes:

> * Bob Tanner ([hidden email]) [050920 16:39]:
>> Same here.  Reach out to the community and let us help.
>
> Well, the basic problem with mirrors is:
> * How can we be sure that all mirrors are synced _very_ fast? We will
>   probably get more negative feedback if some mirrors are delayed by
>   more than 10 minutes (and some of our normal mirrors are _way_ worse).

Send the announcement more than 10 minutes after the mirror pulse.

> * How do we make sure that potential issues can be fixed "fast enough"?

Put the mirror and security.d.o into the sources.list. That way
apt-get fixes the usual issues itself by falling back to the root if
needed.

This also solves the unmentioned "How can I be sure the mirror is
current" issue.

> Of course, none of these questions is unsolvable, and there are
> currently discussions underway about how we can do it sensibly, but it's not
> as trivial as one might hope in the beginning of that discussion.
>
>
> Still, thank you very much for your offer (and I really hope that we can
> make use of the mirroring offers one day).
>
>
> Cheers,
> Andi

MfG
        Goswin
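
A sketch of the freshness check behind the "How can I be sure the mirror is current" question in the message above: compare the `Date` field of a mirror's Release file with the origin's and apply the 10-minute tolerance mentioned in the thread. This is an added example, not code from any poster or from Debian; the function names and both Release excerpts are constructed, and it does not verify signatures.

```python
from datetime import datetime, timedelta, timezone

MAX_LAG = timedelta(minutes=10)  # tolerance taken from the thread's "10 minutes"

# Constructed Release excerpts (not real archive data; checksum is a dummy value).
ORIGIN_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Tue, 20 Sep 2005 13:30:00 UTC
MD5Sum:
 00000000000000000000000000000000 1024 main/binary-i386/Packages
"""
MIRROR_RELEASE = ORIGIN_RELEASE.replace("13:30:00", "09:00:00")


def parse_release(text):
    """Return the top-level fields of a Release file; indented checksum rows are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def release_date(fields):
    """Parse the Date field (UTC) into an aware datetime."""
    stamp = datetime.strptime(fields["Date"], "%a, %d %b %Y %H:%M:%S UTC")
    return stamp.replace(tzinfo=timezone.utc)


def mirror_status(origin_text, mirror_text, now, max_lag=MAX_LAG):
    """'current' if the mirror has the origin's index, 'syncing' if it is behind
    but the origin's index is younger than max_lag, otherwise 'stale'."""
    origin, mirror = parse_release(origin_text), parse_release(mirror_text)
    if origin.get("Suite") != mirror.get("Suite"):
        raise ValueError("Release files describe different suites")
    if release_date(mirror) >= release_date(origin):
        return "current"
    behind_for = now - release_date(origin)
    return "syncing" if behind_for <= max_lag else "stale"


if __name__ == "__main__":
    check_time = datetime(2005, 9, 20, 13, 50, tzinfo=timezone.utc)
    print(mirror_status(ORIGIN_RELEASE, MIRROR_RELEASE, check_time))
```

A mirror reported as `stale` is one a client should skip in favour of the origin entry in its sources.list.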

