| hallyn | aw man the livestream talks sounded horribly interesting. i had to go and sleep like a dullard | 12:48 |
|---|---|---|
| sarnold | hallyn: yeah, I only watched part of lamport's presentation, I liked it.. bummer about the usual au-rest-of-world-timing :) | 18:07 |
| hallyn | they should do a US-tz replay :) (assuming they don't want recordings to be forever available) | 18:09 |
| sarnold | yeah, ideally they'd throw them on youtube, but .. I can kinda see why they might want to own them | 18:19 |
| Madars | how could one get https for security.ubuntu.com (like Debian has done for a while now)? it would be very nice as a defense-in-depth against bugs in apt (like https://www.debian.org/security/2016/dsa-3733 https://www.debian.org/security/2019/dsa-4371 both had HTTP MITM -> instant root) | 18:32 |
| sarnold | oh hey madars :) | 18:35 |
| Madars | hello sarnold ! :) | 18:36 |
| sarnold | adding https to the archives has been on the todo list for a while, I'm not sure what progress has been made or where that is so far.. the security server may or may not be part of those plans, I'll double-check | 18:37 |
| Madars | I recently looked at https://launchpad.net/ubuntu/+archivemirrors and was pleased to see that there are https mirrors in every geography now | 18:38 |
| Madars | except for the ubuntu-security pocket haha | 18:39 |
| mdeslaur | I wouldn't hold my breath, we'd have to get rid of the mirrors to be able to properly enable https | 18:39 |
| mdeslaur | I suggest you pick one from that list and use it directly | 18:40 |
| sarnold | mdeslaur: I think jsing had found a way to make it happen | 18:40 |
| sarnold | not holding your breath is a good ide athough | 18:40 |
| mdeslaur | oh? | 18:40 |
| sarnold | top tip :) | 18:40 |
| sarnold | yeah, but sadly it was hidden in a google doc | 18:41 |
| Madars | mdeslaur: hmm, why get rid of mirrors? I think Debian still has http-only mirrors, yet people who want HTTPS can enable those (e.g. Crostini in ChromeOS uses https://cdn-fastly.deb.debian.org/ for all pockets) | 18:41 |
| mdeslaur | Madars: because we'd have to hand out ssl certs to all of them? | 18:42 |
| Madars | ohhh, that's assuming you want them to keep https://security.ubuntu.com name (which the above deb.debian.org mirrors don't) | 18:42 |
| cipherboy | mdeslaur: If they already have the http namespaces, wouldn't they be able to claim a LE cert for that name via the wellknown/http dir challenge type? | 18:43 |
| cipherboy | mdeslaur: https://letsencrypt.org/docs/challenge-types/ -- see HTTP-01 challenge type. | 18:43 |
| mdeslaur | I don't know, I don't know how all of that magic works | 18:43 |
| mdeslaur | cipherboy: how would that enable them to get a cert for "archive.ubuntu.com"? | 18:44 |
| mdeslaur | we currently round-robin the mirrors under our own domain name | 18:44 |
| sarnold | I think the provided mirrors are only on country-specific names, eg de.archive.ubuntu.com | 18:45 |
| mdeslaur | yes, but multiple mirrors per country | 18:45 |
| sarnold | yeah | 18:45 |
| cipherboy | mdeslaur: Ah I thought it was down a domain (e.g., osuosl.mirrors.ubuntu.com) | 18:45 |
| mdeslaur | no | 18:45 |
| cipherboy | mdeslaur: sarnold: You could set up RR via 302 redirect and then assign them subdomains. But otherwise, yeah, you'd need to hand out certs. :/ | 18:46 |
| mdeslaur | oh, hrm, apt apparently supports SRV records now | 18:48 |
| Madars | whoops, I think there are two different issues: a) having _a_ ubuntu-security pocket HTTPS mirror (even if that uses a different name, e.g. https://cdn-fastly.security.ubuntu.com/ubuntu-security ) for users who desire one; this is what Debian does ; b) having every security.ubuntu.com mirror be HTTPS and have it as default | 18:49 |
| Madars | I'm not aware of any practical way to do (b) without giving security.ubuntu.com cert to too many actors, however having something for (a) would be pretty cool :) | 18:52 |
| sarnold | security.ubuntu.com is only hosted in-house, no contributed stuff there; I don't know if those machines would be up for that kind of load though | 18:53 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!