| tomreyn | i'm following bug 1464064, which changed status to 'fix released' today. i understand this as "future releases will default to HTTPS for all default apt archives", and, as a dependency of this, availability of all default apt repositories supporting HTTPS. that's awesome. :) | 15:55 |
|---|---|---|
| -ubottu:#ubuntu-security- Bug 1464064 in Ubuntu "Ubuntu apt repos are not available via HTTPS" [Undecided, Fix Released] https://launchpad.net/bugs/1464064 | 15:55 | |
| tomreyn | i have a questions baout this, however. so far i understood that security.ubuntu.com served as a special archive mirror in that it provides faster access to security fixes than the main archive mirrors do. now when i compare https://archive.ubuntu.com/ubuntu/dists/plucky-security/ to https://security.ubuntu.com/ubuntu/dists/plucky-security/ they seem to provide exactly the same. so i'm wondering: does security.ubuntu.com still provide | 15:58 |
| tomreyn | security updates faster than the normal archive mirrors, or are security updates now provided by normal archive mirrors at the same time? | 15:58 |
| tomreyn | (or is it something else?) | 15:59 |
| mdeslaur | I don't have any details on why that bug was closed, but I assume it's only for the main archive and the security. repo, but not for mirrors, which means it's unlikely to be https in a default install | 15:59 |
| mdeslaur | security.u.c comes preconfigured so that a mirror that has a delay in syncing doesn't prevent someone from getting important security updates | 16:00 |
| mdeslaur | security.u.c is directly hosted on canonical infrastructure | 16:00 |
| mdeslaur | in theory, a mirror that is syncing properly will get all the security updates in a timely fashion | 16:01 |
| tomreyn | security.ubuntu.com and archive.ubuntu.com resolve to the same ip addresses for me. i'm not sure whether or not this contradicts your statement "security.u.c is directly hosted on canonical infrastructure" | 16:02 |
| mdeslaur | archive.ubuntu.com is also hosted by canonical | 16:04 |
| mdeslaur | the mirrors are subdomains of that, for example ca.archive.ubuntu.com | 16:04 |
| mdeslaur | looks like ca.archive.ubuntu is a bad example :) | 16:05 |
| mdeslaur | but it.archive.ubuntu.com is an example | 16:05 |
| tomreyn | i know what you mean, though, some of the country mirrors will point to non canonical maintained mirror servers. | 16:05 |
| sdeziel | tomreyn: Last I checked `archive.ubuntu.com` was pointed at the UK primary mirror but it was also redirected to the US one (those are 2 primary mirrors I know of) a while back when the UK had issues. | 16:05 |
| sdeziel | from past experiences, `security.ubuntu.com` get fixes a tad earlier than `us.archive.ubuntu.com` does | 16:07 |
| mdeslaur | sdeziel: they both resolve to the same ips now, so that's probably not the case anymore | 16:08 |
| mdeslaur | oh wait, I read that wrong | 16:09 |
| mdeslaur | yes, it's plausible that security.u.c gets updates a bit faster | 16:09 |
| mdeslaur | hrm | 16:10 |
| sdeziel | could it be that security fixes first land in -security and then are copied to -updates? | 16:10 |
| sdeziel | as for the DNS, it seems that `security.ubuntu.com` now resolves to both set of IPs so UK/GB and US, that's probably more resilient now :) | 16:11 |
| mdeslaur | so it does look like security.u.c and archive.u.c do resolve to the same ips now | 16:11 |
| mdeslaur | in a default install, a country-specific mirror is usually configured, along with security.u.c | 16:12 |
| sdeziel | hmm, from here, `security.ubuntu.com` resolves to the superset of `gb.archive.ubuntu.com` and `us.archive.ubuntu.com` so 6 IPs total | 16:12 |
| mdeslaur | country specific mirrors may or may not be canonical hosted and the same as archive.u.c | 16:12 |
| mdeslaur | so in cases where the country specific mirror isn't canonical hosted, security.u.c is important so that security updates are obtained even if the mirror is behind in syncing | 16:13 |
| sdeziel | yep | 16:13 |
| mdeslaur | sdeziel: yeah, same here, s.u.c and a.u.c have 6 ips, 3 from us. and 3 from uk | 16:13 |
| sdeziel | I am quite happy with the change as-is, even if that may or may not be something enabled by default in the future | 16:14 |
| mdeslaur | yes, at least it's easy now to opt-in to it | 16:14 |
| mdeslaur | the mirrors were always the major issue | 16:15 |
| tomreyn | thanks for the discussion, mdeslaur and sdeziel. so i think what remains to be understood is: why was bug 1464064 marked as "fix released" when the bug is about (my, much simplified, interpretation - open to discussion) "new installations should always use apt repositories using httpS and still get fast security updates" | 17:09 |
| -ubottu:#ubuntu-security- Bug 1464064 in Ubuntu "Ubuntu apt repos are not available via HTTPS" [Undecided, Fix Released] https://launchpad.net/bugs/1464064 | 17:09 | |
| tomreyn | i guess another way to read the bug report is "apt archive mirrors us.archive.ubuntu.com and security.ubuntu.com should support HTTPS", which is a very different interpretation, and - i think - not what the original report (nor most of the contributors) seemed to intend. | 17:11 |
| tomreyn | i think the first interpretation is what is the revolution that people are seeking, and the second interpretation is maybe what the current state is. | 17:12 |
| tomreyn | (and, to explain this as well, i'm discussing this here for the potential time-to-patch security impact) | 17:13 |
| tomreyn | I just posted this to the bug report as well (spelling out potential interpretation 1 more). | 17:29 |
| mdeslaur | yeah, I think commenting in the bug is the best thing to do, thanks | 17:47 |
| oerheks | apt-transport-https is optional, and one needs ca-certificates too to make it work | 17:58 |
| tomreyn | apt-transport-https is a transitional package because this functionality (HTTPS support) has been implemented in core apt years ago. | 17:59 |
| oerheks | oh oke, the ca-certificates is the culprit? | 18:00 |
| tomreyn | i don't think ca-certificates is an issue. ca-certificates is a core package, installed by default since forever. | 18:04 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!