/srv/irclogs.ubuntu.com/2025/01/28/#ubuntu-mirrors.txt

08:15 <sandbag> hello, are there any upstream https mirrors?
08:18 <sandbag> apart from archive.ubuntu.com
08:30 <Berge> sandbag: What do you mean by upstream?
08:31 <Berge> There's a big network of country level mirrors, of the form $CC.archive.ubuntu.com and $CC.releases.ubuntu.com
08:33 <sandbag> Berge: like the one which is the first source of truth
08:33 <sandbag> are those country level mirrors mirroring anything else or not?
08:34 <Berge> sandbag: Mirroring other things than Ubuntu?
08:34 <Berge> Many of them would be, yes
08:35 <Berge> There is a system with trigger-based updating of country level mirrors, so they're fairly up to date
08:35 <Berge> Typically
08:35 <Berge> …minutes or hours behind
08:36 <sandbag> > Many of them would be, yes. where can i find that?
08:37 <sandbag> Berge: no, not other things than ubuntu. what i meant is are all those mirrors building from scratch or just mirroring?
08:38 <Berge> sandbag: https://launchpad.net/ubuntu/+archivemirrors
08:38 <sandbag> i saw that, it doesn't mention which mirrors strictly use https
08:38 <Berge> But it will say if a mirror is up to date
08:39 <Berge> HTTPS isn't a requirement for mirror operators. Why do you want that?
08:39 <sandbag> because of security?
08:39 <sandbag> i want to mirror https only
08:39 <Berge> The security of apt does not rely on transport level integrity
08:39 <Berge> Packages are signed and verified
08:39 <sandbag> yes i'm aware. but i still don't want to be snooped by my ISP
08:40 <sandbag> why is https not a requirement? i fail to see that. it doesn't cost anything
08:40 <Berge> The ISP will be able to ascertain _that_ you're downloading something from a Ubuntu mirror, mostly
08:40 <Berge> HTTPS absolutely costs something
08:40 <Berge> Orders of magnitude more CPU load on the mirror, for instance
08:40 <sandbag> there are other things as well, it opens up the possibility of SSL stripping attacks
08:40 <Berge> No, it doesn't
08:41 <Berge> Or, not in a way that's relevant here
08:41 <Berge> Anyway, I don't know of a list of HTTPS enabled mirrors
08:41 <Berge> The one I operate happens to be
08:41 <Berge> But then you have to trust me instead of your ISP (-:
08:41 <sandbag> where does your mirror mirror from?
08:41 <Berge> sandbag: I didn't quite understand your question about building from scratch
08:41 <Berge> You can easily build your own mirror from scratch
08:42 <Berge> The one I operate, no.{releases,archive}.ubuntu.com, is using update triggers
08:42 <sandbag> yes that's a lot of work which is why i wanted mirrors who serve https without mirroring from http mirrors
08:42 <Berge> It gets triggered when there are updates, and then syncs those updates from an upstream
08:42 <Berge> It's immaterial where it syncs from, security wise
08:42 <sandbag> Berge: so ur building the whole repo?
08:42 <Berge> Since you ask, it's using rsync, not HTTP
08:43 <Berge> And without any encryption on the wire
08:43 <Berge> sandbag: Not sure what you mean by building
08:43 <Berge> It's two rsync commands
08:43 <sandbag> the ubuntu packages, etc from source
08:43 <Berge> I'm certainly not building the packages
08:43 <Berge> It's just downloading binary and source packages from a different mirror
08:44 <sandbag> and which mirror is that
08:44 <sandbag> ur understanding what i'm asking?
08:44 <Berge> Depends a bit, but typically from the excellent people at https://www.accum.se/
08:45 <Berge> sandbag: I don't quite understand what you want to know, no
08:45 <Berge> Nor why it's relevant
08:45 <sandbag> i wanna set up an https mirror but the mirror from which i will mirror has to mirror from https exclusively
08:45 <sandbag> all the way to the top
08:45 <Berge> I don't think any mirror does that
08:45 <Berge> All mirrors sync between themselves with rsync
08:45 <sandbag> where u will find a mirror which does building
08:45 <Berge> HTTP would be prohibitively expensive bandwidth wise
08:46 <Berge> sandbag: That _builds_ the packages?
08:46 <Berge> That's not a mirror's task
08:46 <Berge> Canonical operates build farms that build binary packages
08:46 <sandbag> so where do u get those packages from?
08:46 <Berge> As I said, a different mirror
08:47 <sandbag> man i know that. i'm talking about at top
08:47 <Berge> Again, the security of apt packages does _not_ rely on transport level mechanisms, such as HTTPS
08:47 <sandbag> some mirror will eventually have to take those packages directly from canonical
08:47 <Berge> Packages are signed with a completely different system
08:47 <Berge> sandbag: yes
08:47 <sandbag> so how does canonical give it
08:47 <sandbag> to those few mirrors
08:47 <Berge> rsync
08:47 <sandbag> is it https
08:47 <Berge> No, it's rsync
08:47 <sandbag> is there doc for that?
08:47 <Berge> For the program rsync?
08:48 <sandbag> no for distribution of canonical via rsync
08:49 <Berge> I don't, no
08:49 <Berge> It's a trivial thing
08:49 <sandbag> can i create the infrastructure for building those packages and not take from canonical
08:50 <Berge> I don't understand the question
08:50 <Berge> Do you want to build the packages from scratch, and not download the binary packages from a mirror?
08:50 <sandbag> yes. i don't wanna mirror another mirror
08:51 <Berge> But you have to download the source packages from a mirror anyway
08:51 <sandbag> because there aren't any upstream https mirror
08:51 <Berge> Why do you want that?
08:51 <sandbag> because https + pgp is better than just pgp
08:51 <Berge> That is not how the security model works
08:52 <sandbag> defense in depth?
08:52 <Berge> https://archive.ubuntu.com/ is probably the closest you can come to that
08:52 <sandbag> does it mirror from anywhere else?
08:53 <Berge> I don't know how it works internally
08:53 <sandbag> it would be honestly better to have a column in mirror list to see who mirrors whom
08:53 <Berge> That's completely irrelevant
08:53 <Berge> And changes
08:53 <sandbag> why?
08:53 <sandbag> what if someone wants to know the true source
08:53 <Berge> Planned and unplanned maintenance, for instance
08:54 <Berge> I'll move the DNS pointers for the mirror we operate here when it's undergoing maintenance
08:56 <Berge> sandbag: I don't think I have more to add here
08:57 <Berge> The security model for package integrity is not based on transport level security in any way, and thus mirror operations behind the scenes optimise for things like bandwidth and CPU
08:58 <Berge> This is what allows randoms (like me) to operate Ubuntu mirrors, without Canonical having to rely on my integrity, or the integrity of the server, its physical security, my security practices, and so on
09:09 <sandbag> ok
09:10 <maswan> the project/trace directory will tell you the mirror hierarchy
09:11 <maswan> but again, it is all over rsync and not http/https anyhow
09:11 <maswan> and the main reason why cctld.archive.ubuntu.com doesn't use https is that it'll get repointed to other mirrors as needed so that it'll always work
09:17 <Berge> They left
09:18 <kotodama> ah yeah they left
09:18 <kotodama> strange question
09:18 <kotodama> there is no source mirror, Canonical archive servers are the source...
09:19 <kotodama> I can understand the desire to not be snooped on by their ISP, but then I don't really get what they were aiming for here
09:20 <Berge> Their ISP will trivially see that you're downloading packages from an Ubuntu mirror anyway, in most cases
09:21 <kotodama> indeed
09:22 <kotodama> and they can still deep inspect / check for sizes to determine the package
09:22 <kotodama> makes it more difficult though
09:22 <kotodama> we enabled HTTPS on our archive servers because well... it's 2024 :)
09:23 <maswan> kotodama: we have https on our mirror, but not for the cctld stuff since that'll break when it gets repointed. same for debian
09:24 <kotodama> heh indeed
10:03 <mgedmin> I think interest in https for apt archives grew after that CVE where apt would process http response headers badly, leading to remote code execution or something like that?
10:04 <mgedmin> suddenly all the "why care about mitm, the release file is validated via gpg" responses seemed quieter
10:09 <Berge> It's a thin layer of extra security, though
10:09 <Berge> You'd have to trust the randoms operating the mirrors
10:22 <grove> Currently the CPU requirements to mirror a lot of stuff (we mirror ~90 projects on our mirror server) are fairly minor; if we had to build all that stuff, that would increase many many times. We would probably have to consider cutting back on the number of projects we mirror
10:23 <Berge> _Building_ the packages would be absolutely unreasonable
10:23 <Berge> And without reproducible builds, it'd be actively harmful to security
11:29 <asomerset> wait don't all the cctld mirror operators not sync direct from canonical "CDN" anyway?
11:35 <Berge> asomerset: no, there are tiers
11:36 <Berge> Our mirror (no.[ar].u.c) has excellent connectivity to maswan's crowd's mirror
11:36 <asomerset> UBUARC_MIRROR=archive.ubuntu.com::ubuntu/
11:36 <asomerset> i seem to be drinking the koolaid straight from the fountain
11:37 <asomerset> for most of Africa
11:38 <Berge> Firehose fountain
11:38 <Berge> asomerset: You run an Africa mirror?
11:38 <Berge> African, even
11:53 <asomerset> yep it's officially in Kenya, but serves most of East and Southern Africa
11:54 <Berge> cool
11:55 <Berge> What bandwidth speeds do you get to a.u.c while syncing?
11:56 <asomerset> it's hard to tell exactly given the other stuff we are mirroring and potential overlaps; i'd be guessing we sustain 100-200 Mbps
11:56 <asomerset> we have peaks of 500 Mbps and sometimes even 1 Gbps on download
11:57 <asomerset> we cruise at 1-1.5 Gbps serving throughout the day with peaks at 2 Gbps
11:59 <asomerset> if you feel like being nosy - https://stats.mirror.liquidtelecom.net/
12:00 <asomerset> i am sad that releases and cdimages don't push more traffic
12:06 <Berge> yeah, it's in decline in general
12:07 <Berge> awstats is a blast from the past (-:
12:21 <maswan> We use analog :)
=== amurray_ is now known as amurray
21:48 <sarnold> wow, 2.17 GB on 404s alone https://stats.mirror.liquidtelecom.net/cgi-bin/awstats.pl?config=ubuntu-archive.mirror.liquidtelecom.com
21:54 <tomreyn> 33.2 % of accessing browsers used the "CloudFlare" user agent
21:55 <tomreyn> i wonder why that would be desirable - wouldn't you want it to be all or nothing?
