[08:15] hello, are there any upstream https mirrors?
[08:18] apart from archive.ubuntu.com
[08:30] sandbag: What do you mean by upstream?
[08:31] There's a big network of country level mirrors, of the form $CC.archive.ubuntu.com and $CC.releases.ubuntu.com
[08:33] Berge: like the one which is the first source of truth
[08:33] are those country level mirrors mirroring anything else or not?
[08:34] sandbag: Mirroring other things than Ubuntu?
[08:34] Many of them would be, yes
[08:35] There is a system with trigger-based updating of country level mirrors, so they're fairly up to date
[08:35] Typically
[08:35] …minutes or hours behind
[08:36] > Many of them would be, yes. where can i find that?
[08:37] Berge: no, not other things than ubuntu. what i meant is are all those mirrors building from scratch or just mirroring?
[08:38] sandbag: https://launchpad.net/ubuntu/+archivemirrors
[08:38] i saw that, it doesn't mention which mirrors strictly use https
[08:38] But it will say if a mirror is up to date
[08:39] HTTPS isn't a requirement for mirror operators. Why do you want that?
[08:39] because of security?
[08:39] i want to mirror https only
[08:39] The security of apt does not rely on transport level integrity
[08:39] Packages are signed and verified
[08:39] yes im aware. but i still dont want to be snooped by my ISP
[08:40] why is https not a requirement? i fail to see that.
it doesn't cost anything
[08:40] The ISP will be able to ascertain _that_ you're downloading something from a Ubuntu mirror, mostly
[08:40] HTTPS absolutely costs something
[08:40] Orders of magnitude more CPU load on the mirror, for instance
[08:40] there are other things as well, it opens up the possibility of ssl stripping attacks
[08:40] No, it doesn't
[08:41] Or, not in a way that's relevant here
[08:41] Anyway, I don't know of a list of HTTPS enabled mirrors
[08:41] The one I operate happens to be
[08:41] But then you have to trust me instead of your ISP (-:
[08:41] where does your mirror mirror from ?
[08:41] sandbag: I didn't quite understand your question about building from scratch
[08:41] You can easily build your own mirror from scratch
[08:42] The one I operate, no.{releases,archive}.ubuntu.com, is using update triggers
[08:42] yes that's a lot of work which is why i wanted mirrors who serve https without mirroring from http mirrors
[08:42] It gets triggered when there are updates, and then syncs those updates from an upstream
[08:42] It's immaterial where it syncs from, security wise
[08:42] Berge: so ur building the whole repo?
[08:42] Since you ask, it's using rsync, not HTTP
[08:43] And without any encryption on the wire
[08:43] sandbag: Not sure what you mean by building
[08:43] It's two rsync commands
[08:43] the ubuntu packages, etc from source
[08:43] I'm certainly not building the packages
[08:43] It's just downloading binary and source packages from a different mirror
[08:44] and which mirror is that
[08:44] ur understanding what im asking?
[08:44] Depends a bit, but typically from the excellent people at https://www.accum.se/
[08:45] sandbag: I don't quite understand what you want to know, no
[08:45] Nor why it's relevant
[08:45] i wanna setup an https mirror but the mirror from which i will mirror has to mirror from https exclusively
[08:45] all the way to the top
[08:45] I don't think any mirror does that
[08:45] All mirrors sync between themselves with rsync
[08:45] where u will find a mirror which does building
[08:45] HTTP would be prohibitively expensive bandwidth wise
[08:46] sandbag: That _builds_ the packages?
[08:46] That's not a mirror's task
[08:46] Canonical operates build farms that build binary packages
[08:46] so where do u get those packages from?
[08:46] As I said, a different mirror
[08:47] man i know that. im talking about at top
[08:47] Again, the security of apt packages does _not_ rely on transport level mechanisms, such as HTTPS
[08:47] some mirror will eventually have to take those packages directly from canonical
[08:47] Packages are signed with a completely different system
[08:47] sandbag: yes
[08:47] so how does canonical give it
[08:47] to those few mirrors
[08:47] rsync
[08:47] is it https
[08:47] No, it's rsync
[08:47] is there doc for that?
[08:47] For the program rsync?
[08:48] no for distribution of canonical via rsync
[08:49] I don't, no
[08:49] It's a trivial thing
[08:49] can i create the infrastructure for building those packages and not take from canonical
[08:50] I don't understand the question
[08:50] Do you want to build the packages from scratch, and not download the binary packages from a mirror?
[08:50] yes. i dont wanna mirror another mirror
[08:51] But you have to download the source packages from a mirror anyway
[08:51] because there aren't any upstream https mirrors
[08:51] Why do you want that?
[08:51] because https + pgp is better than just pgp
[08:51] That is not how the security model works
[08:52] defense in depth?
[08:52] https://archive.ubuntu.com/ is probably the closest you can come to that
[08:52] does it mirror from anywhere else?
[08:53] I don't know how it works internally
[08:53] it would be honestly better to have a column in mirror list to see who mirrors whom
[08:53] That's completely irrelevant
[08:53] And changes
[08:53] why?
[08:53] what if someone wants to know the true source
[08:53] Planned and unplanned maintenance, for instance
[08:54] I'll move the DNS pointers for the mirror we operate here when it's undergoing maintenance
[08:56] sandbag: I don't think I have more to add here
[08:57] The security model for package integrity is not based on transport level security in any way, and thus mirror operations behind the scenes optimise for things like bandwidth and CPU
[08:58] This is what allows randoms (like me) to operate Ubuntu mirrors, without Canonical having to rely on my integrity, or the integrity of the server, its physical security, my security practices, and so on
[09:09] ok
[09:10] the project/trace directory will tell you the mirror hierarchy
[09:11] but again, it is all over rsync and not http/https anyhow
[09:11] and the main reason why cctld.archive.ubuntu.com doesn't use https is that it'll get repointed to other mirrors as needed so that it'll always work
[09:17] They left
[09:18] ah yeah they left
[09:18] strange question
[09:18] there is no source mirror, Canonical archive servers are the source...
[09:19] I can understand the desire to not be snooped on by their ISP, but then I don't really get what they were aiming for here
[09:20] Their ISP will trivially see that you're downloading packages from an Ubuntu mirror anyway, in most cases
[09:21] indeed
[09:22] and they can still deep inspect / check for sizes to determine the package
[09:22] makes it more difficult though
[09:22] we enabled HTTPS on our archive servers because well...
it's 2024 :)
[09:23] kotodama: we have https on our mirror, but not for the cctld stuff since that'll break when it gets repointed. same for debian
[09:24] heh indeed
[10:03] I think interest in https for apt archives grew after that CVE where apt would process http response headers badly, leading to remote code execution or something like that?
[10:04] suddenly all the "why care about mitm, the release file is validated via gpg" responses seemed quieter
[10:09] It's a thin layer of extra security, though
[10:09] You'd have to trust the randoms operating the mirrors
[10:22] Currently the CPU requirements to mirror a lot of stuff (we mirror ~90 projects on our mirror server) are fairly minor; if we had to build all that stuff, that would increase many many times. We would probably have to consider cutting back on the number of projects we mirror
[10:23] _Building_ the packages would be absolutely unreasonable
[10:23] And without reproducible builds, it'd be actively harmful to security
[11:29] wait don't all the cctld mirror operators not sync direct from canonical "CDN" anyway?
[11:35] asomerset: no, there are tiers
[11:36] Our mirror (no.[ar].u.c) has excellent connectivity to maswan's crowd's mirror
[11:36] UBUARC_MIRROR=archive.ubuntu.com::ubuntu/
[11:36] i seem to be drinking the koolaid straight from the fountain
[11:37] for most of Africa
[11:38] Firehose fountain
[11:38] asomerset: You run an Africa mirror?
[11:38] African, even
[11:53] yep its officially in Kenya, but serves most of East and Southern Africa
[11:54] cool
[11:55] What bandwidth speeds do you get to a.u.c while syncing?
[11:56] its hard to tell exactly given the other stuff we are mirroring and potential overlaps, i'd be guessing we sustain 100-200mbps
[11:56] we have peaks of 500mbps and sometimes even 1gbps on download
[11:57] we cruise at 1-1.5gbps serving throughout the day with peaks at 2gbps
[11:59] if you feel like being nosy - https://stats.mirror.liquidtelecom.net/
[12:00] i am sad that releases and cdimages don't push more traffic
[12:06] yeah, it's on decline in general
[12:07] awstats is a blast from the past (-:
[12:21] We use analog :)
=== amurray_ is now known as amurray
[21:48] wow, 2.17 GB on 404s alone https://stats.mirror.liquidtelecom.net/cgi-bin/awstats.pl?config=ubuntu-archive.mirror.liquidtelecom.com
[21:54] 33.2 % of accessing browsers used the "CloudFlare" user agent
[21:55] i wonder why that would be desirable - wouldn't you want it to be all or nothing?