
Re: [SECURITY] [DSA 3547-1] imagemagick security update



On Tue, Apr 12, 2016, at 14:32, Peter Palfrader wrote:
> On Tue, 12 Apr 2016, Henrique de Moraes Holschuh wrote:
> > On Tue, Apr 12, 2016, at 14:06, Adam D. Barratt wrote:
> > > Judging from your e-mail address, I'm going to assume that the answer is 
> > > that security.debian.org resolved to 150.203.164.61.
> > > 
> > > Apparently there was an issue with syncing to that mirror. The sysadmin 
> > > team have triggered a manual sync, so things should be up-to-date now.
> > 
> > Other (leaf ?) .au mirrors also seem to be stale:
> > mirror.aarnet.edu.au, mirror.cse.unsw.edu.au
> > 
> > Either those mirrors are not refreshing at an acceptable rate for
> > something that carries /debian-security, or we have a wider issue than a
> > single .au mirror missing a push.
> > 
> > We don't have leaf (non-push) mirrors in the geo-ip list for
> > security.debian.org, do we?
> 
> We don't support 3rd party security mirrors.  In fact, we actively
> discourage them.  Don't use them.

We list several mirrors carrying debian security updates in
https://www.debian.org/mirror/list-full, but only some of them are
members of the security.debian.org pool, and not every member of the
security.debian.org mirror pool is present in that list either.  The
Australian mirror that was stale doesn't appear to be, for example.

We don't disclose which mirrors are members of the security.debian.org
pool anywhere (that I could find), so we are currently hiding everything
behind security.debian.org. This wasn't a problem when a DNS lookup for
security.debian.org would return a RR-SET with several A and AAAA
records, but geo-ip changed that to return a single A record.  When
geo-ip points security.debian.org to a broken or stale mirror for
someone, it is a pain to work around it for the duration.

And if you need to access security.debian.org over IPv6, "too bad".

This clearly is suboptimal.  So, please excuse me if I don't agree that
we actively discourage 3rd party public security mirrors, IMHO we do it
half-heartedly.  And I don't think this is bad either, since it looks
like we don't do that well at providing alternate access to the security
archive either.

Alternate access URIs for several of the security.debian.org pool
members *do* exist, but that information seems not to be clearly
displayed anywhere.

A good starting point would be to provide a list of official security
mirrors (potential members of the security.debian.org pool) that can be
accessed directly when geo-ip is directing a user to a pool member that
is stale. This does mean such mirrors need to expose the security
archive outside of the security.debian.org named vhost, of course.
/debian-security seems to be the preferred pattern, and at least one
push-primary mirror that is a member of the security.debian.org pool
does it that way.

And if that list of official security mirrors that can be accessed
through alternate URIs does exist, I couldn't find it. IMHO that
information needs to be somewhere in
https://www.debian.org/mirror/official, along with whatever strong
recommendations we want to make about it.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh <hmh@debian.org>
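As an added example, not part of the original thread: a check for the stale-mirror condition described above, comparing the Release file served by a mirror with the copy served by the reference (push-primary) host. The Release texts are constructed samples, and the 6 hour lag threshold is an assumption.

```python
# Added example (not from the original thread): detect a lagging security
# mirror by comparing the Date/Valid-Until fields of its Release file with
# the one served by the reference host. The Release texts below are
# constructed samples, not real archive data.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

REFERENCE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Codename: jessie
Date: Tue, 12 Apr 2016 13:50:00 UTC
Valid-Until: Tue, 19 Apr 2016 13:50:00 UTC
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""
# Same suite, but a snapshot taken a day and a half earlier (constructed).
STALE_RELEASE = REFERENCE_RELEASE.replace(
    "Date: Tue, 12 Apr 2016 13:50:00 UTC", "Date: Mon, 11 Apr 2016 02:10:00 UTC")
# Time of the check, matching the date of the thread (constructed).
NOW = datetime(2016, 4, 12, 14, 32, tzinfo=timezone.utc)

def parse_release(text):
    """Return the top-level 'Key: value' fields; indented hash lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line and line[0] not in " \t":
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields

def release_date(fields, key="Date"):
    """Parse an RFC 2822 style Release date field as an aware UTC datetime."""
    dt = parsedate_to_datetime(fields[key])
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def mirror_lag(reference_text, mirror_text, now, max_lag=timedelta(hours=6)):
    """Flag a mirror as stale when its Release lags the reference by more than
    max_lag, describes a different suite, or is already past its Valid-Until."""
    ref, mir = parse_release(reference_text), parse_release(mirror_text)
    lag = release_date(ref) - release_date(mir)
    expired = "Valid-Until" in mir and now > release_date(mir, "Valid-Until")
    same_suite = ref.get("Suite") == mir.get("Suite")
    return {"lag": lag, "expired": expired, "same_suite": same_suite,
            "stale": expired or not same_suite or lag > max_lag}

if __name__ == "__main__":
    print(mirror_lag(REFERENCE_RELEASE, STALE_RELEASE, NOW))
```

In practice the two Release texts would be fetched from the geo-ip assigned host and from an alternate /debian-security URI, and a stale result is the signal to switch sources for the duration.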

