Hi Julien,

On Sat, Nov 10, 2018 at 03:59:36PM +0100, Julien Cristau wrote:
> Hi,
>
> At the moment, most debian.org hosts accept incoming ssh connections from the
> entire Internet. In the future, DSA intends to change this and, by default,
> only accept ssh connections from other debian.org machines.
>
> The following classes of hosts will continue to accept ssh from everywhere:
>
>  - upload hosts
>  - master and people.debian.org
>  - salsa.debian.org
>  - dedicated ssh jumphosts {na,eu}.ssh.debian.org
>  - porter boxes (maybe).
>
> These changes will come into effect no sooner than mid December. The following
> snippet in ~/.ssh/config configures OpenSSH to use a jumphost for all
> debian.org hosts other than the jumphosts.
>
>   Host *.debian.org !*.ssh.debian.org !ssh.debian.org
>     ProxyJump ssh.debian.org
>     # (or {na,eu}.ssh.debian.org)
>
> Our documentation at https://dsa.debian.org/doc/firewall/ will also be
> updated.

I support this, but it would make uploading video content from debconf to
vittoria.d.o rather complicated and slow (we do rsync-over-SSH to back up
the raw recordings after debconf, which for a full debconf usually racks up
to about a terabyte; doing that via a jumphost seems like a bad idea).

Can an exception be made for vittoria? If not, can this be done on a
case-by-case basis for the events where we would like to upload something
from? This would also include miniconfs etc.

Thanks,

-- 
To the thief who stole my anti-depressants: I hope you're happy

  -- seen somewhere on the Internet on a photo of a billboard