On Tue, Apr 12, 2016, at 14:32, Peter Palfrader wrote:
> On Tue, 12 Apr 2016, Henrique de Moraes Holschuh wrote:
> > On Tue, Apr 12, 2016, at 14:06, Adam D. Barratt wrote:
> > > Judging from your e-mail address, I'm going to assume that the answer is
> > > that security.debian.org resolved to 150.203.164.61.
> > >
> > > Apparently there was an issue with syncing to that mirror. The sysadmin
> > > team have triggered a manual sync, so things should be up-to-date now.
> >
> > Other (leaf ?) .au mirrors also seem to be stale:
> > mirror.aarnet.edu.au, mirror.cse.unsw.edu.au
> >
> > Either those mirrors are not refreshing at an acceptable rate for
> > something that carries /debian-security, or we have a wider issue than a
> > single .au mirror missing a push.
> >
> > We don't have leaf (non-push) mirrors in the geo-ip list for
> > security.debian.org, do we?
>
> We don't support 3rd party security mirrors. In fact, we actively
> discourage them. Don't use them.

We list several mirrors carrying debian security updates in
https://www.debian.org/mirror/list-full, but only some of them are
members of the security.debian.org pool, and not every member of the
security.debian.org mirror pool is present in that list either. The
Australian mirror that was stale doesn't appear to be, for example.

We don't disclose which mirrors are members of the security.debian.org
pool anywhere (that I could find), so we are currently hiding
everything behind security.debian.org. This wasn't a problem when a DNS
lookup for security.debian.org would return a RR-SET with several A and
AAAA records, but geo-ip changed that to return a single A record.

When geo-ip points security.debian.org to a broken or stale mirror for
someone, it is a pain to work around it for the duration. And if you
need to access security.debian.org over IPv6, "too bad". This clearly
is suboptimal.

So, please excuse me if I don't agree that we actively discourage 3rd
party public security mirrors, IMHO we do it half-heartedly. And I
don't think this is bad either, since it looks like we don't do that
well at providing alternate access to the security archive either.

Alternate access URIs for several of the security.debian.org pool
members *do* exist, but that information seems not to be clearly
displayed anywhere.

A good starting point would be to provide a list of official security
mirrors (potential members of the security.debian.org pool) that can be
accessed directly when geo-ip is directing a user to a pool member that
is stale.

This does mean such mirrors need to expose the security archive outside
of the security.debian.org named vhost, of course. /debian-security
seems to be the preferred pattern, and at least one push-primary mirror
that is a member of the security.debian.org pool does it that way.

And if that list of official security mirrors that can be accessed
through alternate URIs does exist, I couldn't find it.
IMHO that information needs to be somewhere in
https://www.debian.org/mirror/official, along with whatever strong
recommendations we want to make about it.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique de Moraes Holschuh <h...@debian.org>