Re: Possibly moving Debian services to a CDN
]] Craig Small

> On Thu, Jan 30, 2014 at 01:53:55PM +0100, Tollef Fog Heen wrote:
> > I thought it's time for a small update about this. As of about an hour
> > ago, planet and metadata.ftp-master are now served from the Fastly CDN,
> > and it all seems to be working quite smoothly.
> https://planet.debian.org/ gives a big scary certificate warning.

Well, yes. We didn't have HTTPS before and we don't have it now either. One reason to not have it is that you'd have a ton of «insecure third party resource» warnings. Ganneff said he'd take a look at having Planet download those resources locally when he has some free time. Until then, planet is HTTP-only as before.

(We want to do this anyway to avoid leaking information about people who read planet to those running the hosting for various blogs.)

> Interesting way they've stapled all the names together on the
> certificate too.
>
> I didn't know you could do that, but, you might like to tell them to
> fix that certificate.

There's not really anything to be fixed, since you shouldn't be using HTTPS for that host yet.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/878utw8zks@xoog.err.no
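
The reply above gives two reasons for fetching third-party resources locally: mixed-content warnings under HTTPS, and readers' requests leaking to the blogs' hosts. The following is an added example, not part of the thread or of Planet's code, that audits an aggregator page for both; the host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL is fetched automatically when the page renders.
FETCHED = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
           "audio": "src", "video": "src", "source": "src", "object": "data"}
ACTIVE = {"script", "iframe", "embed", "object", "link"}  # can alter the page


class SubresourceScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, absolute URL, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets count; rel=alternate feeds are not fetched.
            rels = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rels else None
        else:
            url = attrs.get(FETCHED.get(tag, ""))
        if not url:
            return
        absolute = urljoin(self.page_url, url)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or parts.hostname == self.page_host:
            return  # data: URLs and same-host resources are out of scope
        if parts.scheme == "http":
            kind = "mixed-active" if tag in ACTIVE else "mixed-passive"
        else:
            kind = "third-party"  # no warning, but the reader's request still leaks
        self.findings.append((tag, absolute, kind))


def scan(page_url, html):
    scanner = SubresourceScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: an aggregator page embedding content from several blogs.
SAMPLE = """<link rel="stylesheet" href="/common/planet.css">
<link rel="alternate" href="http://blog-a.example/feed.xml">
<a href="http://blog-a.example/post/1">A post</a>
<img src="http://blog-a.example/images/photo.png">
<img src="heads/author.png">
<script src="http://blog-b.example/widget.js"></script>
<img src="//stats.blog-c.example/pixel.gif">"""
```

An empty result from `scan()` means every automatically loaded resource comes from the page's own host, which is the state the reply describes as the goal.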
Re: Possibly moving Debian services to a CDN
On Thu, Jan 30, 2014 at 01:53:55PM +0100, Tollef Fog Heen wrote:
> I thought it's time for a small update about this. As of about an hour
> ago, planet and metadata.ftp-master are now served from the Fastly CDN,
> and it all seems to be working quite smoothly.

https://planet.debian.org/ gives a big scary certificate warning.

Interesting way they've stapled all the names together on the certificate too.

I didn't know you could do that, but, you might like to tell them to fix that certificate.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:           5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5

Archive: http://lists.debian.org/20140131002009.gb5...@enc.com.au
Re: Possibly moving Debian services to a CDN
Tollef Fog Heen writes ("Re: Possibly moving Debian services to a CDN"):
> As for the privacy concerns raised in the thread, I've had quite a lot
> of discussions with Fastly about how they operate wrt privacy. They
> don't store request-related logs (only billing information), so there
> are no URLs, cookies, client IPs or similar being stored. Varnish has an
> ephemeral log which they go through a couple of times a minute where
> some of that information is present, but it never leaves the host
> (unless we enable logging to an endpoint we control). I'm quite content
> with how they're handling the privacy concerns.

Thanks for looking into that. I know that not everyone shares these worries but I do and I really appreciate you taking them seriously.

Your comments are reassuring and, speaking personally, I'm satisfied.

> In the interest of full disclosure I should also mention that I'm
> starting to work for Fastly in a few days' time. I don't believe that
> has influenced my views or judgements here.

You are of course right to mention this. Personally I find it increases rather than reduces my confidence in the assurances earlier in your message, and in the situation in general.

Thank you.

Regards,
Ian.

Archive: http://lists.debian.org/21226.28765.549741.548...@chiark.greenend.org.uk
Re: Possibly moving Debian services to a CDN
]] Tollef Fog Heen

Hi all,

> - the various bits and bobs that are currently hosted on
>   static.debian.org

I thought it's time for a small update about this. As of about an hour ago, planet and metadata.ftp-master are now served from the Fastly CDN, and it all seems to be working quite smoothly. We've uncovered some bits we want to make work better, such as adding and removing backend servers automatically when they become unavailable or are added to the static DNS RR, purging content from the caches when it's updated and possibly some other minor bits.

This does sadly mean we don't currently have IPv6 for those two services, something that's being worked on by Fastly.

As for the privacy concerns raised in the thread, I've had quite a lot of discussions with Fastly about how they operate wrt privacy. They don't store request-related logs (only billing information), so there are no URLs, cookies, client IPs or similar being stored. Varnish has an ephemeral log which they go through a couple of times a minute where some of that information is present, but it never leaves the host (unless we enable logging to an endpoint we control). I'm quite content with how they're handling the privacy concerns.

In the interest of full disclosure I should also mention that I'm starting to work for Fastly in a few days' time. I don't believe that has influenced my views or judgements here.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/877g9h1vh8@qurzaw.varnish-software.com