Re: first A record of security.debian.org extremely slow

2006-03-17 Thread Michelle Konzack
On 2006-03-02 23:09:28, Florian Weimer wrote:

> I typically use an Exim .forward file which invokes a special script
> using "pipe".  The script creates a file, and a cron job which runs
> periodically checks for the existence of that file and performs the
> desired action when it exists.  This means that DSA sent in quick
> succession only trigger the action once.

With no security problems enabling Mailservices on all machines in
the network?  I have installed fetchmail, procmail and my script on my
local mirror, which updates my local mirror from which I am installing.

At the same time it saves bandwidth.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: first A record of security.debian.org extremely slow

2006-03-17 Thread Michelle Konzack
On 2006-03-02 20:06:48, Florian Weimer wrote:

> You can use the DSA posting as a trigger.

This is what I already do...

My local mirror checks the mailbox every 5 minutes and if a security
update comes in it downloads immediately...

Currently I am writing a new script which will do this with

<[EMAIL PROTECTED]>

which lets me download and update my mirror faster without bothering
the Debian server.  The Packages.gz are generated locally.  Once a
week I run a check, which downloads the original Packages.gz and
Sources.gz to check, whether I have all packages or not...
Sometimes E-Mails are lost between Debian and my Mailbox.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: first A record of security.debian.org extremely slow

2006-03-08 Thread Florian Weimer
* Michelle Konzack:

> 1)  Download Packages.gz/Sources.gz and check for changes

I think you should look at the Release file first, at least if you
don't use If-Modified-Since or similar conditional requests.
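
The Release-first check suggested above, as an added example that is not part of the original post: it reads the SHA256 entry for one index from a Release file, skips the download when the entry matches the last recorded one, and accepts a downloaded index only if its size and hash match. Function names and the state-file layout are assumptions, and the Release file is assumed to have been authenticated beforehand.

```shell
#!/bin/sh
# Added example (not from the thread): decide from the Release file whether an
# index needs fetching, and check the fetched index against it.
# Function names and the state-file layout are assumptions. The Release file is
# assumed to have been authenticated already (detached signature Release.gpg).
#
# Shape of the section read here (constructed values):
#   SHA256:
#    <64 hex digits> 5120 main/binary-i386/Packages.gz

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# release_entry RELEASE PATH -> prints "<sha256> <size>", fails if not listed
release_entry() {
    awk -v want="$2" '
        /^[^ ]/ { insec = ($1 == "SHA256:"); next }    # a new top-level field
        insec && $3 == want { print $1, $2; found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# index_changed RELEASE PATH STATE -> 0 fetch needed, 1 unchanged, 2 not listed
index_changed() {
    _new=$(release_entry "$1" "$2") || return 2
    [ -f "$3" ] && [ "$(cat "$3")" = "$_new" ] && return 1
    return 0
}

# verify_and_record RELEASE PATH FILE STATE -> 0 and STATE updated only when the
# downloaded FILE has exactly the size and hash that Release lists.
verify_and_record() {
    _want=$(release_entry "$1" "$2") || return 2
    _size=$(wc -c < "$3" | tr -d ' ') || return 1
    [ "$(sha256_of "$3") $_size" = "$_want" ] || return 1
    printf '%s\n' "$_want" > "$4"
}

# Command-line use: script RELEASE PATH STATE ; exit status as index_changed
if [ "$#" -eq 3 ]; then
    index_changed "$@"
    exit $?
fi
```

A mirror script would call `index_changed` once per poll and download Packages.gz or Sources.gz only when it returns 0, so an unchanged archive costs one small Release request.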





Re: first A record of security.debian.org extremely slow

2006-03-08 Thread martin f krafft
thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.28.1824 +0100]:
> I can not use rsync because I have a different directory structure AND
> I do not want to kill one of the security mirrors of debian, how often
> should I poll the Packages.gz/Sources.gz for changes daily?

Once.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
military justice is to justice what military music is to music.
   -- groucho marx


signature.asc
Description: Digital signature (GPG/PGP)


Re: first A record of security.debian.org extremely slow

2006-03-07 Thread Michelle Konzack
On 2006-02-27 15:31:20, martin f krafft wrote:
> thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.25.2036 +0100]:
> > debian-security is already mirrored by some servers including
> > 
> > 
> 
> You are not really supposed to use those as they are pulled once
> daily only, and security is a time-critical domain where sometimes
> it's very important to have updates without any delays.

Right and some Servers hosting /debian-security/ are some days behind.

I can not use rsync because I have a different directory structure AND
I do not want to kill one of the security mirrors of debian, how often
should I poll the Packages.gz/Sources.gz for changes daily?

Please note, that my own update script does:

1)  Download Packages.gz/Sources.gz and check for changes
2)  Create list of files to download
3)  Download the stuff
4)  Delete old packages locally
5)  create new Packages.gz/Sources.gz

I have encountered this works faster and more effective than using rsync.

Currently I poll only once a day.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: first A record of security.debian.org extremely slow

2006-03-06 Thread Moritz Muehlenhoff
Florian Weimer wrote:
>> Usually, cron-apt has already noticed that there is an update
>> available before the DSA posting comes in.
>
> This is by design; the DSA is delayed until the archive has been
> updated properly (which means that it has arrived at all mirrors).

That's because the included md5sums are generated from the files in the
archive.

Cheers,
Moritz





Re: first A record of security.debian.org extremely slow

2006-03-06 Thread Tomasz Papszun
On Mon, 06 Mar 2006 at 10:49:45 +, paddy wrote:
> On Fri, Mar 03, 2006 at 04:55:23PM +0100, Javier Fernández-Sanguino Peña wrote:
> > 
> > I don't believe it does. Cron-apt is a pull mechanism (download the
> > latest packages, check if there are upgrades and notify the admin). 
> > A mail filter which parses the DSAs and tells people to update is a push
> > mechanism. 
> > 
> > Notice that in the latter (push) you could have somebody review if the
> > update is critical enough, or only tell systems to upgrade once the patch
> > has been tested internally. That seems easier to me than, in the pull system,
> > set up an intermediate mirror of security.debian.org with *approved* updates,
> > have the systems update automatically and have a sysadmin move the updates
> > from the official mirror over to that internal mirror based on whether the
> > update is critical or not.
> > 
> > Also, in my mind's view, a push mechanism is bound to be more effective than
> > probing the security mirror daily and could also be capable of narrowing the
> > time between patch release and installation (if automated) since you don't
> > have to wait for a given point in time to make the check.
> 
> Perhaps freshclam's dns based mechanism may also be of interest as a point
> of comparison ? (I'm sorry I'm not able to describe it in detail off the top
> of my head, but the parallel seems obvious)
> 

In case it's of any help, there's some documentation on how ClamAV
mirrors are set - at  http://www.clamav.net/doc/mirrors/ .

HTH
-- 
 Tomasz PapszunSysAdm @ TP S.A. Lodz, Poland| And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner





Re: first A record of security.debian.org extremely slow

2006-03-06 Thread paddy
On Fri, Mar 03, 2006 at 04:55:23PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Fri, Mar 03, 2006 at 11:13:52AM +0100, Marc Haber wrote:
> > On Fri, Mar 03, 2006 at 11:11:30AM +0100, Rolf Kutz wrote:
> > > You can trigger the update via ssh or wget.
> > 
> > The entire scheme strikes me as reinventing a mechanism which has been
> > existing for years now, being called cron-apt.
> 
> I don't believe it does. Cron-apt is a pull mechanism (download the
> latest packages, check if there are upgrades and notify the admin). 
> A mail filter which parses the DSAs and tells people to update is a push
> mechanism. 
> 
> Notice that in the latter (push) you could have somebody review if the
> update is critical enough, or only tell systems to upgrade once the patch
> has been tested internally. That seems easier to me than, in the pull system,
> set up an intermediate mirror of security.debian.org with *approved* updates,
> have the systems update automatically and have a sysadmin move the updates
> from the official mirror over to that internal mirror based on whether the
> update is critical or not.
> 
> Also, in my mind's view, a push mechanism is bound to be more effective than
> probing the security mirror daily and could also be capable of narrowing the
> time between patch release and installation (if automated) since you don't
> have to wait for a given point in time to make the check.

Perhaps freshclam's dns based mechanism may also be of interest as a point
of comparison ? (I'm sorry I'm not able to describe it in detail off the top
of my head, but the parallel seems obvious)

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall





Re: first A record of security.debian.org extremely slow

2006-03-03 Thread Javier Fernández-Sanguino Peña
On Fri, Mar 03, 2006 at 11:13:52AM +0100, Marc Haber wrote:
> On Fri, Mar 03, 2006 at 11:11:30AM +0100, Rolf Kutz wrote:
> > You can trigger the update via ssh or wget.
> 
> The entire scheme strikes me as reinventing a mechanism which has been
> existing for years now, being called cron-apt.

I don't believe it does. Cron-apt is a pull mechanism (download the
latest packages, check if there are upgrades and notify the admin). 
A mail filter which parses the DSAs and tells people to update is a push
mechanism. 

Notice that in the latter (push) you could have somebody review if the
update is critical enough, or only tell systems to upgrade once the patch
has been tested internally. That seems easier to me than, in the pull system,
set up an intermediate mirror of security.debian.org with *approved* updates,
have the systems update automatically and have a sysadmin move the updates
from the official mirror over to that internal mirror based on whether the
update is critical or not.

Also, in my mind's view, a push mechanism is bound to be more effective than
probing the security mirror daily and could also be capable of narrowing the
time between patch release and installation (if automated) since you don't
have to wait for a given point in time to make the check.

Florian, in any case, I see no mention of where those scripts are
available. Are they?

Regards

Javier




Re: first A record of security.debian.org extremely slow

2006-03-03 Thread Marc Haber
On Fri, Mar 03, 2006 at 11:11:30AM +0100, Rolf Kutz wrote:
> You can trigger the update via ssh or wget.

The entire scheme strikes me as reinventing a mechanism which has been
existing for years now, being called cron-apt.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: first A record of security.debian.org extremely slow

2006-03-03 Thread Rolf Kutz
* Quoting Marc Haber ([EMAIL PROTECTED]):

> On Thu, Mar 02, 2006 at 11:09:28PM +0100, Florian Weimer wrote:
> > 
> > I typically use an Exim .forward file which invokes a special script
> > using "pipe".  The script creates a file, and a cron job which runs
> > periodically checks for the existence of that file and performs the
> > desired action when it exists.  This means that DSA sent in quick
> > succession only trigger the action once.
> 
> So you have debian-security subscribed on all systems, and all systems
> need to run a publicly reachable mail system?

You can trigger the update via ssh or wget.

- Rolf





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Marc Haber
On Thu, Mar 02, 2006 at 11:09:28PM +0100, Florian Weimer wrote:
> * Marc Haber:
> > How would you implement the automatism to trigger the update on the
> > incoming e-mail?
> 
> I typically use an Exim .forward file which invokes a special script
> using "pipe".  The script creates a file, and a cron job which runs
> periodically checks for the existence of that file and performs the
> desired action when it exists.  This means that DSA sent in quick
> succession only trigger the action once.

So you have debian-security subscribed on all systems, and all systems
need to run a publicly reachable mail system?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Steve Kemp
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:

> How would you implement the automatism to trigger the update on the
> incoming e-mail?

  procmail, matching on new mails to the debian-security-announce
 mailing list ..

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Horst Pflugstaedt
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:
> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> > * Geoff Crompton:
> > > I'm also wondering if security.debian.org has enough resources for every
> > > single debian box on the planet checking it every X minutes.
> > 
> > You can use the DSA posting as a trigger.
> 
> Usually, cron-apt has already noticed that there is an update
> available before the DSA posting comes in.
> 
> How would you implement the automatism to trigger the update on the
> incoming e-mail?

How about a procmail rule?
There ought to be several ways for an implementation, each one will have
to rely on your mailserver or procmail positively identifying a
security-announcement.

then you can
- make the procmail rule call aptitude update && aptitude upgrade
  directly
- save the mail to a special place and make some other program trigger
  the update (via a db or perhaps FAM or a cron-job)

Greetings
Horst

-- 
The income tax has made more liars out of the American people than golf
has.  Even when you make a tax form out on the level, you don't know
when it's through if you are a crook or a martyr.
-- Will Rogers





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Florian Weimer
* Marc Haber:

> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
>> * Geoff Crompton:
>> > I'm also wondering if security.debian.org has enough resources for every
>> > single debian box on the planet checking it every X minutes.
>> 
>> You can use the DSA posting as a trigger.
>
> Usually, cron-apt has already noticed that there is an update
> available before the DSA posting comes in.

This is by design; the DSA is delayed until the archive has been
updated properly (which means that it has arrived at all mirrors).

> How would you implement the automatism to trigger the update on the
> incoming e-mail?

I typically use an Exim .forward file which invokes a special script
using "pipe".  The script creates a file, and a cron job which runs
periodically checks for the existence of that file and performs the
desired action when it exists.  This means that DSA sent in quick
succession only trigger the action once.
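
The flag-file scheme described in this message, as an added example that is not part of the original post: the mail side only creates a flag, and the cron side claims it with an atomic rename and runs the action once however many announcements arrived. The paths, function names, List-Id value and the `apt-get -qq update` action are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a mail-triggered flag file, consumed by cron.
# Paths, function names and the List-Id value are assumptions.

DSA_STATE_DIR="${DSA_STATE_DIR:-/var/lib/dsa-trigger}"
DSA_LIST_ID="${DSA_LIST_ID:-debian-security-announce.lists.debian.org}"

# Mail side: reads one message on stdin (from a .forward pipe or a procmail
# recipe) and creates the flag if a List-Id header names the announce list.
# Headers can be forged, so the flag only ever means "go and ask the archive";
# nothing from the message is executed or passed on.
dsa_mark_pending() {
    mkdir -p "$DSA_STATE_DIR" || return 2
    if awk -v want="<$DSA_LIST_ID>" '
        function check() { if (inhdr && index(tolower(val), want)) found = 1 }
        BEGIN     { want = tolower(want) }
        body      { next }                       # drain the body, never match in it
        /^$/      { check(); body = 1; next }    # blank line ends the header block
        /^[ \t]/  { if (inhdr) val = val $0; next }   # folded continuation line
                  { check(); inhdr = 0; val = "" }
        tolower($0) ~ /^list-id:/ { inhdr = 1; val = $0 }
        END       { check(); exit(found ? 0 : 1) }
    '; then
        : > "$DSA_STATE_DIR/pending"    # idempotent: N mails, one flag
        return 0
    fi
    return 1
}

# Cron side: claims the flag with an atomic rename, so a mail arriving while
# the action runs leaves a fresh flag for the next tick. Returns 3 when nothing
# was pending, otherwise the exit status of the action.
dsa_run_if_pending() {
    mv "$DSA_STATE_DIR/pending" "$DSA_STATE_DIR/running.$$" 2>/dev/null || return 3
    _rc=0
    "$@" || _rc=$?
    rm -f "$DSA_STATE_DIR/running.$$"
    # A failed action must not lose the trigger: put the flag back for a retry.
    [ "$_rc" -eq 0 ] || : > "$DSA_STATE_DIR/pending"
    return "$_rc"
}

# Entry points (hypothetical install path /usr/local/bin/dsa-trigger):
#   .forward pipe:  |/usr/local/bin/dsa-trigger mark
#   crontab:        */5 * * * * /usr/local/bin/dsa-trigger run apt-get -qq update
case "${1:-}" in
    mark) dsa_mark_pending; exit 0 ;;   # always succeed so the MTA does not bounce
    run)  shift; dsa_run_if_pending "$@"; rc=$?; [ "$rc" -eq 3 ] && exit 0; exit "$rc" ;;
esac
```

Only the host that receives the list mail needs the mail side; other machines can be told to run their own check by whatever channel the site already trusts.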





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Marc Haber
On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> * Geoff Crompton:
> > I'm also wondering if security.debian.org has enough resources for every
> > single debian box on the planet checking it every X minutes.
> 
> You can use the DSA posting as a trigger.

Usually, cron-apt has already noticed that there is an update
available before the DSA posting comes in.

How would you implement the automatism to trigger the update on the
incoming e-mail?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread martin f krafft
thus spoke Michael Stone <[EMAIL PROTECTED]> [2006.03.02.2032 +0100]:
> The explanation is far simpler--debian *does* have mirrors of 
> security.debian.org. At the moment I see three hosts in the rotation. 

Yeah, push, not pull mirrors.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"if one cannot enjoy reading a book over and over again,
 there is no use in reading it at all."
-- oscar wilde




Re: first A record of security.debian.org extremely slow

2006-03-02 Thread martin f krafft
thus spoke Florian Weimer <[EMAIL PROTECTED]> [2006.03.02.2006 +0100]:
> By default, package authenticity is not validated in sarge and
> earlier releases.  From a security POV, it's better to download
> those updates from a limited set of well-maintained servers. It
> reduces the attack surface somewhat.

Sure it does. But it cannot be the reason why there are no
officially-endorsed mirrors -- I'd just upload my trojans to sarge's
archive with a higher version number then.

http://www.debian.org/security/faq#mirror

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"doesn't he know who i think i am?"
 -- phil collins




Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Michael Stone

On Thu, Mar 02, 2006 at 08:06:07PM +0100, Florian Weimer wrote:
> * martin f. krafft:
>
>> Why then do you think security.d.o is not mirrored by Debian?
>
> Our mirror network is not actually well-known for its integrity (think


The explanation is far simpler--debian *does* have mirrors of 
security.debian.org. At the moment I see three hosts in the rotation. 
Why not add more? Well, what problem does that solve? 


--
Michael Stone





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Florian Weimer
* Geoff Crompton:

> I'm also wondering if security.debian.org has enough resources for every
> single debian box on the planet checking it every X minutes.

You can use the DSA posting as a trigger.





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Florian Weimer
* martin f. krafft:

>> One day more or less doesn't really matter.  So far, Debian security
>> updates predated widespread (semi-)automated exploits by weeks.
>
> Why then do you think security.d.o is not mirrored by Debian?

Our mirror network is not actually well-known for its integrity (think
paris.avi).  By default, package authenticity is not validated in
sarge and earlier releases.  From a security POV, it's better to
download those updates from a limited set of well-maintained servers.
It reduces the attack surface somewhat.





Re: first A record of security.debian.org extremely slow

2006-03-01 Thread martin f krafft
thus spoke Florian Weimer <[EMAIL PROTECTED]> [2006.03.01.2255 +0100]:
> > You are not really supposed to use those as they are pulled once
> > daily only, and security is a time-critical domain where sometimes
> > it's very important to have updates without any delays.
> 
> One day more or less doesn't really matter.  So far, Debian security
> updates predated widespread (semi-)automated exploits by weeks.

Why then do you think security.d.o is not mirrored by Debian?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
security at micro$oft: how do we secure a billion dollar profit?




Re: first A record of security.debian.org extremely slow

2006-03-01 Thread Geoff Crompton
Florian Weimer wrote:
> * martin f. krafft:
> 
> 
>>You are not really supposed to use those as they are pulled once
>>daily only, and security is a time-critical domain where sometimes
>>it's very important to have updates without any delays.
> 
> 
> One day more or less doesn't really matter.  So far, Debian security
> updates predated widespread (semi-)automated exploits by weeks.
> 
> 

I'm also wondering if security.debian.org has enough resources for every
single debian box on the planet checking it every X minutes.

-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000





Re: first A record of security.debian.org extremely slow

2006-03-01 Thread Florian Weimer
* martin f. krafft:

> You are not really supposed to use those as they are pulled once
> daily only, and security is a time-critical domain where sometimes
> it's very important to have updates without any delays.

One day more or less doesn't really matter.  So far, Debian security
updates predated widespread (semi-)automated exploits by weeks.





Re: first A record of security.debian.org extremely slow

2006-02-27 Thread martin f krafft
thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.25.2036 +0100]:
> debian-security is already mirrored by some servers including
> 
> 

You are not really supposed to use those as they are pulled once
daily only, and security is a time-critical domain where sometimes
it's very important to have updates without any delays.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
no micro$oft components were used
in the creation or posting of this email.
therefore, it is 100% virus free
and does not use html by default (yuck!).




Re: first A record of security.debian.org extremely slow

2006-02-27 Thread Michelle Konzack
On 2006-02-20 14:28:12, Michal Sabala wrote:

> I'm considering starting to mirror security. I don't see a reason why
> security repository shouldn't be mirrored, while in reality tampering with
> packages on _any_ repository has the same outcome.

debian-security is already mirrored by some servers including



so you are not alone.  Oh yes, I am mirroring d-s too plus the
rest around 600 GByte currently including DVD and CD's.

It will be time for WD to pull out 300 GByte Raptor SATA's.
I have only 6 x 150 GByte (Raid5) and 2 x 36 GByte (Raid1)

Greetings
Michelle Konzack
Systemadministrator


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: first A record of security.debian.org extremely slow

2006-02-21 Thread Robert Lemmen
On Tue, Feb 21, 2006 at 09:23:07AM +, Brett Parker wrote:
> *blink* - erm, just out of interest, how does this help? This is just
> going to stop packets from going to that IP, it's not going to stop
> things resolving to that IP, so instead of getting a slow connection
> you're just going to get a connection refused... seems like an odd way
> of doing things - maybe it would be better to use a local caching
> nameserver that you can configure to filter out that IP when there is
> more than one A record available instead? (I can't think of a simple way
> of doing that off the top of my head, though)

it is an odd way, but it is simple and it works because apt will use the
other records if the blocked one fails (i do the same). messing with
your /etc/hosts isn't much better...

cu  robert

-- 
Robert Lemmen   http://www.semistable.com 




Re: first A record of security.debian.org extremely slow

2006-02-21 Thread martin f krafft
thus spoke Brett Parker <[EMAIL PROTECTED]> [2006.02.21.1023 +0100]:
> *blink* - erm, just out of interest, how does this help? This is just
> going to stop packets from going to that IP, it's not going to stop
> things resolving to that IP, so instead of getting a slow connection
> you're just going to get a connection refused...

... at which point APT will try the next record IIRC. I hope I am
not misremembering this...

> seems like an odd way of doing things - maybe it would be better
> to use a local caching nameserver that you can configure to filter
> out that IP when there is more than one A record available
> instead? (I can't think of a simple way of doing that off the top
> of my head, though)

It also bears the risk of hardcoding and forgetting, or missing an
update.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"if confronted with a choice between all the truth in god's right hand
 and the ever live struggle for truth, coupled with eternal error, in
 god's left, i would choose the left."
   -- gotthold lessing




Re: first A record of security.debian.org extremely slow

2006-02-21 Thread Brett Parker
On Tue, Feb 21, 2006 at 09:18:16AM +0100, martin f krafft wrote:
> thus spoke Michal Sabala <[EMAIL PROTECTED]> [2006.02.20.2328 +0100]:
> > host -t a security.debian.org
> > security.debian.org has address 82.94.249.158   <- slow
> 
> Please see 
>   http://lists.debian.org/debian-security/2006/02/msg00041.html
> 
> > Editing /etc/hosts to contain:
> > 128.101.80.133 security.debian.org
> > 
> > solves the problem. Our network is working properly BTW.
> 
> Please do not do this. A better fix is to REJECT 82.94.249.158/32
> with iptables:
> 
>   iptables -I OUTPUT -d 82.94.249.158/32 -j REJECT
> 
> (amend as needed). This leaves a round-robin of two servers rather
> than everyone banging on 128.101.80.133 (or the other one).

*blink* - erm, just out of interest, how does this help? This is just
going to stop packets from going to that IP, it's not going to stop
things resolving to that IP, so instead of getting a slow connection
you're just going to get a connection refused... seems like an odd way
of doing things - maybe it would be better to use a local caching
nameserver that you can configure to filter out that IP when there is
more than one A record available instead? (I can't think of a simple way
of doing that off the top of my head, though)

Cheers,
Brett.





Re: first A record of security.debian.org extremely slow

2006-02-21 Thread martin f krafft
thus spoke Michal Sabala <[EMAIL PROTECTED]> [2006.02.20.2328 +0100]:
> host -t a security.debian.org
> security.debian.org has address 82.94.249.158   <- slow

Please see 
  http://lists.debian.org/debian-security/2006/02/msg00041.html

> Editing /etc/hosts to contain:
> 128.101.80.133 security.debian.org
> 
> solves the problem. Our network is working properly BTW.

Please do not do this. A better fix is to REJECT 82.94.249.158/32
with iptables:

  iptables -I OUTPUT -d 82.94.249.158/32 -j REJECT

(amend as needed). This leaves a round-robin of two servers rather
than everyone banging on 128.101.80.133 (or the other one).

> Can somebody please take a look at 82.94.249.158 host/net please, please,
> please?

FWIW, this is not the list for such requests.
[EMAIL PROTECTED] are responsible for that.

> I'm considering starting to mirror security. I don't see a reason
> why security repository shouldn't be mirrored, while in reality
> tampering with packages on _any_ repository has the same outcome.

This has been discussed at length. Basically it's less to do with
tampering than with timeliness.

> Mike (not on the mailing list, please Cc).

Please set your Mail-Followup-Header correctly.

Cheers,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"faith means not wanting to know what is true."
 - friedrich nietzsche




Re: first A record of security.debian.org extremely slow

2006-02-20 Thread Michal Sabala
--- Rolf Kutz <[EMAIL PROTECTED]> wrote:

> * Quoting Michal Sabala ([EMAIL PROTECTED]):
> 
> > For the past month or so security updates have been very slow for us
> > (~5KB/sec). It appears that the first A record for the
> > security.debian.org is the problem.
> > 
> > host -t a security.debian.org
> > security.debian.org has address 82.94.249.158   <- slow
> > security.debian.org has address 128.101.80.133
> > security.debian.org has address 194.109.137.218
> 
> The order of the dns answers is random, IIRC:
> 
> ~$ dig +short security.debian.org A
> 128.101.80.133
> 194.109.137.218
> 82.94.249.158

Yes, I meant "the first of the records returned in the instance of host
below"

When doing updates, apt-get will connect to different A records of
security.debian.org, but the connection to 82.94.249.158 will always be the
slowest (at 5KB/sec) resulting in very long update times.

I saw that others also reported problems with tartini.debian.org
(82.94.249.158). Was anyone able to find out the cause? Where should one 
file a bug?

Thank You,

Mike





Re: first A record of security.debian.org extremely slow

2006-02-20 Thread Rolf Kutz
* Quoting Michal Sabala ([EMAIL PROTECTED]):

> For the past month or so security updates have been very slow for us
> (~5KB/sec). It appears that the first A record for the
> security.debian.org is the problem.
> 
> host -t a security.debian.org
> security.debian.org has address 82.94.249.158   <- slow
> security.debian.org has address 128.101.80.133
> security.debian.org has address 194.109.137.218

The order of the dns answers is random, IIRC:

~$ dig +short security.debian.org A
128.101.80.133
194.109.137.218
82.94.249.158

- Rolf





first A record of security.debian.org extremely slow

2006-02-20 Thread Michal Sabala
For the past month or so security updates have been very slow for us
(~5KB/sec). It appears that the first A record for the
security.debian.org is the problem.

host -t a security.debian.org
security.debian.org has address 82.94.249.158   <- slow
security.debian.org has address 128.101.80.133
security.debian.org has address 194.109.137.218

Editing /etc/hosts to contain:
128.101.80.133 security.debian.org

solves the problem. Our network is working properly BTW.

Can somebody please take a look at 82.94.249.158 host/net please, please,
please?

I'm considering starting to mirror security. I don't see a reason why
security repository shouldn't be mirrored, while in reality tampering with
packages on _any_ repository has the same outcome.

Thanks,

Mike (not on the mailing list, please Cc).

