Performance of security.debian.org?

2023-12-25 Thread наб
Hi!

Just now I upgraded firefox-esr on bookworm, from bookworm-security.
It's 60M, apt showed me ~90kB/s and projected 10 minutes.
And it did take like 10 minutes.

Two days ago, apt update projected to take, and took,
on the same order of time, I think also on security.d.o.
I gave up and pulled the package off snapshot.d.o,
so I didn't measure how long it would've taken to download.

Searching through the archives, I see a note about dropping rsync in
  https://lists.debian.org/debian-mirrors-announce/2019/11/msg0.html
which notes that security.d.o is available in HTTP at security.d.o only,
with mirrors discouraged, and a post about a security-cdn.d.o in
  https://lists.debian.org/debian-user/2018/08/msg01196.html
though while that user saw a security.d.o -> security-cdn.d.o redirect
I cannot reproduce this, and I see an identical rate when pulling from
security-cdn.d.o, an identical set of headers (two varnishes, two HITs),
and no redirects.

The latter links to https://www.debian.org/mirror/ftpmirror#what which says
> The debian-security/ archives contain the security updates released by
> the Debian security team. While it sounds interesting to everyone, we
> do not recommend to our users to use mirrors to obtain security
> updates and instead ask them to directly download them from our
> distributed security.debian.org service. We recommend debian-security
> not be mirrored.

OTOH, security.d.o points to some fastly-assigned IPs directly whereas
security-cdn.d.o is CNAME debian.map.fastlydns.net.

OTOOH, that mail is the /only/ place I see security-cdn.d.o referenced,
and https://www.debian.org/security/ doesn't list it as a mirror.
Well, AFAICT, most debian.org pages consider "the archive" and "mirrors"
to apply to the main archive only, and security.d.o may as well not
exist.

OTOOOH, this is the type of performance I'd expect from downloading
something off an uncached primary mirror in skibidi, ohio
(like, in recent memory, ftp.netbsd.org achieving 37.4kB/s
 vs its undocumented cdn.netbsd.org address which, uh. works).

Conversely, the "distributed" deb.debian.org address which is /also/
CNAME debian.map.fastlydns.net. yields normal speeds. This had also
been the case for security.d.o on the order of weeks-and-months back.

So, to this end:
  is this state expected?
  is this change expected?
  is this performance expected?
  if not, why not mirror security.d.o?

Thanks,
наб




Re: Bullseye security.debian.org codename misconfigured?

2022-01-23 Thread Cindy Sue Causey
On 1/23/22, Stefan Fritsch  wrote:
> On 22.01.22 at 21:07, Bjørn Mork wrote:
>> Stefan Fritsch  writes:
>>
>>> # cat /etc/apt/apt.conf.d/11-default-release
>>> APT::Default-Release "bullseye";
>>
>> Just don't do that.  It breaks all normal preferences and will end up
>> preferring "bullseye" over anything else.  Including
>> "bullseye-security".
>
> This used to work until buster. But it turns out the release-notes
> mention this problem and the correct syntax is now:
>
> APT::Default-Release "/^bullseye(|-security|-updates)$/";
>
>
> The failure mode of silently not installing security updates is bad,
> though. But I don't see an easy way to fix that. Maybe apt should print
> a warning if one uses a simple codename as Default-Release?


Congratulations on finding the fix. That's cool. It falls in line with
how the repositories are declared.

With respect to a proposed warning, I spent years naively a-suming
that security updates were part of the primary, single line repository
declaration. A little 4-watt light bulb went off overhead during a
Debian-User exchange a couple years ago. Prior to that thread, I'd
been on outside security tech lists and had seen major update
advisories but could never figure out why I was not seeing those same
packages update on my Debian.

This type of ongoing warning might upset some longstanding Users...
unless there was a way to have it only be once a month.. or.. maybe
have a way to trigger it off permanently via the command line
interface for e.g. apt and apt-get.

Another alternative could evolve into a teaching moment by having a
warning state where to turn the warning OFF in e.g. an apt or apt-get
config file. It could be something like the very fix found for this
current thread.

That might lead newer users to explore those types of files more and
thus learn more about the inner workings of Debian. It was something
along those lines that triggered my interest in regularly tearing into
my own install's files a number of years ago now. :)

Cindy :)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA
* runs with birdseed *



Re: Bullseye security.debian.org codename misconfigured?

2022-01-23 Thread Stefan Fritsch

On 22.01.22 at 21:07, Bjørn Mork wrote:
> Stefan Fritsch writes:
>
>> # cat /etc/apt/apt.conf.d/11-default-release
>> APT::Default-Release "bullseye";
>
> Just don't do that.  It breaks all normal preferences and will end up
> preferring "bullseye" over anything else.  Including
> "bullseye-security".


This used to work until buster. But it turns out the release-notes 
mention this problem and the correct syntax is now:


APT::Default-Release "/^bullseye(|-security|-updates)$/";


The failure mode of silently not installing security updates is bad, 
though. But I don't see an easy way to fix that. Maybe apt should print 
a warning if one uses a simple codename as Default-Release?
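
The failure mode described in this message can be checked mechanically: compare the configured APT::Default-Release against the Codename of every downloaded InRelease file. The script below is an added example, not part of the original post and not apt's own code; the function names and sample files are constructed, and it compares only the Codename field, whereas apt also accepts an archive name or version as Default-Release.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: only the Codename field is
# compared; apt itself also matches the archive (suite) name and the version.

# Print the value of APT::Default-Release found in an apt.conf fragment.
default_release_value() {
    sed -n 's/^[[:space:]]*APT::Default-Release[[:space:]]*"\(.*\)"[[:space:]]*;.*$/\1/p' "$1" |
        tail -n 1
}

# Return 0 when VALUE selects CODENAME. A value written as /regex/ is used as
# an extended regular expression; anything else must equal the codename.
default_release_matches() {
    value=$1 codename=$2
    case $value in
        /?*/)
            regex=${value#/}; regex=${regex%/}
            printf '%s\n' "$codename" | grep -Eq -- "$regex" ;;
        *)
            [ "$value" = "$codename" ] ;;
    esac
}

# Report every InRelease in LISTS_DIR whose Codename the configured
# Default-Release does not select. Those suites stay at priority 500 while
# the selected ones get 990, as in the apt-cache policy output in the thread.
audit_default_release() {
    conf=$1 lists_dir=$2
    value=$(default_release_value "$conf")
    [ -n "$value" ] || return 0      # no Default-Release set: nothing to audit
    for f in "$lists_dir"/*_InRelease; do
        [ -f "$f" ] || continue
        codename=$(sed -n 's/^Codename:[[:space:]]*//p' "$f" | head -n 1)
        default_release_matches "$value" "$codename" ||
            printf 'not selected: %s (%s)\n' "$codename" "${f##*/}"
    done
}

# Constructed sample: two list files carrying the Codename values quoted in
# the thread, audited against the plain codename and the release-notes regex.
demo() {
    dir=$(mktemp -d)
    printf 'Codename: bullseye\n' \
        > "$dir/deb.debian.org_debian_dists_bullseye_InRelease"
    printf 'Codename: bullseye-security\n' \
        > "$dir/security.debian.org_dists_bullseye-security_InRelease"
    printf 'APT::Default-Release "bullseye";\n' > "$dir/plain.conf"
    printf 'APT::Default-Release "/^bullseye(|-security|-updates)$/";\n' \
        > "$dir/regex.conf"
    echo "plain codename:"
    audit_default_release "$dir/plain.conf" "$dir"
    echo "release-notes regex:"
    audit_default_release "$dir/regex.conf" "$dir"
    rm -rf "$dir"
}

demo
```

On a real system the two arguments would be the apt.conf.d fragment and /var/lib/apt/lists; any line printed names a suite whose updates will not be preferred.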




Re: Bullseye security.debian.org codename misconfigured?

2022-01-22 Thread Bjørn Mork
Stefan Fritsch  writes:

> # cat /etc/apt/apt.conf.d/11-default-release
> APT::Default-Release "bullseye";

Just don't do that.  It breaks all normal preferences and will end up
preferring "bullseye" over anything else.  Including
"bullseye-security".

Use preferences instead if you need to tweak anything.  See
apt_preferences(5)


Bjørn



Re: Bullseye security.debian.org codename misconfigured?

2022-01-22 Thread Ulf Volmer



On 22.01.22 11:09, Stefan Fritsch wrote:
>  *** 5.10.84-1 990


The 990 looks like pinning for me.

Best regards
Ulf



Re: Bullseye security.debian.org codename misconfigured?

2022-01-22 Thread Gian Piero Carrubba

* [Sat, Jan 22, 2022 at 11:09:20AM +0100] Stefan Fritsch:
> I think the bullseye-security codename should be "bullseye" instead.
> Or am I missing something


The repo naming scheme has changed with bullseye. I do not have the
announcement at hand, however the old '/updates' is now
'-security', see https://www.debian.org/security/.


Hth,
Gian Piero.



Re: Bullseye security.debian.org codename misconfigured?

2022-01-22 Thread Stefan Fritsch

Hi Viktor,

On 22.01.22 at 11:34, SZÉPE Viktor wrote:
> Quoting Stefan Fritsch:
>
>> I have noticed that the latest linux security update is not installed
>> on my box. The package is available in
>>
>> # apt-cache policy linux-image-amd64
>> linux-image-amd64:
>>   Installed: 5.10.84-1
>>   Candidate: 5.10.84-1
>>   Version table:
>>      5.15.15-1 500
>>         500 http://mirror.hetzner.de/debian/packages unstable/main amd64 Packages
>>      5.10.92-1 500
>>         500 http://security.debian.org bullseye-security/main amd64 Packages
>>  *** 5.10.84-1 990
>>         990 http://mirror.hetzner.de/debian/packages bullseye/main amd64 Packages
>>         100 /var/lib/dpkg/status
>
> Hello Stefan!
>
> Try adding
>
> deb http://deb.debian.org/debian-security bullseye-security main contrib non-free
>
> Please see https://wiki.debian.org/NewInBullseye#Changes


This does not change anything and I did not expect it to. It would be 
rather strange if different URLs had different code-name settings. It is 
not that apt cannot load the lists, it just does not recognize that 
bullseye-security is the same as bullseye.


Cheers,
Stefan



Re: Bullseye security.debian.org codename misconfigured?

2022-01-22 Thread SZÉPE Viktor

Quoting Stefan Fritsch:

> Hi,
>
> I have noticed that the latest linux security update is not
> installed on my box. The package is available in
>
> # apt-cache policy linux-image-amd64
> linux-image-amd64:
>   Installed: 5.10.84-1
>   Candidate: 5.10.84-1
>   Version table:
>      5.15.15-1 500
>         500 http://mirror.hetzner.de/debian/packages unstable/main amd64 Packages
>      5.10.92-1 500
>         500 http://security.debian.org bullseye-security/main amd64 Packages
>  *** 5.10.84-1 990
>         990 http://mirror.hetzner.de/debian/packages bullseye/main amd64 Packages
>         100 /var/lib/dpkg/status

Hello Stefan!

Try adding

deb http://deb.debian.org/debian-security bullseye-security main contrib non-free

Please see https://wiki.debian.org/NewInBullseye#Changes


SZÉPE Viktor, webes alkalmazás üzemeltetés / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
~~~
ügyelet 🌶️ hotline: +36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, III. kerület








Bullseye security.debian.org codename misconfigured?

2022-01-22 Thread Stefan Fritsch



Hi,

I have noticed that the latest linux security update is not installed on 
my box. The package is available in


# apt-cache policy linux-image-amd64
linux-image-amd64:
  Installed: 5.10.84-1
  Candidate: 5.10.84-1
  Version table:
     5.15.15-1 500
        500 http://mirror.hetzner.de/debian/packages unstable/main amd64 Packages
     5.10.92-1 500
        500 http://security.debian.org bullseye-security/main amd64 Packages
 *** 5.10.84-1 990
        990 http://mirror.hetzner.de/debian/packages bullseye/main amd64 Packages
        100 /var/lib/dpkg/status


But apt-get dist-upgrade does not install it. I have

# cat /etc/apt/apt.conf.d/11-default-release
APT::Default-Release "bullseye";

and bullseye-security has

# grep -i code /var/lib/apt/lists/security.debian.org_dists_bullseye-security_InRelease
Codename: bullseye-security

while on buster, it's:

$ grep -i code /var/lib/apt/lists/security.debian.org_dists_buster_updates_InRelease
Codename: buster

No -security there.

I have no apt pinning configured on my box.

I think the bullseye-security codename should be "bullseye" instead. Or
am I missing something?


Cheers,
Stefan



Re: deb.debian.org vs security.debian.org

2021-08-19 Thread piorunz

On 19/08/2021 07:25, Daniel Lewart wrote:
> Debian Security,
>
> Is there a preferred sources.list URI for the Debian security
> repository between:
>    * http://deb.debian.org/debian-security
>    * http://security.debian.org/debian-security

Default in a freshly installed system is
deb http://security.debian.org/debian-security

I know because I installed bullseye fresh from installer.

Perhaps you could stick to that.


--

With kindest regards, piorunz.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄



Re: deb.debian.org vs security.debian.org

2021-08-19 Thread Gian Piero Carrubba

* [Thu, Aug 19, 2021 at 01:25:00AM -0500] Daniel Lewart:
> Is there a preferred sources.list URI for the Debian security
> repository between:
>  * http://deb.debian.org/debian-security
>  * http://security.debian.org/debian-security
>
> I asked in debian-devel and received two replies:
>  * https://lists.debian.org/debian-devel/2021/08/msg00166.html
>  * https://lists.debian.org/debian-devel/2021/08/msg00167.html
>  * https://lists.debian.org/debian-devel/2021/08/msg00172.html
> but no consensus.


AFAIK, what Peter said ("the security updates repository is 
intentionally not supposed to be mirrored") was true for a long time, 
but isn't since a while. I guess the bandwidth requirements became too 
onerous. As pabs said, currently "both of these URLs point at the Fastly 
CDN, so they are equivalent". Just pick one.


Ciao,
Gian Piero.



Re: deb.debian.org vs security.debian.org

2021-08-19 Thread Daniel Lewart
Georgi Naplatanov wrote:

> I have no opinion but found this
> https://wiki.debian.org/SourcesList

SZÉPE Viktor wrote:

> And there is this
> https://wiki.debian.org/NewInBullseye#Changes

Both of these were referenced in my original message:
https://lists.debian.org/debian-devel/2021/08/msg00166.html

Dan
Urbana, Illinois



Re: deb.debian.org vs security.debian.org

2021-08-18 Thread SZÉPE Viktor

Quoting Georgi Naplatanov:

> On 8/19/21 09:25, Daniel Lewart wrote:
>> Debian Security,
>>
>> Is there a preferred sources.list URI for the Debian security
>> repository between:
>>   * http://deb.debian.org/debian-security
>>   * http://security.debian.org/debian-security
>>
>> I asked in debian-devel and received two replies:
>>   * https://lists.debian.org/debian-devel/2021/08/msg00166.html
>>   * https://lists.debian.org/debian-devel/2021/08/msg00167.html
>>   * https://lists.debian.org/debian-devel/2021/08/msg00172.html
>> but no consensus.
>
> I have no opinion but found this
>
> https://wiki.debian.org/SourcesList
>
> Kind regards
> Georgi

And there is this

https://wiki.debian.org/NewInBullseye#Changes



SZÉPE Viktor, webes alkalmazás üzemeltetés / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
~~~
ügyelet 🌶️ hotline: +36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, III. kerület








Re: deb.debian.org vs security.debian.org

2021-08-18 Thread Georgi Naplatanov
On 8/19/21 09:25, Daniel Lewart wrote:
> Debian Security,
> 
> Is there a preferred sources.list URI for the Debian security
> repository between:
>   * http://deb.debian.org/debian-security
>   * http://security.debian.org/debian-security
> 
> I asked in debian-devel and received two replies:
>   * https://lists.debian.org/debian-devel/2021/08/msg00166.html
>   * https://lists.debian.org/debian-devel/2021/08/msg00167.html
>   * https://lists.debian.org/debian-devel/2021/08/msg00172.html
> but no consensus.
> 

I have no opinion but found this

https://wiki.debian.org/SourcesList

Kind regards
Georgi



deb.debian.org vs security.debian.org

2021-08-18 Thread Daniel Lewart
Debian Security,

Is there a preferred sources.list URI for the Debian security
repository between:
  * http://deb.debian.org/debian-security
  * http://security.debian.org/debian-security

I asked in debian-devel and received two replies:
  * https://lists.debian.org/debian-devel/2021/08/msg00166.html
  * https://lists.debian.org/debian-devel/2021/08/msg00167.html
  * https://lists.debian.org/debian-devel/2021/08/msg00172.html
but no consensus.

Thank you!
Daniel Lewart
Urbana, Illinois



Re: Bug#913913: Bug#931524: security.debian.org: bullseye security updates may be silently skipped on systems using apt pinning

2020-07-09 Thread Piotr Engelking
Julian Andres Klode :

> This seems the "best" outcome. In any case, we have about 2 years to
> figure this out and should keep things this way for now.

[...]

> Anyhow, we've got two years to fix this, no need to rush a "fix" out
> now.

One year has passed without rushing a fix, or any other action.

Are there any plans to address the issue before security updates start breaking?



rsync service on security.debian.org discontinued (use rsync.security.d.o instead)

2020-03-24 Thread Julien Cristau
Hi all,

As a reminder, in November[0] I wrote:

> For a long time, the Debian security mirrors have served the security
> archive via both HTTP and rsync.  As part of improving the reliability
> of security.debian.org for our users, the Debian mirrors team is going
> to separate those services to different host names:
> - http://security.debian.org/debian-security/ will remain the entry
>   point for HTTP clients such as apt
> - rsync://rsync.security.debian.org/debian-security/ is now
>   available for users and organizations who wish to mirror the entire
>   security archive.  (Though as noted at
>   https://www.debian.org/mirror/ftpmirror#what we do *not* recommend
>   doing this.)
> 
> rsync service on security.debian.org will stop in the near future (some
> time after the end of this month), and we encourage anyone relying on it
> to migrate to the new host name as soon as possible.

That has now happened.  security.debian.org no longer accepts
connections using rsync, so for continued mirroring of the security
archive you need to update your configuration to the new name.

[0]: https://lists.debian.org/debian-mirrors-announce/2019/11/msg0.html

Thanks,
Julien, for the Debian mirrors team




discontinuing rsync service on security.debian.org

2019-11-15 Thread Julien Cristau
Hi,

For a long time, the Debian security mirrors have served the security
archive via both HTTP and rsync.  As part of improving the reliability
of security.debian.org for our users, the Debian mirrors team is going
to separate those services to different host names:
- http://security.debian.org/debian-security/ will remain the entry
  point for HTTP clients such as apt
- rsync://rsync.security.debian.org/debian-security/ is now
  available for users and organizations who wish to mirror the entire
  security archive.  (Though as noted at
  https://www.debian.org/mirror/ftpmirror#what we do *not* recommend
  doing this.)

rsync service on security.debian.org will stop in the near future (some
time after the end of this month), and we encourage anyone relying on it
to migrate to the new host name as soon as possible.

Thanks,
Julien, for the Debian mirrors team




Re: Certificate errors with security.debian.org

2017-01-15 Thread Paul Wise
On Sun, Jan 15, 2017 at 1:41 PM, Tea Wrex wrote:

> I am unable to make HTTPS connections to https://security.debian.org/

security.d.o has never supported https. Some of the machines behind it
also host other services, some of which support https, which is why
you get certificate errors.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: Certificate errors with security.debian.org

2017-01-15 Thread Lupe Christoph
On Sunday, 2017-01-15 at 07:40:40 +0100, Scrap wrote:
> Are you sure the URL is correct? If I try to connect to
> https://security.debian.org/ from Chrome I receive: "ERR_CONNECTION_REFUSED".
> If I try without https I'm redirected to https://www.debian.org/security/ and
> this site has a trusted certificate.

$ telnet -4 -z ssl -z debug security.debian.org 443
Trying 212.211.132.32...
Trying 212.211.132.250...
Trying 195.20.242.89...
telnet: Unable to connect to remote host: Connection refused

I have no IPv6 internet access, so I can't try that.

HTH,
Lupe Christoph
-- 
| As everyone knows, it was predicted that the world would end last   |
| Wednesday at 10:00 PST.  Since there appears to be a world in existence |
| now, the entire universe must therefore have been recreated, complete   |
| with an apparent "history", last *Thursday*.  QED.  |
| Seanna Watson, <1992nov2.165142.11...@bcrka451.bnr.ca>  |



Re: Certificate errors with security.debian.org

2017-01-14 Thread Scrap
Are you sure the URL is correct? If I try to connect to
https://security.debian.org/ from Chrome I receive:
"ERR_CONNECTION_REFUSED". If I try without https I'm redirected to
https://www.debian.org/security/ and this site has a trusted certificate.



On 01/15/2017 06:41 AM, Tea Wrex wrote:
> I am unable to make HTTPS connections to https://security.debian.org/
> ... My browser said my connection is insecure when I attempt to visit
> that site.
>
> Also, the report from SSL Labs says the site is not trusted.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=security.debian.org
>
> What is the point of being able to use HTTPS in Apt's source.list if
> we cannot connect to security updates with HTTPS ?
>
> Yes, I understand that the security servers certificate authority is
> not loaded in my browser in Debian. Why is that? Your newest release
> added several certificate authorities, why not add your own?
>
> Please let us Debian users connect securely to
> https://security.debian.org/
>
> You know about https://letsencrypt.org/ Why not use a certificate from
> them in order to get your certificates trusted? Or else fix your trust
> issue another way. PLEASE?!
>
> Thanks!




Certificate errors with security.debian.org

2017-01-14 Thread Tea Wrex
I am unable to make HTTPS connections to https://security.debian.org/ ...
My browser said my connection is insecure when I attempt to visit that site.

Also, the report from SSL Labs says the site is not trusted.

https://www.ssllabs.com/ssltest/analyze.html?d=security.debian.org

What is the point of being able to use HTTPS in Apt's source.list if we
cannot connect to security updates with HTTPS ?

Yes, I understand that the security servers certificate authority is not
loaded in my browser in Debian. Why is that? Your newest release added
several certificate authorities, why not add your own?

Please let us Debian users connect securely to https://security.debian.org/

You know about https://letsencrypt.org/ Why not use a certificate from them
in order to get your certificates trusted? Or else fix your trust issue
another way. PLEASE?!

Thanks!


Re: Possible out of date mirrors of security.debian.org

2016-01-06 Thread Peter Palfrader
On Wed, 06 Jan 2016, Alex Brett wrote:

> Grabbing dists/jessie/updates/InRelease from each of these and
> looking at the Date header, two of them appear to be a few days out
> of date:
> InRelease.128.101.240.215:Date: Sun, 03 Jan 2016 20:01:14 UTC
> InRelease.128.31.0.63:Date: Wed, 06 Jan 2016 12:00:52 UTC
> InRelease.128.61.240.73:Date: Wed, 06 Jan 2016 12:00:52 UTC
> InRelease.149.20.20.19:Date: Sun, 03 Jan 2016 20:01:14 UTC
> 
> This has caused me to end up getting some hash sum mismatches by
> grabbing different bits from different IPs etc, so I imagine may be
> causing other people issues as well - is anybody able to resolve
> this?

Thanks for the report.  Fixed now, I think.

Cheers,
-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/



Possible out of date mirrors of security.debian.org

2016-01-06 Thread Alex Brett

Hi,

From a host on the West Coast of the US security.debian.org resolves to 
the following IPs:


149.20.20.19
128.101.240.215
128.31.0.63
128.61.240.73

Grabbing dists/jessie/updates/InRelease from each of these and looking 
at the Date header, two of them appear to be a few days out of date:

InRelease.128.101.240.215:Date: Sun, 03 Jan 2016 20:01:14 UTC
InRelease.128.31.0.63:Date: Wed, 06 Jan 2016 12:00:52 UTC
InRelease.128.61.240.73:Date: Wed, 06 Jan 2016 12:00:52 UTC
InRelease.149.20.20.19:Date: Sun, 03 Jan 2016 20:01:14 UTC

This has caused me to end up getting some hash sum mismatches by 
grabbing different bits from different IPs etc, so I imagine may be 
causing other people issues as well - is anybody able to resolve this?


Many thanks,
Alex Brett



W: Failed to fetch http://security.debian.org/dists/wheezy/updates/Release

2014-11-23 Thread AreYouLoco?
I am trying to build my live system using live build from git
repository-> version 4.0.3-1.

And I enabled --security "true" \ LB_SECURITY="true" option. I get:

W: Failed to fetch
http://security.debian.org/dists/wheezy/updates/Release  Unable to find
expected entry 'wheezy/updates/binary-i386/Packages' in Release file
(Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old
ones used instead.

And I checked and really there is no such file on the server but apt
should automatically choose Packages.bz2 or Packages.gz.

http://security.debian.org/dists/wheezy/updates/main/binary-i386/
[ICO]   Name               Last modified       Size
[DIR]   Parent Directory                       -
[ ]     Packages.bz2       20-Nov-2014 16:31   219K
[ ]     Packages.gz        20-Nov-2014 16:31   272K
[ ]     Release            04-Dec-2012 08:21   98
Apache Server at security.debian.org Port 80

I tried:

1. Adding:
-oAcquire::CompressionTypes::Order='bz2 gz'
-oAcquire::CompressionTypes::Order='bz2'
-oAcquire::CompressionTypes::Order='gz'
-oAcquire::CompressionTypes::Order='bz2, gz'
-oAcquire::CompressionTypes::Order='bz2; gz'


TO
--apt-options "" \ APT_OPTIONS=""

No success.

2. Adding rule:

Acquire::CompressionTypes::Order "bz2 gz";

TO
/config/apt/apt.conf
/config/includes.chroot/etc/apt.conf
/config/includes.binary/etc/apt.conf
/config/includes.bootstrap/etc/apt.conf

No success.

Cheers!
What now?







Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Michael Gilbert
On Mon, Nov 11, 2013 at 11:20 PM, Paul Wise wrote:
> On Tue, Nov 12, 2013 at 6:30 AM, Michael Gilbert wrote:
>
>> Which confirms my point.  That asterisk update, for example, required
>> no new package dependencies outside the security archive.
>
> You said no deps outside the security archive, not no new deps outside
> the security archive.

I agree, those 4 characters would have eliminated any opportunity for
that statement to be misread.

Best wishes,
Mike


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CANTw=MMg_4Ue=be1jzw1anpkmfy9d_nh4dzfopha6pqpdqz...@mail.gmail.com



Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Paul Wise
On Tue, Nov 12, 2013 at 6:30 AM, Michael Gilbert wrote:

> Which confirms my point.  That asterisk update, for example, required
> no new package dependencies outside the security archive.

You said no deps outside the security archive, not no new deps outside
the security archive.

Anyway, the point is that the security archive is not self-contained
like oldstable, stable, testing, unstable are, you always need the
main suite as well.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Michael Gilbert
On Mon, Nov 11, 2013 at 5:06 PM, Bastian Blank  wrote:
> On Mon, Nov 11, 2013 at 04:56:27PM -0500, Michael Gilbert wrote:
>> That isn't quite right since excepting mistakes, security updates will
>> never require packages outside the security archive.
>
> This is incorrect:
>
> | Package: asterisk-mysql
> | Depends: […] libc6 (>= 2.4), […]
>
> | $ apt-cache policy asterisk-mysql | grep wheezy
> | 500 http://security.debian.org/ wheezy/updates/main amd64 Packages
> | 500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages
>
> libc6 is _not_ shipped in the security archive:
>
> | $ apt-cache policy libc6 | grep wheezy
> | 500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages

Which confirms my point.  That asterisk update, for example, required
no new package dependencies outside the security archive.

Best wishes,
Mike





Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Bastian Blank
On Mon, Nov 11, 2013 at 04:56:27PM -0500, Michael Gilbert wrote:
> That isn't quite right since excepting mistakes, security updates will
> never require packages outside the security archive.

This is incorrect:

| Package: asterisk-mysql
| Depends: […] libc6 (>= 2.4), […]

| $ apt-cache policy asterisk-mysql | grep wheezy
|     500 http://security.debian.org/ wheezy/updates/main amd64 Packages
| 500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages

libc6 is _not_ shipped in the security archive:

| $ apt-cache policy libc6 | grep wheezy
| 500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages

Bastian

-- 
Without facts, the decision cannot be made logically.  You must rely on
your human intuition.
-- Spock, "Assignment: Earth", stardate unknown





Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Michael Gilbert
On Mon, Nov 11, 2013 at 6:17 AM, Norbert Kiszka wrote:
> Missing dependencies can break upgrade. For ex. one package from
> security-update can depend on other package, so it will not be
> installed. Unless You install it by hand.

That isn't quite right since excepting mistakes, security updates will
never require packages outside the security archive.

Best wishes,
Mike





Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-11 Thread Norbert Kiszka
On 2013-11-10 (Sun) at 19:50 +, adrelanos wrote:
> Hi!
> 
> How (un)safe would it be...? When using Debian while...
> 
> Not using:
> deb http://ftp.us.debian.org/debian stable main contrib non-free
> deb http://security.debian.org stable/updates main contrib non-free
> 
> Only using:
> deb http://security.debian.org stable/updates main contrib non-free
> 
> Does that change when using testing instead of stable? I.e...
> 
> Not using:
> deb http://ftp.us.debian.org/debian testing main contrib non-free
> deb http://security.debian.org testing/updates main contrib non-free
> 
> Only using:
> deb http://security.debian.org testing/updates main contrib non-free
> 
> Or the same question in other words: are sometimes updates fixing
> security issues released through repositories other than the security
> repository?
> 
> Why would someone interested in doing that? Getting fewer updates,
> saving bandwidth, time and system load.
> 
> Cheers,
> adrelanos
> 
> 

Missing dependencies can break upgrade. For ex. one package from
security-update can depend on other package, so it will not be
installed. Unless You install it by hand.






Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-10 Thread Sebastian Günther
* adrelanos (adrela...@riseup.net) [10.11.13 20:51]:
> Hi!
> 
> How (un)safe would it be...? When using Debian while...
> 
> Not using:
> deb http://ftp.us.debian.org/debian stable main contrib non-free
> deb http://security.debian.org stable/updates main contrib non-free
> 
> Only using:
> deb http://security.debian.org stable/updates main contrib non-free

the other problem is, that you will not be able to install any software 
which has never received any security fix:
e.g. neither vim nor nano are in the pool dir on that mirror.

Sebastian

-- 
 " Religion ist das Opium des Volkes. "  |   _   ASCII ribbon campaign 
  Karl Marx  |  ( )   against HTML e-mail  
 SEB@STI@N GÜNTHER   |   X   against M$ attachments
   mailto:deb...@teageek.de  |  / \   www.asciiribbon.org  





Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-10 Thread intrigeri
adrelanos wrote (10 Nov 2013 19:50:12 GMT) :
> Or the same question in other words: are sometimes updates fixing
> security issues released through repositories other than the security
> repository?

Yes: see every {,old}stable point-release release notes.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc





Re: How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-10 Thread Michael Gilbert
On Sun, Nov 10, 2013 at 2:50 PM, adrelanos wrote:
> Hi!
>
> How (un)safe would it be...? When using Debian while...
>
> Not using:
> deb http://ftp.us.debian.org/debian stable main contrib non-free
> deb http://security.debian.org stable/updates main contrib non-free
>
> Only using:
> deb http://security.debian.org stable/updates main contrib non-free

You would no longer get any point release updates, which while only
occurring every few months, often involve a lot of minor security
updates.

> Not using:
> deb http://ftp.us.debian.org/debian testing main contrib non-free
> deb http://security.debian.org testing/updates main contrib non-free
>
> Only using:
> deb http://security.debian.org testing/updates main contrib non-free

You would no longer get any updates at all, security or otherwise,
since testing security updates are no longer done via uploads to
testing-security.  They are done via uploads to unstable that
eventually transition.

Best wishes,
Mike





How (un)safe would Debian be when only using the security.debian.org repository?

2013-11-10 Thread adrelanos
Hi!

How (un)safe would it be...? When using Debian while...

Not using:
deb http://ftp.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free

Only using:
deb http://security.debian.org stable/updates main contrib non-free

Does that change when using testing instead of stable? I.e...

Not using:
deb http://ftp.us.debian.org/debian testing main contrib non-free
deb http://security.debian.org testing/updates main contrib non-free

Only using:
deb http://security.debian.org testing/updates main contrib non-free

Or the same question in other words: are sometimes updates fixing
security issues released through repositories other than the security
repository?

Why would someone be interested in doing that? Getting fewer updates,
saving bandwidth, time and system load.

Cheers,
adrelanos





Re: apt can't reach security.debian.org

2013-09-06 Thread Thijs Kinkhorst
On Thu, September 5, 2013 23:17, Luke L wrote:
> as root, I issue:
> apt-get update
>
> I get errors such as:
> Err http://security.debian.org squeeze/updates/main amd64 Packages
>   503  Forwarding failure

This error is most probably generated by some intermediate proxy between
your system and security.debian.org. Are you perhaps using a proxy, for
example something local like privoxy?


Cheers,
Thijs





Re: apt can't reach security.debian.org

2013-09-06 Thread Jérémie Balagna-Ranin
Hello,

I see :
---
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
---

Why have you both squeeze and wheezy in your sources.list?

Thanks,
Jérémie Balagna-Ranin
Computer engineering apprentice at EPITA


2013/9/5 Luke L 

> as root, I issue:
> apt-get update
>
> I get errors such as:
> Err http://security.debian.org squeeze/updates/main amd64 Packages
>   503  Forwarding failure
>
> Is this something to worry about?
>
> The relevant lines in my /etc/apt/sources.list are:
> deb http://security.debian.org/ wheezy/updates main contrib non-free
> deb http://security.debian.org/ squeeze/updates main contrib non-free
> deb-src http://security.debian.org/ squeeze/updates main contrib non-free
>
> Thanks for any insight
>
>


apt can't reach security.debian.org

2013-09-05 Thread Luke L
as root, I issue:
apt-get update

I get errors such as:
Err http://security.debian.org squeeze/updates/main amd64 Packages
  503  Forwarding failure

Is this something to worry about?

The relevant lines in my /etc/apt/sources.list are:
deb http://security.debian.org/ wheezy/updates main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free

Thanks for any insight


Re: About adding security.debian.org ipv6 to iptables, which range should we add?

2013-05-07 Thread Stephen Gran
Hello,

This one time, at band camp, Stefan Eriksson said:
> Hi, now and again we get a timeout when looking up
> security.debian.org while running apt-get update. We have traced it
> to the IPv6 addresses we get. It seems like they change (and as IPv6
> has priority over IPv4 we are affected). Which IPv6 range should we
> open in iptables to have full access to security.debian.org over IPv6?
> (Also IPv4 would be great, but this doesn't seem to change.) We'd
> like to have the IP ranges so we can open for these, so we don't have
> to re-look up the domain and run the same rule again.
> 
> A dig today gives three pointers and a few days ago we had a
> different result.

security.debian.org is a set of mirrors, but what answer you get
depends on where in the world you appear to be coming from, and
maintenance periods and so on.

You can look here: http://db.debian.org/machines.cgi for all the
machines with a 'purpose' field set to 'security.debian.org mirror', and
hope that you can keep up to date, or you can use a web proxy for
outbound access.

Cheers,
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :sg...@debian.org |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: About adding security.debian.org ipv6 to iptables, which range should we add?

2013-05-06 Thread Florian Weimer
* Stefan Eriksson:

> Hi, now and again we get a timeout when looking up security.debian.org
> while running apt-get update. We have traced it to the IPv6 addresses
> we get. It seems like they change (and as IPv6 has priority over IPv4
> we are affected). Which IPv6 range should we open in iptables to have
> full access to security.debian.org over IPv6? (Also IPv4 would be
> great, but this doesn't seem to change.)

The IPv6 addresses change as well.  You should use a
tightly-controlled proxy or an internal mirror.





About adding security.debian.org ipv6 to iptables, which range should we add?

2013-05-03 Thread Stefan Eriksson
Hi, now and again we get a timeout when looking up security.debian.org 
while running apt-get update. We have traced it to the IPv6 addresses we 
get. It seems like they change (and as IPv6 has priority over IPv4 we are 
affected). Which IPv6 range should we open in iptables to have full 
access to security.debian.org over IPv6? (Also IPv4 would be great, but 
this doesn't seem to change.) We'd like to have the IP ranges so we can 
open for these, so we don't have to re-look up the domain and run the 
same rule again.


A dig today gives three pointers and a few days ago we had a different 
result.


Thanks.
Stefan





Re: Wrong checksum on security.debian.org Squeeze source?

2011-04-25 Thread Mark Hymers
On Mon, 25, Apr, 2011 at 09:27:04AM +, Colin Watson spoke thus..
> Agreed.  I see
> http://security.debian.org/dists/squeeze/updates/Release.new with a
> timestamp more like Packages.bz2; the Release and Release.gpg files have
> timestamps eight hours or so earlier.  It looks to me as if the archive
> run was interrupted part-way through, or failed.  CCing ftpmaster.

A fix should be heading to the security mirrors now.

Mark

-- 
Mark Hymers 

"Don't you hate those Claims Direct adverts?
 'I slipped on a banana skin and sued the Dominican Republic!'"
 Linda Smith on the News Quiz talking about the Compensation Culture





Re: Wrong checksum on security.debian.org Squeeze source?

2011-04-25 Thread Colin Watson
On Mon, Apr 25, 2011 at 11:19:25AM +0200, Yves-Alexis Perez wrote:
> W: Failed to fetch
> http://security.debian.org/dists/squeeze/updates/main/binary-amd64/Packages.bz2
>   Hash Sum mismatch

Agreed.  I see
http://security.debian.org/dists/squeeze/updates/Release.new with a
timestamp more like Packages.bz2; the Release and Release.gpg files have
timestamps eight hours or so earlier.  It looks to me as if the archive
run was interrupted part-way through, or failed.  CCing ftpmaster.

-- 
Colin Watson   [cjwat...@debian.org]





Wrong checksum on security.debian.org Squeeze source?

2011-04-25 Thread Yves-Alexis Perez
Hey,

it seems that there's an issue with the current security sources:

W: Failed to fetch
http://security.debian.org/dists/squeeze/updates/main/binary-amd64/Packages.bz2 
 Hash Sum mismatch

I get:

curl -s http://security.debian.org/dists/squeeze/updates/main/binary-amd64/Packages.bz2 | sha256sum
4f3f81320ab7aee3d84772940cb5c8604d0b758f56839dddf327cb105bb24f74  -

and:

curl -s http://security.debian.org/dists/squeeze/updates/Release | grep main/binary-amd64/Packages.bz2 | tail -n1
 a5a1aa63068f6176c543a70d0ba3c8768fdc46b4306a630e417ac3ba74470305 75040 main/binary-amd64/Packages.bz2


Same thing seems to happen with the other packages files.

That looks a bit concerning, can someone with access investigate the
issue and report back?

Regards,
-- 
Yves-Alexis




Re: ipv6 and security.debian.org

2010-01-14 Thread Eelco Jepkema

Michael Stone wrote:
> On Wed, Jan 13, 2010 at 06:18:02PM -0600, Boyd Stephen Smith Jr. wrote:
>> IPv6 uses path MTU detection.
>
> So does IPv4 these days, doesn't mean people don't break it. :-)
>
> Mike Stone

Please ignore my original message.

I was certain that I'd checked my firewall wasn't causing the problem. 
But guess what, my firewall was the problem :(.


All is working as it should be and I am one step closer to understanding 
ipv6, thanks all for the help and suggestions.


Best regards,
Eelco Jepkema





Re: ipv6 and security.debian.org

2010-01-13 Thread Michael Stone

On Wed, Jan 13, 2010 at 06:18:02PM -0600, Boyd Stephen Smith Jr. wrote:
> IPv6 uses path MTU detection.

So does IPv4 these days, doesn't mean people don't break it. :-)

Mike Stone





Re: ipv6 and security.debian.org

2010-01-13 Thread Boyd Stephen Smith Jr.
On Wednesday 13 January 2010 14:06:12 Michael Stone wrote:
> On Wed, Jan 13, 2010 at 08:59:18PM +0100, Martin Zobel-Helas wrote:
> >Can you give us a tcptraceroute6 from your machine to security.d.o?
> 
> Also, can you download from other servers with ipv6? Could be local mtu
> issue if nothing works. (Ping would be ok, but large TCP downloads would
> flake out.)

IPv6 uses path MTU detection.  Unless you have something seriously screwy with 
your setup, MTUs (above the minimum) should not be an issue with IPv6.
-- 
Boyd Stephen Smith Jr.   ,= ,-_-. =.
b...@iguanasuicide.net  ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/\_/


signature.asc
Description: This is a digitally signed message part.


Re: ipv6 and security.debian.org

2010-01-13 Thread Michael Stone

On Wed, Jan 13, 2010 at 08:59:18PM +0100, Martin Zobel-Helas wrote:
> Can you give us a tcptraceroute6 from your machine to security.d.o?

Also, can you download from other servers with ipv6? Could be local mtu 
issue if nothing works. (Ping would be ok, but large TCP downloads would 
flake out.)


Mike Stone





Re: ipv6 and security.debian.org

2010-01-13 Thread Martin Zobel-Helas
Hi, 

On Wed Jan 13, 2010 at 17:37:20 +0100, Eelco Jepkema wrote:
> Hi,
> 
> I've recently been allocated an ipv6 block to test ipv6 with. This
> however has created a problem for me.
> 
> # ping6 security.debian.org
> PING security.debian.org(2001:a78::16) 56 data bytes
> 64 bytes from 2001:a78::16: icmp_seq=1 ttl=58 time=117 ms
> 64 bytes from 2001:a78::16: icmp_seq=2 ttl=58 time=58.3 ms

That looks good.

> 
> # dig -t AAAA security.debian.org
> 
> ; <<>> DiG 9.5.1-P3 <<>> -t AAAA security.debian.org
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40453
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;security.debian.org.   IN  AAAA
> 
> ;; ANSWER SECTION:
> security.debian.org.  263  IN  AAAA  2001:a78::16
> security.debian.org.  263  IN  AAAA  2001:8d8:2:1:6564:a62:0:2
> security.debian.org.  263  IN  AAAA  2001:a78::1a

That is european view from GeoDNS.

> 
> This seems to work then. Now however I do "apt-get update" but it hangs
> on security.debian.org.
> 
> Am i doing something wrong or is security.debian.org doing something
> wrong (i.e. not making the mirrors available on http ipv6)?
> 
> On a related note, as a workaround for this problem I went looking for a
> '-4' option (or alike) to force apt-get to use ipv4 but couldn't find
> one. Is such an APT config option available?

Can you give us a tcptraceroute6 from your machine to security.d.o?

Greetings
Martin

-- 
 Martin Zobel-Helas   | Debian System Administrator
 Debian & GNU/Linux Developer   |   Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870





Re: ipv6 and security.debian.org

2010-01-13 Thread Michael Stone

On Wed, Jan 13, 2010 at 05:37:20PM +0100, Eelco Jepkema wrote:
> ;; ANSWER SECTION:
> security.debian.org.  263  IN  AAAA  2001:a78::16
> security.debian.org.  263  IN  AAAA  2001:8d8:2:1:6564:a62:0:2
> security.debian.org.  263  IN  AAAA  2001:a78::1a
>
> This seems to work then. Now however I do "apt-get update" but it hangs
> on security.debian.org.
>
> Am i doing something wrong or is security.debian.org doing something
> wrong (i.e. not making the mirrors available on http ipv6)?

In general, ipv6 security updates work fine (I've been using them for a 
while). Note that the server you get is determined by where you are:

;; ANSWER SECTION:
security.debian.org.  32  IN  AAAA  2001:4f8:8:36::6

so there might be a problem with your particular mirror; you might try 
contacting mirr...@debian.org.


Mike Stone





ipv6 and security.debian.org

2010-01-13 Thread Eelco Jepkema
Hi,

I've recently been allocated an ipv6 block to test ipv6 with. This
however has created a problem for me.

# ping6 security.debian.org
PING security.debian.org(2001:a78::16) 56 data bytes
64 bytes from 2001:a78::16: icmp_seq=1 ttl=58 time=117 ms
64 bytes from 2001:a78::16: icmp_seq=2 ttl=58 time=58.3 ms

# dig -t AAAA security.debian.org

; <<>> DiG 9.5.1-P3 <<>> -t AAAA security.debian.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40453
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;security.debian.org.   IN  AAAA

;; ANSWER SECTION:
security.debian.org.  263  IN  AAAA  2001:a78::16
security.debian.org.  263  IN  AAAA  2001:8d8:2:1:6564:a62:0:2
security.debian.org.  263  IN  AAAA  2001:a78::1a


This seems to work then. Now however I do "apt-get update" but it hangs
on security.debian.org.

Am i doing something wrong or is security.debian.org doing something
wrong (i.e. not making the mirrors available on http ipv6)?

On a related note, as a workaround for this problem I went looking for a
'-4' option (or alike) to force apt-get to use ipv4 but couldn't find
one. Is such an APT config option available?

Best regards,
Eelco Jepkema





Re: Problems with 130.89.175.54 (security.debian.org) host?

2008-06-25 Thread Arthur de Jong
On Tue, 2008-06-17 at 15:38 -0500, Bob Tanner wrote:
> Last several days I'm having problems accessing 130.89.175.54, a  
> server in the security.debian.org rotation.

Probably related to this:
http://lists.debian.org/debian-infrastructure-announce/2008/06/msg1.html
(kassia.debian.org is 130.89.175.54)

-- 
-- arthur - [EMAIL PROTECTED] - http://people.debian.org/~adejong --




Re: Problems with 130.89.175.54 (security.debian.org) host?

2008-06-18 Thread Bob Tanner


On Jun 17, 2008, at 8:04 PM, Roger Bumgarner wrote:
> Can you be more specific?

Things are ok today. The specific issue was huge latency to this mirror.

Just seemed suspicious that multiple networks from multiple locations
in the midwest (US) all had huge latency to this security mirror.

I appreciate the quick response.

--
Bob Tanner <[EMAIL PROTECTED]>   | Phone : (952)943-8700
http://www.real-time.com, Debian Linux, OSX | Fax   : (952)943-8500
Key fingerprint = F785 DDFC CF94 7CE8 AA87 3A9D 3895 26F1 0DDB E378











Re: Problems with 130.89.175.54 (security.debian.org) host?

2008-06-17 Thread Roger Bumgarner
Can you be more specific?

Firefox directed me to a Debian Security information page.

Shambhala:~$ ping 130.89.175.54
PING 130.89.175.54 (130.89.175.54): 56 data bytes
64 bytes from 130.89.175.54: icmp_seq=0 ttl=50 time=185.875 ms
64 bytes from 130.89.175.54: icmp_seq=1 ttl=50 time=186.113 ms
64 bytes from 130.89.175.54: icmp_seq=2 ttl=50 time=188.160 ms
64 bytes from 130.89.175.54: icmp_seq=3 ttl=50 time=184.258 ms
64 bytes from 130.89.175.54: icmp_seq=4 ttl=50 time=187.370 ms
64 bytes from 130.89.175.54: icmp_seq=5 ttl=50 time=187.952 ms
64 bytes from 130.89.175.54: icmp_seq=6 ttl=50 time=200.035 ms
64 bytes from 130.89.175.54: icmp_seq=7 ttl=50 time=186.768 ms
64 bytes from 130.89.175.54: icmp_seq=8 ttl=50 time=189.537 ms
^C
--- 130.89.175.54 ping statistics ---
9 packets transmitted, 9 packets received, 0% packet loss
round-trip min/avg/max/stddev = 184.258/188.452/200.035/4.338 ms

Shambhala:~$ traceroute 130.89.175.54
traceroute to 130.89.175.54 (130.89.175.54), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  5.108 ms  2.272 ms  3.337 ms
 2  * * *
 3  ge-3-8-ur01.bellevue.wa.seattle.comcast.net (68.85.241.97)
167.503 ms  13.891 ms  47.210 ms
 4  te-9-3-ur02.bellevue.wa.seattle.comcast.net (68.86.96.70)  11.095
ms  11.783 ms  13.350 ms
 5  te-8-3-ar02.seattle.wa.seattle.comcast.net (68.86.96.73)  15.524
ms  22.418 ms  13.693 ms
 6  * te-9-1-ar02.seattle.wa.seattle.comcast.net (68.86.90.210)  18.534 ms *
 7  * * *
 8  TenGigabitethernet1-4.ar5.SEA1.gblx.net (64.209.111.93)  14.211 ms
 23.079 ms  22.895 ms
 9  64.209.105.158 (64.209.105.158)  185.252 ms  183.511 ms  187.024 ms
10  AF-500.XSR01.Amsterdam1A.surf.net (145.145.80.9)  198.528 ms
182.712 ms  195.694 ms
11  UTwente-router.Customer.surf.net (145.145.4.2)  192.900 ms
796.140 ms  200.269 ms
12  kassia.snt.utwente.nl (130.89.175.54)  185.290 ms  183.573 ms  184.676 ms

http://samspade.org/whois/130.89.175.54

I'm on the West Coast (Seattle WA area) and am having no problems,
however, a more specific description would help.

my remote shell (somewhere in the US?) has no problems.

[EMAIL PROTECTED]:~$ ping 130.89.175.54
PING 130.89.175.54 (130.89.175.54): 56 data bytes
64 bytes from 130.89.175.54: icmp_seq=0 ttl=56 time=128.403 ms
64 bytes from 130.89.175.54: icmp_seq=1 ttl=56 time=128.358 ms
64 bytes from 130.89.175.54: icmp_seq=2 ttl=56 time=128.259 ms
64 bytes from 130.89.175.54: icmp_seq=3 ttl=56 time=128.257 ms
64 bytes from 130.89.175.54: icmp_seq=4 ttl=56 time=128.537 ms
--- 130.89.175.54 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 128.257/128.362/128.537/0.464 ms
[EMAIL PROTECTED]:~$ traceroute 130.89.175.54
traceroute to 130.89.175.54 (130.89.175.54), 64 hops max, 40 byte packets
 1  fa-0-24.ucg-as29.tpa.sagonet.net (66.111.62.1)  1.97 ms  0.897 ms  0.807 ms
 2  ve20.core01a.tpa.sagonet.net (65.110.32.65)  0.579 ms  6.351 ms  0.651 ms
 3  ge-2-1-0.403.ar2.TPA1.gblx.net (64.213.33.49)  1.48 ms  1.51 ms
ge-2-1-0.402.ar2.TPA1.gblx.net (64.208.17.93)  1.113 ms
 4  ge1-4-10G.ar2.AMS1.gblx.net (67.17.110.17)  128.144 ms  127.972 ms
 128.116 ms
 5  64.209.105.158 (64.209.105.158)  126.513 ms  126.900 ms  127.126 ms
 6  AF-500.XSR01.Amsterdam1A.surf.net (145.145.80.9)  126.635 ms
126.824 ms  126.952 ms
 7  UTwente-router.Customer.surf.net (145.145.4.2)  124.643 ms
123.743 ms  124.203 ms
 8  kassia.snt.utwente.nl (130.89.175.54)  128.779 ms  128.382 ms  128.241 ms

I'd wager the problem is localized to you unless you're having some
sort of serious security related issue with the mirror that we need to
all be worried about.

Good luck :D

-rb

On Tue, Jun 17, 2008 at 1:38 PM, Bob Tanner <[EMAIL PROTECTED]> wrote:
> Last several days I'm having problems accessing 130.89.175.54, a server in
> the security.debian.org rotation.
>
> This is from systems across the midwest of America.
>
> Is there a known problem with this host?
>
> Just my network and systems?
>
> --
> Bob Tanner <[EMAIL PROTECTED]>   | Phone : (952)943-8700
> http://www.real-time.com, Debian Linux, OSX | Fax   : (952)943-8500
> Key fingerprint = F785 DDFC CF94 7CE8 AA87 3A9D 3895 26F1 0DDB E378
>
>
>
>
>
>
>
>





Problems with 130.89.175.54 (security.debian.org) host?

2008-06-17 Thread Bob Tanner
Last several days I'm having problems accessing 130.89.175.54, a  
server in the security.debian.org rotation.


This is from systems across the midwest of America.

Is there a known problem with this host?

Just my network and systems?

--
Bob Tanner <[EMAIL PROTECTED]>   | Phone : (952)943-8700
http://www.real-time.com, Debian Linux, OSX | Fax   : (952)943-8500
Key fingerprint = F785 DDFC CF94 7CE8 AA87 3A9D 3895 26F1 0DDB E378











Re: security.debian.org: MD5Sum mismatch

2007-08-18 Thread Lupe Christoph
On Friday, 2007-08-17 at 11:22:11 +0200, Lupe Christoph wrote:

> Failed to fetch 
> http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2
>   MD5Sum mismatch

> (I have only checked one server for the Release file, so I'm only
> assuming that the file is the same on all three servers.)

I should have:

Release-128.31.0.36: b6465c8fe5c1ecb2eb67d22100a78dd7 45569 main/binary-i386/Packages.bz2
Release-212.211.132.250: 08acc34481f83825a7335fad039baeb4 45591 main/binary-i386/Packages.bz2
Release-212.211.132.32: 08acc34481f83825a7335fad039baeb4 45591 main/binary-i386/Packages.bz2

08acc34481f83825a7335fad039baeb4  Packages-128.31.0.36.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.250.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.32.bz2

128.31.0.36 aka steffani.debian.org is out of step. Please resync.

Lupe Christoph
-- 
| The whole aim of practical politics is to keep the populace alarmed|
| (and hence clamorous to be led to safety) by menacing it with an   |
| endless series of hobgoblins, all of them imaginary.   |
| H. L. Mencken, "In Defense of Women", 1918 |





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread Martin Zobel-Helas
Hi, 

On Fri Aug 17, 2007 at 13:12:34 +0200, Lupe Christoph wrote:
> On Friday, 2007-08-17 at 10:46:32 +, [EMAIL PROTECTED] wrote:
> > On Fri, Aug 17, 2007 at 12:20:34PM +0200, Lupe Christoph wrote:
> 
> > > I *wish* those updates
> > > were atomic, but they probably aren't.
> 
> > why not though ?
> 
> Because they involve a lot of files. You would have to use two areas
> that contain alternating generations and switch the (http|ftp|rsync)
> servers between them. Only that switch can be atomic.
> 
> Doing this would make the operation of the server a lot more complicated
> and thus less robust.

Official debian mirrors usually should use 
rsync --delay-updates --delete-after
to avoid such problems. I am using that now for quite a while on
debian.netcologne.de, and didn't hear any user in the last years
complaining our mirror would be broken.

Greetings
Martin

-- 
[EMAIL PROTECTED] /root]# man real-life
No manual entry for real-life





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread Lupe Christoph
On Friday, 2007-08-17 at 10:46:32 +, [EMAIL PROTECTED] wrote:
> On Fri, Aug 17, 2007 at 12:20:34PM +0200, Lupe Christoph wrote:

> > I *wish* those updates
> > were atomic, but they probably aren't.

> why not though ?

Because they involve a lot of files. You would have to use two areas
that contain alternating generations and switch the (http|ftp|rsync)
servers between them. Only that switch can be atomic.

Doing this would make the operation of the server a lot more complicated
and thus less robust.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |
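
The two-area scheme described in this message, next to the interrupted in-place update that produces the mismatches reported in these threads, as an added example that is not part of the original message or of Debian's archive tooling. The directory names, the `current` symlink used as the switch, and the package data are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile


def write_generation(root, name, packages):
    """Write a complete generation (index plus a Release naming its hash)
    into its own directory, away from what clients currently read."""
    gen = os.path.join(root, name)
    os.makedirs(gen)
    with open(os.path.join(gen, "Packages"), "wb") as fh:
        fh.write(packages)
    digest = hashlib.sha256(packages).hexdigest()
    with open(os.path.join(gen, "Release"), "w") as fh:
        fh.write(f"SHA256:\n {digest} {len(packages)} Packages\n")
    return gen


def switch(root, name, link="current"):
    """Point root/link at generation `name` in one step: create a temporary
    symlink, then rename it over the live one (rename is atomic on POSIX)."""
    tmp = os.path.join(root, f".{link}.tmp")
    if os.path.lexists(tmp):
        os.remove(tmp)
    os.symlink(name, tmp)
    os.replace(tmp, os.path.join(root, link))


def consistent(tree):
    """True if the Release in `tree` matches the Packages file next to it."""
    with open(os.path.join(tree, "Packages"), "rb") as fh:
        data = fh.read()
    with open(os.path.join(tree, "Release")) as fh:
        digest, size, _ = fh.read().splitlines()[1].split()
    return hashlib.sha256(data).hexdigest() == digest and len(data) == int(size)


def in_place_update(tree, packages):
    """The non-atomic alternative: overwrite Packages in the live tree and
    stop before Release is rewritten, as an interrupted run would."""
    with open(os.path.join(tree, "Packages"), "wb") as fh:
        fh.write(packages)


def demo():
    """Return (live tree stayed consistent across a staged switch,
               live tree consistent after an interrupted in-place update)."""
    with tempfile.TemporaryDirectory() as root:
        write_generation(root, "gen-a", b"Package: example\nVersion: 1.0-1\n")
        switch(root, "gen-a")
        live = os.path.join(root, "current")
        # Stage the next generation while clients keep reading gen-a.
        write_generation(root, "gen-b", b"Package: example\nVersion: 1.0-2\n")
        before = consistent(live)
        switch(root, "gen-b")
        staged_ok = before and consistent(live) and os.readlink(live) == "gen-b"
        # Now touch the live tree directly and get interrupted part-way.
        in_place_update(os.path.realpath(live), b"Package: example\nVersion: 1.0-3\n")
        return staged_ok, consistent(live)


if __name__ == "__main__":
    print(demo())
```

The switch only guarantees that the served tree is consistent at every instant; a client that fetches Release before the switch and Packages after it can still see a mismatch.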





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread paddy
On Fri, Aug 17, 2007 at 12:20:34PM +0200, Lupe Christoph wrote:
> On Friday, 2007-08-17 at 12:12:38 +0200, Jonas Andradas wrote:
> 
> > how long have you noticed this mismatch?   I mean, an update on the mirror
> > could be taking place, and the Packages.bz2 file not yet been updated...
> 
> > On 8/17/07, Lupe Christoph <[EMAIL PROTECTED]> wrote:
> 
> > > Failed to fetch
> > > http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2
> > >   MD5Sum
> > > mismatch
> 
> You're right, this can be caused by an update. (I *wish* those updates
> were atomic, but they probably aren't.) 

why not though?

Regards,
Paddy





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread Lupe Christoph
On Friday, 2007-08-17 at 12:12:38 +0200, Jonas Andradas wrote:

> how long have you noticed this mismatch?   I mean, an update on the mirror
> could be taking place, and the Packages.bz2 file not yet been updated...

> On 8/17/07, Lupe Christoph <[EMAIL PROTECTED]> wrote:

> > Failed to fetch
> > http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2
> >   MD5Sum
> > mismatch

You're right, this can be caused by an update. (I *wish* those updates
were atomic, but they probably aren't.) It's been like that since noon
local time yesterday:

/dists/testing/updates/main/binary-i386/Packages.bz2 16-Aug-2007 12:51
/dists/testing/updates/Release   16-Aug-2007 12:48

I don't know which timezone these servers run in.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |





Re: security.debian.org: MD5Sum mismatch

2007-08-17 Thread Jonas Andradas
Hello Lupe,

how long have you noticed this mismatch?   I mean, an update on the mirror
could be taking place, and the Packages.bz2 file not yet been updated...

Jonás.

On 8/17/07, Lupe Christoph <[EMAIL PROTECTED]> wrote:
>
> Hi!
>
> I can't apt-get update testing/updates main:
>
> Failed to fetch
> http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2
>   MD5Sum
> mismatch
>
> The Release file has this MD5 sum:
> b6465c8fe5c1ecb2eb67d22100a78dd7 45569 main/binary-i386/Packages.bz2
>
> The Packages.bz2 files from all three servers have the same, different
> sum:
> 08acc34481f83825a7335fad039baeb4  Packages-128.31.0.36.bz2
> 08acc34481f83825a7335fad039baeb4  Packages-212.211.132.250.bz2
> 08acc34481f83825a7335fad039baeb4  Packages-212.211.132.32.bz2
>
> (I have only checked one server for the Release file, so I'm only
> assuming that the file is the same on all three servers.)
>
> Is anybody capable of correcting this situation reading this list?
>
> Thank you,
> Lupe Christoph
> --
> | You know we're sitting on four million pounds of fuel, one nuclear |
> | weapon and a thing that has 270,000 moving parts built by the lowest   |
> | bidder. Makes you feel good, doesn't it?   |
> | Rockhound in "Armageddon", 1998, about the Space Shuttle   |
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
>
>


security.debian.org: MD5Sum mismatch

2007-08-17 Thread Lupe Christoph
Hi!

I can't apt-get update testing/updates main:

Failed to fetch 
http://security.debian.org/dists/testing/updates/main/binary-i386/Packages.bz2  
MD5Sum mismatch

The Release file has this MD5 sum:
 b6465c8fe5c1ecb2eb67d22100a78dd7 45569 main/binary-i386/Packages.bz2

The Packages.bz2 files from all three servers have the same, different
sum:
08acc34481f83825a7335fad039baeb4  Packages-128.31.0.36.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.250.bz2
08acc34481f83825a7335fad039baeb4  Packages-212.211.132.32.bz2

(I have only checked one server for the Release file, so I'm only
assuming that the file is the same on all three servers.)

Is anybody capable of correcting this situation reading this list?

Thank you,
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?   |
| Rockhound in "Armageddon", 1998, about the Space Shuttle   |
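The comparison made by hand in the post above (the digest a Release file lists for an index against the digest of the file actually served), as an added example that is not part of the original post and is not apt's own code. It also accepts the SHA256 section, which goes beyond the MD5Sum case in the post; the function names and fixture files are constructed, and the Release file is assumed to have been authenticated separately.

```shell
#!/bin/sh
# Added example with constructed data; not apt's own code.
# Assumption: the Release file itself was already authenticated by other means.

# release_entry RELEASE SECTION PATH
# Prints "digest size" for PATH as listed under SECTION, or returns 1.
release_entry() {
    awk -v section="$2:" -v path="$3" '
        /^[^ ]/ { in_section = ($1 == section) }   # unindented line: a new field starts
        in_section && /^ / && $3 == path { print $1, $2; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# verify_index RELEASE SECTION PATH FILE
# Returns 0 on match, 1 on digest or size mismatch, 2 if PATH is not listed
# (or SECTION is not supported here).
verify_index() {
    case "$2" in
        MD5Sum) tool=md5sum ;;
        SHA256) tool=sha256sum ;;
        *) echo "unsupported section: $2" >&2; return 2 ;;
    esac
    entry=$(release_entry "$1" "$2" "$3") || {
        echo "$3: not listed under $2" >&2
        return 2
    }
    want_sum=${entry% *}
    want_size=${entry#* }
    have_sum=$("$tool" < "$4" | cut -d' ' -f1)
    have_size=$(wc -c < "$4" | tr -d ' ')
    if [ "$have_sum" = "$want_sum" ] && [ "$have_size" = "$want_size" ]; then
        return 0
    fi
    echo "$3: Release lists $want_sum ($want_size bytes)," \
         "file has $have_sum ($have_size bytes)" >&2
    return 1
}

# make_fixture DIR
# Constructed sample: a Release written for one version of an index, and a
# second, different index standing in for what the server hands out.
make_fixture() {
    dir=$1
    printf 'Package: demo\nVersion: 1.0-1\n' > "$dir/Packages.published"
    printf 'Package: demo\nVersion: 1.0-2\n' > "$dir/Packages.served"
    sum=$(md5sum < "$dir/Packages.published" | cut -d' ' -f1)
    size=$(wc -c < "$dir/Packages.published" | tr -d ' ')
    {
        echo 'Suite: testing'
        echo 'MD5Sum:'
        printf ' %s %16s %s\n' "$sum" "$size" main/binary-i386/Packages
        echo 'SHA1:'
        # dummy entry: shows that a lookup stays inside the requested section
        printf ' %s %16s %s\n' 0000000000000000000000000000000000000000 \
            "$size" main/binary-i386/Packages
    } > "$dir/Release"
}

# Run with --demo to see both outcomes on the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    for f in Packages.published Packages.served; do
        if verify_index "$tmp/Release" MD5Sum main/binary-i386/Packages "$tmp/$f"; then
            echo "$f: matches Release"
        else
            echo "$f: rejected"
        fi
    done
    rm -rf "$tmp"
fi
```

Both constructed index files have the same length, so the served copy is rejected on the digest alone.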





Re: where'd security.debian.org go?

2007-06-13 Thread Jim Popovitch
On Thu, 2007-06-14 at 00:32 -0400, Jim Popovitch wrote:
> What's up with security.debian.org?   Apt is missing it. ;-)

Of course, as soon as I send the email

disregard previous email, apologies.

-Jim P.





where'd security.debian.org go?

2007-06-13 Thread Jim Popovitch
What's up with security.debian.org?   Apt is missing it. ;-)

-Jim P.





security.debian.org - local repository

2006-07-19 Thread Johann Spies
I have previously kept a copy of security.debian.org on our local
ftp-server and updated it twice a day.  

The rsync-script does not work any longer (and I have not checked since
when).  Is there a login required now or is there no longer a
rsync-service available from there?

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 "Blessed is the man that trusteth in the LORD, and
  whose hope the LORD is."Jeremiah 17:7





Re: first A record of security.debian.org extremely slow

2006-03-17 Thread Michelle Konzack
On 2006-03-02 23:09:28, Florian Weimer wrote:

> I typically use an Exim .forward file which invokes a special script
> using "pipe".  The script creates a file, and a cron job which runs
> periodically checks for the existence of that file and performs the
> desired action when it exists.  This means that DSA sent in quick
> succession only trigger the action once.

With no security problems enabling mail services on all machines in
the network?  I have installed fetchmail, procmail and my script on my
local mirror, which updates my local mirror from which I am installing.

At the same time it saves bandwidth.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: first A record of security.debian.org extremely slow

2006-03-17 Thread Michelle Konzack
On 2006-03-02 20:06:48, Florian Weimer wrote:

> You can use the DSA posting as a trigger.

This is what I already do...

My local mirror checks the mailbox every 5 minutes and if a security
update comes in it downloads it immediately...

Currently I am writing a new script which will do this with

<[EMAIL PROTECTED]>

which lets me download and update my mirror faster without bothering
the Debian server.  The Packages.gz are generated locally.  Once a
week I run a check, which downloads the original Packages.gz and
Sources.gz to check whether I have all packages or not...
Sometimes E-Mails are lost between Debian and my Mailbox

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: first A record of security.debian.org extremely slow

2006-03-08 Thread Florian Weimer
* Michelle Konzack:

> 1)  Download Packages.gz/Sources.gz and check for changes

I think you should look at the Release file first, at least if you
don't use If-Modified-Since or similar conditional requests.





Re: first A record of security.debian.org extremely slow

2006-03-08 Thread martin f krafft
thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.28.1824 +0100]:
> I can not use rsync because I have a different directory structure AND
> I do not want to kill one of the security mirrors of debian, how often
> should I poll the Packages.gz/Sources.gz for changes daily?

Once.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
military justice is to justice what military music is to music.
   -- groucho marx




Re: first A record of security.debian.org extremely slow

2006-03-07 Thread Michelle Konzack
On 2006-02-27 15:31:20, martin f krafft wrote:
> thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.25.2036 +0100]:
> > debian-security is already mirrored by some servers including
> > 
> > <ftp://ftp.de.debian.org/debian-security/>
> 
> You are not really supposed to use those as they are pulled once
> daily only, and security is a time-critical domain where sometimes
> it's very important to have updates without any delays.

Right and some Servers hosting /debian-security/ are some days behind.

I can not use rsync because I have a different directory structure AND
I do not want to kill one of the security mirrors of debian, how often
should I poll the Packages.gz/Sources.gz for changes daily?

Please note, that my own update script does:

1)  Download Packages.gz/Sources.gz and check for changes
2)  Create list of files to download
3)  Download the stuff
4)  Delete old packages locally
5)  create new Packages.gz/Sources.gz

I have found this works faster and is more effective than using rsync.

Currently I poll <ftp://security.debian.org/> only once a day.

Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: first A record of security.debian.org extremely slow

2006-03-06 Thread Moritz Muehlenhoff
Florian Weimer wrote:
>> Usually, cron-apt has already noticed that there is an update
>> available before the DSA posting comes in.
>
> This is by design; the DSA is delayed until the archive has been
> updated properly (which means that it has arrived at all mirrors).

That's because the included md5sums are generated from the files in the
archive.

Cheers,
Moritz





Re: first A record of security.debian.org extremely slow

2006-03-06 Thread Tomasz Papszun
On Mon, 06 Mar 2006 at 10:49:45 +, paddy wrote:
> On Fri, Mar 03, 2006 at 04:55:23PM +0100, Javier Fernández-Sanguino Peña wrote:
> > 
> > I don't believe it does. Cron-apt is a pull mechanism (download the
> > latest packages, check if there are upgrades and notify the admin). 
> > A mail filter which parses the DSAs and tells people to update is a push
> > mechanism. 
> > 
> > Notice that in the latter (push) you could have somebody review if the
> > update is critical enough, or only tell systems to upgrade once the patch
> > has been tested internally. That seems easier to me than, in the pull system,
> > set up an intermediate mirror of security.debian.org with *approved* updates,
> > have the systems update automatically and have a sysadmin move the updates
> > from the official mirror over to that internal mirror based on whether the
> > update is critical or not.
> > 
> > Also, in my mind's view, a push mechanism is bound to be more effective than
> > probing the security mirror daily and could also be capable of narrowing the
> > time between patch release and installation (if automated) since you don't
> > have to wait for a given point in time to make the check.
> 
> Perhaps freshclam's dns based mechanism may also be of interest as a point 
> of comparison ? (I'm sorry I'm not able to describe it in detail off the top
> of my head, but the parallel seems obvious)
> 

In case it's of any help, there's some documentation on how ClamAV
mirrors are set - at  http://www.clamav.net/doc/mirrors/ .

HTH
-- 
 Tomasz PapszunSysAdm @ TP S.A. Lodz, Poland| And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner





Re: first A record of security.debian.org extremely slow

2006-03-06 Thread paddy
On Fri, Mar 03, 2006 at 04:55:23PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Fri, Mar 03, 2006 at 11:13:52AM +0100, Marc Haber wrote:
> > On Fri, Mar 03, 2006 at 11:11:30AM +0100, Rolf Kutz wrote:
> > > You can trigger the update via ssh or wget.
> > 
> > The entire scheme strikes me as reinventing a mechanism which has been
> > existing for years now, being called cron-apt.
> 
> I don't believe it does. Cron-apt is a pull mechanism (download the
> latest packages, check if there are upgrades and notify the admin). 
> A mail filter which parses the DSAs and tells people to update is a push
> mechanism. 
> 
> Notice that in the latter (push) you could have somebody review if the
> update is critical enough, or only tell systems to upgrade once the patch
> has been tested internally. That seems easier to me than, in the pull system,
> set up an intermediate mirror of security.debian.org with *approved* updates,
> have the systems update automatically and have a sysadmin move the updates
> from the official mirror over to that internal mirror based on whether the
> update is critical or not.
> 
> Also, in my mind's view, a push mechanism is bound to be more effective than
> probing the security mirror daily and could also be capable of narrowing the
> time between patch release and installation (if automated) since you don't
> have to wait for a given point in time to make the check.

Perhaps freshclam's dns based mechanism may also be of interest as a point 
of comparison ? (I'm sorry I'm not able to describe it in detail off the top
of my head, but the parallel seems obvious)

Regards,
Paddy
-- 
Perl 6 will give you the big knob. -- Larry Wall





Re: first A record of security.debian.org extremely slow

2006-03-03 Thread Javier Fernández-Sanguino Peña
On Fri, Mar 03, 2006 at 11:13:52AM +0100, Marc Haber wrote:
> On Fri, Mar 03, 2006 at 11:11:30AM +0100, Rolf Kutz wrote:
> > You can trigger the update via ssh or wget.
> 
> The entire scheme strikes me as reinventing a mechanism which has been
> existing for years now, being called cron-apt.

I don't believe it does. Cron-apt is a pull mechanism (download the
latest packages, check if there are upgrades and notify the admin). 
A mail filter which parses the DSAs and tells people to update is a push
mechanism. 

Notice that in the latter (push) you could have somebody review if the
update is critical enough, or only tell systems to upgrade once the patch
has been tested internally. That seems easier to me than, in the pull system,
set up an intermediate mirror of security.debian.org with *approved* updates,
have the systems update automatically and have a sysadmin move the updates
from the official mirror over to that internal mirror based on whether the
update is critical or not.

Also, in my mind's view, a push mechanism is bound to be more effective than
probing the security mirror daily and could also be capable of narrowing the
time between patch release and installation (if automated) since you don't
have to wait for a given point in time to make the check.

Florian, in any case, I see no mention of where those scripts are
available. Are they?

Regards

Javier




Re: first A record of security.debian.org extremely slow

2006-03-03 Thread Marc Haber
On Fri, Mar 03, 2006 at 11:11:30AM +0100, Rolf Kutz wrote:
> You can trigger the update via ssh or wget.

The entire scheme strikes me as reinventing a mechanism which has been
existing for years now, being called cron-apt.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: first A record of security.debian.org extremely slow

2006-03-03 Thread Rolf Kutz
* Quoting Marc Haber ([EMAIL PROTECTED]):

> On Thu, Mar 02, 2006 at 11:09:28PM +0100, Florian Weimer wrote:
> > 
> > I typically use an Exim .forward file which invokes a special script
> > using "pipe".  The script creates a file, and a cron job which runs
> > periodically checks for the existence of that file and performs the
> > desired action when it exists.  This means that DSA sent in quick
> > succession only trigger the action once.
> 
> So you have debian-security subscribed on all systems, and all systems
> need to run a publicly reachable mail system?

You can trigger the update via ssh or wget.

- Rolf





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Marc Haber
On Thu, Mar 02, 2006 at 11:09:28PM +0100, Florian Weimer wrote:
> * Marc Haber:
> > How would you implement the automatism to trigger the update on the
> > incoming e-mail?
> 
> I typically use an Exim .forward file which invokes a special script
> using "pipe".  The script creates a file, and a cron job which runs
> periodically checks for the existence of that file and performs the
> desired action when it exists.  This means that DSA sent in quick
> succession only trigger the action once.

So you have debian-security subscribed on all systems, and all systems
need to run a publicly reachable mail system?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Steve Kemp
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:

> How would you implement the automatism to trigger the update on the
> incoming e-mail?

  procmail, matching on new mails to the debian-security-announce
 mailing list ..

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Horst Pflugstaedt
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:
> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> > * Geoff Crompton:
> > > I'm also wondering if security.debian.org has enough resources for every
> > > single debian box on the planet checking it every X minutes.
> > 
> > You can use the DSA posting as a trigger.
> 
> Usually, cron-apt has already noticed that there is an update
> available before the DSA posting comes in.
> 
> How would you implement the automatism to trigger the update on the
> incoming e-mail?

How about a procmail rule?
There ought to be several ways for an implementation, each one will have
to rely on your mailserver or procmail positively identifying a
security-announcement.

then you can
- make the procmail rule call aptitude update && aptitude upgrade
  directly
- save the mail to a special place and make some other program trigger
  the update (via a db or perhaps FAM or a cron-job)

Greetings
Horst

-- 
The income tax has made more liars out of the American people than golf
has.  Even when you make a tax form out on the level, you don't know
when it's through if you are a crook or a martyr.
-- Will Rogers





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Florian Weimer
* Marc Haber:

> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
>> * Geoff Crompton:
>> > I'm also wondering if security.debian.org has enough resources for every
>> > single debian box on the planet checking it every X minutes.
>> 
>> You can use the DSA posting as a trigger.
>
> Usually, cron-apt has already noticed that there is an update
> available before the DSA posting comes in.

This is by design; the DSA is delayed until the archive has been
updated properly (which means that it has arrived at all mirrors).

> How would you implement the automatism to trigger the update on the
> incoming e-mail?

I typically use an Exim .forward file which invokes a special script
using "pipe".  The script creates a file, and a cron job which runs
periodically checks for the existence of that file and performs the
desired action when it exists.  This means that DSA sent in quick
succession only trigger the action once.
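The flag-file scheme described in the message above, sketched as an added example that is not Florian Weimer's script or part of the original message. The flag path, the function names and the sample messages are hypothetical, and the List-Id value is an assumption about how the announcement list marks its mail.

```shell
#!/bin/sh
# Added example: a mail-triggered flag file consumed by a periodic job.
# Mail headers are not authenticated, so the mail only ever sets a flag;
# the action that runs later is fixed locally and takes nothing from the mail.
FLAG=${FLAG:-/var/spool/dsa-trigger/pending}   # hypothetical path

# dsa_mark_pending: called with one message on stdin (the "pipe" side).
# Looks only at the List-Id header, reads the whole message so the
# delivering process never sees a closed pipe, and creates the flag.
dsa_mark_pending() {
    awk '
        body     { next }                       # drain the body unread
        /^$/     { body = 1; next }             # blank line ends the headers
        /^[ \t]/ { if (in_listid) value = value $0; next }   # folded header line
                 { in_listid = (tolower($0) ~ /^list-id:/)
                   if (in_listid) value = $0 }
        END { exit ((tolower(value) ~ /<debian-security-announce\.lists\.debian\.org>/) ? 0 : 1) }
    ' || return 1
    : > "$FLAG"          # idempotent: ten announcements still leave one flag
}

# dsa_run_if_pending COMMAND [ARGS...]: called periodically (the cron side).
# Claims the flag by renaming it, so an announcement arriving while COMMAND
# runs sets a fresh flag and is picked up on the next run.
# Returns 1 when nothing was pending, otherwise COMMAND's exit status.
dsa_run_if_pending() {
    claimed="$FLAG.running.$$"
    mv "$FLAG" "$claimed" 2>/dev/null || return 1
    status=0
    "$@" || status=$?
    rm -f "$claimed"
    # a failed action re-arms the flag so the next run retries it
    [ "$status" -eq 0 ] || : > "$FLAG"
    return "$status"
}

# sample_mail LISTNAME: constructed message for trying the functions out.
# The body carries a List-Id-looking line on purpose; it must be ignored.
sample_mail() {
    printf 'From: constructed@example.org\n'
    printf 'List-Id: <%s.lists.debian.org>\n' "$1"
    printf 'Subject: [SECURITY] [DSA 0000-1] constructed example\n'
    printf '\n'
    printf 'List-Id: <debian-security-announce.lists.debian.org>\n'
}
```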





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Marc Haber
On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> * Geoff Crompton:
> > I'm also wondering if security.debian.org has enough resources for every
> > single debian box on the planet checking it every X minutes.
> 
> You can use the DSA posting as a trigger.

Usually, cron-apt has already noticed that there is an update
available before the DSA posting comes in.

How would you implement the automatism to trigger the update on the
incoming e-mail?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread martin f krafft
thus spoke Michael Stone <[EMAIL PROTECTED]> [2006.03.02.2032 +0100]:
> The explanation is far simpler--debian *does* have mirrors of 
> security.debian.org. At the moment I see three hosts in the rotation. 

Yeah, push, not pull mirrors.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"if one cannot enjoy reading a book over and over again,
 there is no use in reading it at all."
-- oscar wilde




Re: first A record of security.debian.org extremely slow

2006-03-02 Thread martin f krafft
thus spoke Florian Weimer <[EMAIL PROTECTED]> [2006.03.02.2006 +0100]:
> By default, package authenticity is not validated in sarge and
> earlier releases.  From a security POV, it's better to download
> those updates from a limited set of well-maintained servers. It
> reduces the attack surface somewhat.

Sure it does. But it cannot be the reason why there are no
officially-endorsed mirrors -- I'd just upload my trojans to sarge's
archive with a higher version number then.

http://www.debian.org/security/faq#mirror

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"doesn't he know who i think i am?"
 -- phil collins




Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Michael Stone

On Thu, Mar 02, 2006 at 08:06:07PM +0100, Florian Weimer wrote:
> * martin f. krafft:
>> Why then do you think security.d.o is not mirrored by Debian?
>
> Our mirror network is not actually well-known for its integrity (think

The explanation is far simpler--debian *does* have mirrors of 
security.debian.org. At the moment I see three hosts in the rotation. 
Why not add more? Well, what problem does that solve? 


--
Michael Stone





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Florian Weimer
* Geoff Crompton:

> I'm also wondering if security.debian.org has enough resources for every
> single debian box on the planet checking it every X minutes.

You can use the DSA posting as a trigger.





Re: first A record of security.debian.org extremely slow

2006-03-02 Thread Florian Weimer
* martin f. krafft:

>> One day more or less doesn't really matter.  So far, Debian security
>> updates predated widespread (semi-)automated exploits by weeks.
>
> Why then do you think security.d.o is not mirrored by Debian?

Our mirror network is not actually well-known for its integrity (think
paris.avi).  By default, package authenticity is not validated in
sarge and earlier releases.  From a security POV, it's better to
download those updates from a limited set of well-maintained servers.
It reduces the attack surface somewhat.





Re: first A record of security.debian.org extremely slow

2006-03-01 Thread martin f krafft
thus spoke Florian Weimer <[EMAIL PROTECTED]> [2006.03.01.2255 +0100]:
> > You are not really supposed to use those as they are pulled once
> > daily only, and security is a time-critical domain where sometimes
> > it's very important to have updates without any delays.
> 
> One day more or less doesn't really matter.  So far, Debian security
> updates predated widespread (semi-)automated exploits by weeks.

Why then do you think security.d.o is not mirrored by Debian?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
security at micro$oft: how do we secure a billion dollar profit?




Re: first A record of security.debian.org extremely slow

2006-03-01 Thread Geoff Crompton
Florian Weimer wrote:
> * martin f. krafft:
> 
> 
>>You are not really supposed to use those as they are pulled once
>>daily only, and security is a time-critical domain where sometimes
>>it's very important to have updates without any delays.
> 
> 
> One day more or less doesn't really matter.  So far, Debian security
> updates predated widespread (semi-)automated exploits by weeks.
> 
> 

I'm also wondering if security.debian.org has enough resources for every
single debian box on the planet checking it every X minutes.

-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000





Re: first A record of security.debian.org extremely slow

2006-03-01 Thread Florian Weimer
* martin f. krafft:

> You are not really supposed to use those as they are pulled once
> daily only, and security is a time-critical domain where sometimes
> it's very important to have updates without any delays.

One day more or less doesn't really matter.  So far, Debian security
updates predated widespread (semi-)automated exploits by weeks.





Re: first A record of security.debian.org extremely slow

2006-02-27 Thread martin f krafft
thus spoke Michelle Konzack <[EMAIL PROTECTED]> [2006.02.25.2036 +0100]:
> debian-security is already mirrored by some servers including
> 
> <ftp://ftp.de.debian.org/debian-security/>

You are not really supposed to use those as they are pulled once
daily only, and security is a time-critical domain where sometimes
it's very important to have updates without any delays.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
no micro$oft components were used
in the creation or posting of this email.
therefore, it is 100% virus free
and does not use html by default (yuck!).




Re: first A record of security.debian.org extremely slow

2006-02-27 Thread Michelle Konzack
On 2006-02-20 14:28:12, Michal Sabala wrote:

> I'm considering starting to mirror security. I don't see a reason why
> security repository shouldn't be mirrored, while in reality tampering with
> packages on _any_ repository has the same outcome.

debian-security is already mirrored by some servers including

<ftp://ftp.de.debian.org/debian-security/>

so you are not alone.  Oh yes, I am mirroring d-s too plus the
rest around 600 GByte currently including DVD and CD's.

It will be time for WD to pull out 300 GByte Raptor SATA's.
I have only 6 x 150 GByte (Raid5) and 2 x 36 GByte (Raid1)

Greetings
Michelle Konzack
Systemadministrator


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSM LinuxMichi
0033/3/8845235667100 Strasbourg/France   IRC #Debian (irc.icq.com)





Re: security.debian.org extremely slow

2006-02-21 Thread Kurt Roeckx
On Mon, Feb 20, 2006 at 06:25:47PM -0800, Michael Sabala wrote:
> > > host -t a security.debian.org
> > > security.debian.org has address 82.94.249.158   <- slow
> 
> I checked traceroute to 82.94.249.158 from two different ISPs.
> 
> When the route goes through:
>   ameritech->sbcglobal->he.net->xs4all.net then it is fine. (15 hops)
> 
> If it goes through:
>   lincon.net->sprintlink->xs4all then I get low throughput. (18 hops)
> 
> Can somebody who previously reported problems apt-get'ing from 82.94.249.158
> mention their route?

 6  tartini.debian.org (82.94.249.158)  4.631 ms  4.563 ms  4.513 ms
rtt min/avg/max/mdev = 4.374/4.600/4.780/0.102 ms

And I get something like 1 KB/s.

On the other hand:
 5  ftp2.xs4all.nl (194.109.21.26)  5.506 ms  6.631 ms  6.618 ms
rtt min/avg/max/mdev = 4.362/4.617/5.242/0.218 ms

Gives me > 5 MB/s

I really think it's tartini that has the problem, and not xs4all.


Kurt





Re: first A record of security.debian.org extremely slow

2006-02-21 Thread Robert Lemmen
On Tue, Feb 21, 2006 at 09:23:07AM +, Brett Parker wrote:
> *blink* - erm, just out of interest, how does this help? This is just
> going to stop packets from going to that IP, it's not going to stop
> things resolving to that IP, so instead of getting a slow connection
> you're just going to get a connection refused... seems like an odd way
> of doing things - maybe it would be better to use a local caching
> nameserver that you can configure to filter out that IP when there is
> more than one A record available instead? (I can't think of a simple way
> of doing that off the top of my head, though)

it is an odd way, but it is simple and it works because apt will use the
other records if the blocked one fails (i do the same). messing with
your /etc/hosts isn't much better...

cu  robert

-- 
Robert Lemmen   http://www.semistable.com 




Re: first A record of security.debian.org extremely slow

2006-02-21 Thread martin f krafft
thus spoke Brett Parker <[EMAIL PROTECTED]> [2006.02.21.1023 +0100]:
> *blink* - erm, just out of interest, how does this help? This is just
> going to stop packets from going to that IP, it's not going to stop
> things resolving to that IP, so instead of getting a slow connection
> you're just going to get a connection refused...

... at which point APT will try the next record IIRC. I hope I am
not misremembering this...

> seems like an odd way of doing things - maybe it would be better
> to use a local caching nameserver that you can configure to filter
> out that IP when there is more than one A record available
> instead? (I can't think of a simple way of doing that off the top
> of my head, though)

It also bears the risk of hardcoding and forgetting, or missing an
update.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"if confronted with a choice between all the truth in god's right hand
 and the ever live struggle for truth, coupled with eternal error, in
 god's left, i would choose the left."
   -- gotthold lessing




Re: first A record of security.debian.org extremely slow

2006-02-21 Thread Brett Parker
On Tue, Feb 21, 2006 at 09:18:16AM +0100, martin f krafft wrote:
> thus spoke Michal Sabala <[EMAIL PROTECTED]> [2006.02.20.2328 +0100]:
> > host -t a security.debian.org
> > security.debian.org has address 82.94.249.158   <- slow
> 
> Please see 
>   http://lists.debian.org/debian-security/2006/02/msg00041.html
> 
> > Editing /etc/hosts to contain:
> > 128.101.80.133 security.debian.org
> > 
> > solves the problem. Our network is working properly BTW.
> 
> Please do not do this. A better fix is to REJECT 82.94.249.158/32
> with iptables:
> 
>   iptables -I OUTPUT -d 82.94.249.158/32 -j REJECT
> 
> (amend as needed). This leaves a round-robin of two servers rather
> than everyone banging on 128.101.80.133 (or the other one).

*blink* - erm, just out of interest, how does this help? This is just
going to stop packets from going to that IP, it's not going to stop
things resolving to that IP, so instead of getting a slow connection
you're just going to get a connection refused... seems like an odd way
of doing things - maybe it would be better to use a local caching
nameserver that you can configure to filter out that IP when there is
more than one A record available instead? (I can't think of a simple way
of doing that off the top of my head, though)

Cheers,
Brett.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: security.debian.org extremely slow

2006-02-21 Thread A-Kaser

82.94.249.158

5 hops, avg 5ms
I'm in Belgium and their server is in the Netherlands.
The debian security is too small to know if the file transfer is
slow or not.

128.101.80.133

13 hops, avg 109ms

194.109.137.218

7 hops, avg 5ms

regards,
Francois

On 21 Feb 2006, at 03:25, Michael Sabala wrote:

> > host -t a security.debian.org
> > security.debian.org has address 82.94.249.158   <- slow
>
> I checked traceroute to 82.94.249.158 from two different ISPs.
>
> When the route goes through:
>   ameritech->sbcglobal->he.net->xs4all.net then it is fine. (15 hops)
>
> If it goes through:
>   lincon.net->sprintlink->xs4all then I get low throughput. (18 hops)
>
> Can somebody who previously reported problems apt-get'ing from
> 82.94.249.158 mention their route?
>
> It looks like I'm having network problems somewhere along the way.
> Sorry for the noise :)
>
> Thanks, Mike.





Re: first A record of security.debian.org extremely slow

2006-02-21 Thread martin f krafft
thus spoke Michal Sabala <[EMAIL PROTECTED]> [2006.02.20.2328 +0100]:
> host -t a security.debian.org
> security.debian.org has address 82.94.249.158   <- slow

Please see 
  http://lists.debian.org/debian-security/2006/02/msg00041.html

> Editing /etc/hosts to contain:
> 128.101.80.133 security.debian.org
> 
> solves the problem. Our network is working properly BTW.

Please do not do this. A better fix is to REJECT 82.94.249.158/32
with iptables:

  iptables -I OUTPUT -d 82.94.249.158/32 -j REJECT

(amend as needed). This leaves a round-robin of two servers rather
than everyone banging on 128.101.80.133 (or the other one).

> Can somebody please take a look at 82.94.249.158 host/net please, please,
> please?

FWIW, this is not the list for such requests.
[EMAIL PROTECTED] are responsible for that.

> I'm considering starting to mirror security. I don't see a reason
> why security repository shouldn't be mirrored, while in reality
> tampering with packages on _any_ repository has the same outcome.

This has been discussed at length. Basically it's less to do with
tampering than with timeliness.

> Mike (not on the mailing list, please Cc).

Please set your Mail-Followup-Header correctly.

Cheers,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft <[EMAIL PROTECTED]>
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
"faith means not wanting to know what is true."
 - friedrich nietzsche




Re: security.debian.org extremely slow

2006-02-21 Thread Robert Lemmen
On Mon, Feb 20, 2006 at 06:25:47PM -0800, Michael Sabala wrote:
> It looks like I'm having network problems somewhere along the way. Sorry for
> the noise :)

no, you are not having problems along the way, or you are not the only
one. me and madduck both experience the same problem from machines with
otherwise good network connection (colocated). and at least one other
person that i can't remember had the same problems too. it does indeed
look as if tartini is a bit flaky...

cu  robert

-- 
Robert Lemmen   http://www.semistable.com 




Re: security.debian.org extremely slow

2006-02-20 Thread Michael Sabala
> > host -t a security.debian.org
> > security.debian.org has address 82.94.249.158   <- slow

I checked traceroute to 82.94.249.158 from two different ISPs.

When the route goes through:
  ameritech->sbcglobal->he.net->xs4all.net then it is fine. (15 hops)

If it goes through:
  lincon.net->sprintlink->xs4all then I get low throughput. (18 hops)

Can somebody who previously reported problems apt-get'ing from 82.94.249.158
mention their route?

It looks like I'm having network problems somewhere along the way. Sorry for
the noise :)

Thanks, Mike.





Re: first A record of security.debian.org extremely slow

2006-02-20 Thread Michal Sabala
--- Rolf Kutz <[EMAIL PROTECTED]> wrote:

> * Quoting Michal Sabala ([EMAIL PROTECTED]):
> 
> > For the past month or so security updates have been very slow for us
> > (~5KB/sec). It appears that the first A record for the
> > security.debian.org is the problem.
> > 
> > host -t a security.debian.org
> > security.debian.org has address 82.94.249.158   <- slow
> > security.debian.org has address 128.101.80.133
> > security.debian.org has address 194.109.137.218
> 
> The order of the dns answers is random, IIRC:
> 
> ~$ dig +short security.debian.org A
> 128.101.80.133
> 194.109.137.218
> 82.94.249.158

Yes, I meant "the first of the records returned in the instance of host
below"

When doing updates, apt-get will connect to different A records of
security.debian.org, but the connection to 82.94.249.158 will always be the
slowest (at 5KB/sec) resulting in very long update times.

I saw that others also reported problems with tartini.debian.org
(82.94.249.158). Was anyone able to find out the cause? Where should one 
file a bug?

Thank You,

Mike
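
A per-address version of the comparison Mike describes above, as an added example that is not part of the original thread: it fetches the same file from each A record separately and flags addresses whose rate is far below the median. The function names, the 0.25 factor and the plain-HTTP probe on port 80 are assumptions of this example.

```python
import socket
import statistics
import sys
import time


def resolve_a(host):
    """Return every IPv4 address the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_rate(addr, host, path, max_bytes=256 * 1024, timeout=15.0):
    """Download up to max_bytes of http://host/path from one specific
    address; return bytes per second, or None if the probe fails."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    got, start = 0, time.monotonic()
    try:
        with socket.create_connection((addr, 80), timeout=timeout) as sock:
            sock.sendall(request)
            while got < max_bytes:
                chunk = sock.recv(65536)
                if not chunk:
                    break
                got += len(chunk)
    except OSError:  # refused, unreachable, or stalled past the timeout
        return None
    return got / max(time.monotonic() - start, 1e-6)


def classify(rates, factor=0.25):
    """Split {address: rate} into (ok, slow, failed). An address is slow
    when its rate is below factor times the median of the working ones."""
    working = {a: r for a, r in rates.items() if r is not None}
    failed = sorted(a for a, r in rates.items() if r is None)
    if not working:
        return [], [], failed
    cutoff = factor * statistics.median(working.values())
    slow = sorted(a for a, r in working.items() if r < cutoff)
    ok = sorted(a for a in working if a not in slow)
    return ok, slow, failed


if __name__ == "__main__":
    host, path = sys.argv[1], sys.argv[2]  # caller supplies host and a file path on it
    rates = {addr: fetch_rate(addr, host, path) for addr in resolve_a(host)}
    print(rates)
    print("ok, slow, unreachable:", classify(rates))
```

Because every probe connects to a literal address and only sets the Host header, the result does not depend on which record the resolver happens to return first.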




