Re: apt-cacher in main
Reinhard Tartler wrote:
> http://packages.debian.org/sid/apt-cacher-ng
>
> But I have not tried it yet.

It will be interesting to follow its progress. apt-cacher-ng (presumably "next generation") "is more than simple rewrite of Apt-Cacher. It was redesigned from scratch and is written in C++ with main focus on maximizing throughput with low requirements on system resources."

It is going to be in hardy, in universe. Changelog is here:
http://changelogs.ubuntu.com/changelogs/pool/universe/a/apt-cacher-ng/apt-cacher-ng_0.1.1-1/changelog

I will be going forward with proposing apt-cacher for main in Hardy as it's an LTS release. I'll be writing up the MIR this week.

Cheers,

Fabian

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: apt-cacher in main
Oliver Grawert <[EMAIL PROTECTED]> writes:
> searching for package proxy solutions in apt-cache reveals:
>
> approx - caching proxy server for Debian archive files
> apt-cacher - caching proxy system for Debian package and source files
> apt-proxy - Debian archive proxy and partial mirror builder
>
> does anyone know more tools like the above ones that fulfill the same
> need so we can take a look at them as well ?

http://packages.debian.org/sid/apt-cacher-ng

But I have not tried it yet.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Re: apt-cacher in main + apt-zeroconf
Fabian Rodriguez wrote:
> Sam Tygier wrote:
>> it looks like they have got the security side covered.
>>
>> "Now, one might think this could potentially pose a security threat
>> as everyone can offer and distribute debs without any
>> authentication whatsoever. This is not the case as we are not yet
>> caching the package lists or pdiffs, which are PGP-signed and
>> contain MD5, SHA1 and SHA256 checksums of the packages. But due to
>> the trusted PGP signatures, caching package lists shouldn't be an
>> issue."
>>
>> Is there any reason this would not be sufficient?
> I see many ways to trick someone into installing newer versions of
> existing common packages that include malicious files, using
> apt-zeroconf. You'd be surprised how many people will click through
> any amount of security warnings if approached with authority by a
> neighbor. An Internet cafe comes to mind, but many other public places
> would also serve this purpose. You'd guess I love being paranoid about
> this.

As I understand all the computers still get the package list from the ubuntu repo. it is only the packages that they get from local peers. there is no way the local peers can tamper with the package list. the package list contains the MD5 sum of packages. so if a local peer claims to have a package, and gives you something that has been tampered, then apt will reject it.

sam

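
The check described in the message above, as an added illustration (not code from this thread, from apt or from apt-zeroconf): a .deb fetched from an untrusted LAN peer is accepted only if its size and SHA256 match the entry in a package index that is assumed to have already been fetched from the archive and signature-checked. The function names, the sample package and the index text are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for a genuine .deb and a same-size
# tampered copy offered by a local peer.
GENUINE_DEB = b"!<arch>\nconstructed payload A"
TAMPERED_DEB = GENUINE_DEB[:-1] + b"B"

# Constructed Packages-style index. Assumption: this text came from the
# archive and its PGP signature chain was verified before we got here.
SIGNED_INDEX_TEXT = (
    "Package: hello\n"
    "Version: 2.2-2\n"
    "Filename: pool/main/h/hello/hello_2.2-2_i386.deb\n"
    f"Size: {len(GENUINE_DEB)}\n"
    f"SHA256: {hashlib.sha256(GENUINE_DEB).hexdigest()}\n"
    "Description: constructed sample entry\n"
    " continuation line of the description\n"
)


def parse_packages_index(text):
    """Parse 'Field: value' stanzas into {(package, version): fields}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                # Continuation of the previous field (multi-line value).
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields and "Version" in fields:
            index[(fields["Package"], fields["Version"])] = fields
    return index


def verify_peer_deb(index, name, version, data):
    """Return (accepted, reason) for bytes a peer claims are name=version."""
    entry = index.get((name, version))
    if entry is None:
        # A peer advertising a version the signed index does not list
        # has nothing to be checked against, so it is refused outright.
        return False, "not in signed index"
    if "Size" not in entry or "SHA256" not in entry:
        return False, "index entry lacks Size/SHA256"
    if len(data) != int(entry["Size"]):
        return False, "size mismatch"
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["SHA256"].lower()):
        return False, "SHA256 mismatch"
    return True, "ok"


INDEX = parse_packages_index(SIGNED_INDEX_TEXT)

if __name__ == "__main__":
    print(verify_peer_deb(INDEX, "hello", "2.2-2", GENUINE_DEB))
    print(verify_peer_deb(INDEX, "hello", "2.2-2", TAMPERED_DEB))
    print(verify_peer_deb(INDEX, "hello", "2.3-1", TAMPERED_DEB))
```

The third call models a peer offering a "newer version": because that version is absent from the signed index, the file is refused before any hashing takes place.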
Re: apt-cacher in main + apt-zeroconf
There is another problem with apt-zeroconf... it relies on Avahi. Avahi has lots of environments that it does not work in. In my office, the machines are not seeing each other. When we had a meeting at the Google (Sketchup) offices in Boulder, Avahi did not work correctly there either. I don't think it's a bug in the software, but instead it has to do with the way the routers are set up. Before turning on anything like that, you would need to ensure that it would be reliable.

That is why I proposed the "scan" technique. If the scan fails, either due to protocol issues or the fact that there is no server, it fails over to the old way.

@Fabian: I agree with you to a point. Auto-detection can be problematic. But I suggest auto-detection like compiz auto-detects. If it's not there, don't force it. Or even better yet... set up the always works version, but if I can reliably detect a better way, reconfigure to that better way by default.

Decreasing bandwidth without having to remember to configure every new client is one of those features that make good buzzwords with IT managers. Canonical has made statements indicating that they want to go after the corporate desktop... this is exactly the type of feature that plays well with that demographic.

--
Kevin Fries
Senior Linux Engineer
Computer and Communications Technology, Inc
A Division of Japan Communications Inc.

Re: apt-cacher in main
Hi Oliver,

On Fri, Nov 16, 2007 at 12:15:34PM +0100, Oliver Grawert wrote:
> searching for package proxy solutions in apt-cache reveals:
>
> apt-proxy - Debian archive proxy and partial mirror builder

I've used apt-proxy for some time, but switched to apt-cacher. apt-proxy would hang quite often without any obvious reason.

> would a general proxy solution that includes .deb caching as well a
> better way to address the task ?

squid can also be used as a proxy (for debs and general caching). It's already in main.

The only advantage that apt-cacher has over squid is that it knows the debs structure and when files should be deleted (superseded in the archive instead of time based). OTOH squid is a more general caching proxy which can also be used to cache http content.

Oliver, is there a reason why education don't use squid ? I guess they would be interested in caching all the content they can.

--
Mathias

Re: apt-cacher in main
hi,

On Thursday, 15.11.2007 at 22:59 +, Matt Zimmerman wrote:
> On Thu, Nov 15, 2007 at 01:05:01PM +0100, Oliver Grawert wrote:
> > in edubuntu we face the fact that governments and schools start rolling
> > out really huge deployments in the near future (see macedonia with a
> > total of 185000 systems for example), if you maintain 5000 seats in one
> > school or 1 in one municipality it comes in pretty handy to have an
> > apt-cacher in your network to not saturate your internet connection for
> > updates. so i'd like to second the main inclusion.
>
> We should be wary of both a) jumping from broad requirements ("large
> deployments would benefit from local redistribution of updates") to actions
> ("let's put apt-cacher in main") and b) focusing too much on niche use cases
> when there are issues facing a large number of users which need to be
> addressed.

i think the huge deployments are a fact and we will see more of them (especially in the edu sector). while i agree that we should review other options as well, it seems that apt-cacher is a tool already used by many of our users and apparently it even made its way through support requests onto this list :)

without knowing technical drawbacks/advantages of the other tools i'd say it's a good candidate from a "give users what they ask for" POV (i know many of the existing bigger edubuntu setups use it today to save bandwidth).

searching for package proxy solutions in apt-cache reveals:

approx - caching proxy server for Debian archive files
apt-cacher - caching proxy system for Debian package and source files
apt-proxy - Debian archive proxy and partial mirror builder

does anyone know more tools like the above ones that fulfill the same need so we can take a look at them as well ?

would a general proxy solution that includes .deb caching as well a better way to address the task ?

ciao
oli

Re: apt-cacher in main
On Thu, Nov 15, 2007 at 01:05:01PM +0100, Oliver Grawert wrote:
> in edubuntu we face the fact that governments and schools start rolling
> out really huge deployments in the near future (see macedonia with a
> total of 185000 systems for example), if you maintain 5000 seats in one
> school or 1 in one municipality it comes in pretty handy to have an
> apt-cacher in your network to not saturate your internet connection for
> updates. so i'd like to second the main inclusion.

We should be wary of both a) jumping from broad requirements ("large deployments would benefit from local redistribution of updates") to actions ("let's put apt-cacher in main") and b) focusing too much on niche use cases when there are issues facing a large number of users which need to be addressed.

If this is worth addressing, then it is worth thinking through and considering other possible solutions.

--
 - mdz

Re: apt-cacher in main + apt-zeroconf
On Thu, Nov 15, 2007 at 12:53:14PM -0500, Fabian Rodriguez wrote:
> If this was actually checked against a local web of trust (like
> OpenPGP or Gaim-OTR keys or else) it may become interesting. But who
> uses that "safely" ? :)

All packages downloaded by APT are authenticated using PGP keys provided in the default install. While it's possible to override this, it's also possible to install untrusted packages in all sorts of other ways, so people who ignore security warnings are already in bad shape regardless of whether they're using something like apt-cacher or not.

--
 - mdz

Re: apt-cacher in main
Kevin Fries wrote:
> I am not sure it needs to be moved. But, what would be totally cool
> is if the installer scanned the local network on install and
> configured apt-cacher in sources.list instead of the normal repos
> by default when it finds a server. That would be a terrific
> usability upgrade.

I believe this blueprint addresses that:
https://blueprints.edge.launchpad.net/ubuntu/+spec/apt-service-discovery

> But, since only one server needs it, is there an advantage to
> moving it from Universe? It's not like it's in Multiverse which is
> turned off by default. If I remember correctly, isn't Universe
> turned on by default on initial install?

Moving this to main would also open the door to possible inclusion in the LiveCD or Server install CD. Actually, DVD images will make better use of this. In low bandwidth environments the "server" may be another neighboring laptop or desktop.

Even if universe is on by default, this single package would mean much faster mass installs when you have a DVD image, for example.

Cheers,

Fabian

Re: apt-cacher in main + apt-zeroconf
Fabian Rodriguez wrote:
> apt-zeroconf is actually a replacement for apt-cacher, not a
> complement to it, according to its site. I think we already know the
> answer to "enabled by default" autodiscovery / other networking
> services. I would have some trust issues using apt-zeroconf, but
> that's just me :)
>
> F.

it looks like they have got the security side covered.

"Now, one might think this could potentially pose a security threat as everyone can offer and distribute debs without any authentication whatsoever. This is not the case as we are not yet caching the package lists or pdiffs, which are PGP-signed and contain MD5, SHA1 and SHA256 checksums of the packages. But due to the trusted PGP signatures, caching package lists shouldn't be an issue."

Is there any reason this would not be sufficient?

The only thing I can imagine is some sort of DOS attack by sending a large number of requests to one machine. Maybe checking for shared packages on the network could be enabled by default, but sharing disabled. The option to enable sharing could be in System -> Administration -> Software Sources

Sam

Re: apt-cacher in main + apt-zeroconf
Sam Tygier wrote:
> it looks like they have got the security side covered.
>
> "Now, one might think this could potentially pose a security threat
> as everyone can offer and distribute debs without any
> authentication whatsoever. This is not the case as we are not yet
> caching the package lists or pdiffs, which are PGP-signed and
> contain MD5, SHA1 and SHA256 checksums of the packages. But due to
> the trusted PGP signatures, caching package lists shouldn't be an
> issue."
>
> Is there any reason this would not be sufficient?

I see many ways to trick someone into installing newer versions of existing common packages that include malicious files, using apt-zeroconf. You'd be surprised how many people will click through any amount of security warnings if approached with authority by a neighbor. An Internet cafe comes to mind, but many other public places would also serve this purpose. You'd guess I love being paranoid about this.

> The only thing I can imagine is some sort of DOS attack by sending
> a large number of requests to one machine. Maybe checking for
> shared packages on the network could be enabled by default, but
> sharing disabled. The option to enable sharing could be in System
> -> Administration -> Software Sources

If this was actually checked against a local web of trust (like OpenPGP or Gaim-OTR keys or else) it may become interesting. But who uses that "safely" ? :)

Re: apt-cacher in main
Kevin Fries wrote:
> [...] Without apt-cacher you either need to allow that machine
> access to the Internet, or do without updates.

+1 for that, I haven't used apt-cacher in that context but it's an important use case. I'll make sure it makes it in the eventual MIR.

> But I still think it would be cool if the install process scanned
> the local net looking for any machine with port 3142 open, and
> reconfigured apt to use the cache by default.

I don't feel comfortable having "auto-scan" + "auto-reconfiguration" in that same sentence... Some sort of handshaking would need to happen. It makes me think of printers auto-discovery / config.

I need more coffee today.

Fabian

Re: apt-cacher in main + apt-zeroconf
Sam Tygier wrote:
> could apt-zeroconf[0] be installed and enabled by default.
>
> "distributed apt-cacher for local networks implemented in Python.
> It's called apt-zeroconf since we use avahi for automatically
> finding other apt-zeroconf instances on the LAN, similar to Apple's
> Rendezvous/Bonjour/Zeroconf technology."
>
> sam
>
> [0] http://trac.phidev.info/trac/wiki/AptZeroconf

apt-zeroconf is actually a replacement for apt-cacher, not a complement to it, according to its site. I think we already know the answer to "enabled by default" autodiscovery / other networking services. I would have some trust issues using apt-zeroconf, but that's just me :)

F.

Re: apt-cacher in main
On Wed, 2007-11-14 at 18:27 -0500, Scott Abbey wrote:
> I think the point of moving it is so that it receives official support from
> Canonical. That way those on paid support contracts can still expect
> assistance from Canonical when using the package. Canonical only provides
> paid support for packages in main and restricted. Universe and multiverse
> receive community support only.

Ahhh (he says with bells going off like a Las Vegas slot machine)

In that case, I would like to second that motion. Especially with Jeos coming out. Not all VM need to have a public facing. I often set up servers in a VM based environment where one or more machines are not given access to the outside network (only internal networking between the virtual machines). Without apt-cacher you either need to allow that machine access to the Internet, or do without updates.

Example: Several VMs use a central set of accounts. You store those accounts in LDAP. If the LDAP server only has networking between the VMs, you do not have to worry about setting up TLS. But the second that machine has external visibility, TLS is mandatory. Any time you can relax the security, things run faster and more reliably. So, by putting that LDAP server in an inaccessible place, allows you to run without all those layers of security (good design trumps good security every time).

Given this example, the machine with no external network support, can use whichever machine has apt-cacher as a proxy to get updates, without compromising its security.

Given the announcement of Ubuntu Jeos, moving apt-cacher to a place where it will get support.

But I still think it would be cool if the install process scanned the local net looking for any machine with port 3142 open, and reconfigured apt to use the cache by default.

--
Kevin Fries
Senior Linux Engineer
Computer and Communications Technology, Inc
A Division of Japan Communications Inc.

Re: apt-cacher in main + apt-zeroconf
Kevin Fries wrote:
> I am not sure it needs to be moved. But, what would be totally cool is
> if the installer scanned the local network on install and configured
> apt-cacher in sources.list instead of the normal repos by default when
> it finds a server. That would be a terrific usability upgrade.

could apt-zeroconf[0] be installed and enabled by default.

"distributed apt-cacher for local networks implemented in Python. It's called apt-zeroconf since we use avahi for automatically finding other apt-zeroconf instances on the LAN, similar to Apple's Rendezvous/Bonjour/Zeroconf technology."

sam

[0] http://trac.phidev.info/trac/wiki/AptZeroconf

Re: apt-cacher in main
Scott Abbey wrote:
> [...]
>
> I think the point of moving it is so that it receives official
> support from Canonical. That way those on paid support contracts
> can still expect assistance from Canonical when using the package.
> Canonical only provides paid support for packages in main and
> restricted. Universe and multiverse receive community support only.

Because this is in universe and I use it regularly and also have advised some customers about its use (with usual warnings), I think it would be important it gets regular security reviews. Canonical commercial support customers will benefit from that just as much as anyone else using the package for free.

If you ask any Canonical customer, you will find we sometimes provide support for much more than that (main) and sometimes we can't help much with restricted.

Cheers,

Fabian

Re: apt-cacher in main
hi,

On Wednesday, 14.11.2007 at 11:38 -0500, Fabian Rodriguez wrote:
> (not sure if this made it so re-sending)

it did :)

> Hi,
>
> I'd like to propose moving apt-cacher to main. I haven't done main
> inclusion reports before so bear with me while I dive into this :)

in edubuntu we face the fact that governments and schools start rolling out really huge deployments in the near future (see macedonia with a total of 185000 systems for example), if you maintain 5000 seats in one school or 1 in one municipality it comes in pretty handy to have an apt-cacher in your network to not saturate your internet connection for updates. so i'd like to second the main inclusion.

ciao
oli

Re: apt-cacher in main
Kevin Fries wrote:
> On Wed, 2007-11-14 at 11:38 -0500, Fabian Rodriguez wrote:
>> I also think this would be a good candidate to have on the LiveCD
>> installer and/or the Server CD installer images, as in many scenarios
>> CDs are used for a first install and then other PCs in the same LAN
>> could use that first install apt-cacher to save tremendously on
>> bandwidth - a common situation outside high-bandwidth areas.
>
> I am not sure it needs to be moved. But, what would be totally cool is
> if the installer scanned the local network on install and configured
> apt-cacher in sources.list instead of the normal repos by default when
> it finds a server. That would be a terrific usability upgrade.
>
> But, since only one server needs it, is there an advantage to moving it
> from Universe? It's not like it's in Multiverse which is turned off by
> default. If I remember correctly, isn't Universe turned on by default
> on initial install?

I think the point of moving it is so that it receives official support from Canonical. That way those on paid support contracts can still expect assistance from Canonical when using the package. Canonical only provides paid support for packages in main and restricted. Universe and multiverse receive community support only.

Re: apt-cacher in main
On Wed, 2007-11-14 at 11:38 -0500, Fabian Rodriguez wrote:
> I also think this would be a good candidate to have on the LiveCD
> installer and/or the Server CD installer images, as in many scenarios
> CDs are used for a first install and then other PCs in the same LAN
> could use that first install apt-cacher to save tremendously on
> bandwidth - a common situation outside high-bandwidth areas.

I am not sure it needs to be moved. But, what would be totally cool is if the installer scanned the local network on install and configured apt-cacher in sources.list instead of the normal repos by default when it finds a server. That would be a terrific usability upgrade.

But, since only one server needs it, is there an advantage to moving it from Universe? It's not like it's in Multiverse which is turned off by default. If I remember correctly, isn't Universe turned on by default on initial install?

--
Kevin Fries
Senior Linux Engineer
Computer and Communications Technology, Inc
A Division of Japan Communications Inc.