Re: apt-cacher in main
Reinhard Tartler wrote: http://packages.debian.org/sid/apt-cacher-ng But I have not tried it yet. It will be interesting to follow its progress. apt-cacher-ng (presumably next generation) is more than a simple rewrite of Apt-Cacher. It was redesigned from scratch and is written in C++ with main focus on maximizing throughput with low requirements on system resources. It is going to be in hardy, in universe. Changelog is here: http://changelogs.ubuntu.com/changelogs/pool/universe/a/apt-cacher-ng/apt-cacher-ng_0.1.1-1/changelog I will be going forward with proposing apt-cacher for main in Hardy as it's an LTS release. I'll be writing up the MIR this week. Cheers, Fabian -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: apt-cacher in main
Hi Oliver, On Fri, Nov 16, 2007 at 12:15:34PM +0100, Oliver Grawert wrote: searching for package proxy solutions in apt-cache reveals: apt-proxy - Debian archive proxy and partial mirror builder I've used apt-proxy for some time, but switched to apt-cacher. apt-proxy would hang quite often without any obvious reason. would a general proxy solution that includes .deb caching as well a better way to address the task ? squid can also be used as a proxy (for debs and general caching). It's already in main. The only advantage that apt-cacher has over squid is that it knows the debs structure and when files should be deleted (superseded in the archive instead of time based). OTOH squid is a more general caching proxy which can also be used to cache http content. Oliver, is there a reason why education doesn't use squid ? I guess they would be interested in caching all the content they can. -- Mathias
Re: apt-cacher in main
hi, On Thursday, 15.11.2007 at 22:59 +, Matt Zimmerman wrote: On Thu, Nov 15, 2007 at 01:05:01PM +0100, Oliver Grawert wrote: in edubuntu we face the fact that governments and schools start rolling out really huge deployments in the near future (see macedonia with a total of 185000 systems for example), if you maintain 5000 seats in one school or 1 in one municipality it comes in pretty handy to have an apt-cacher in your network to not saturate your internet connection for updates. so i'd like to second the main inclusion. We should be wary of both a) jumping from broad requirements (large deployments would benefit from local redistribution of updates) to actions (let's put apt-cacher in main) and b) focusing too much on niche use cases when there are issues facing a large number of users which need to be addressed. i think the huge deployments are a fact and we will see more of them (especially in the edu sector). while i agree that we should review other options as well, it seems that apt-cacher is a tool already used by many of our users and apparently it even made its way through support requests onto this list :) without knowing technical drawbacks/advantages of the other tools i'd say it's a good candidate from a give users what they ask for POV (i know many of the existing bigger edubuntu setups use it today to save bandwidth). searching for package proxy solutions in apt-cache reveals: approx - caching proxy server for Debian archive files apt-cacher - caching proxy system for Debian package and source files apt-proxy - Debian archive proxy and partial mirror builder does anyone know more tools like the above ones that fulfill the same need so we can take a look at them as well ? would a general proxy solution that includes .deb caching as well a better way to address the task ?
ciao oli
Re: apt-cacher in main + apt-zeroconf
Fabian Rodriguez wrote: Sam Tygier wrote: it looks like they have got the security side covered. Now, one might think this could potentially pose a security threat as everyone can offer and distribute debs without any authentication whatsoever. This is not the case as we are not yet caching the package lists or pdiffs, which are PGP-signed and contain MD5, SHA1 and SHA256 checksums of the packages. But due to the trusted PGP signatures, caching package lists shouldn't be an issue. Is there any reason this would not be sufficient? I see many ways to trick someone into installing newer versions of existing common packages that include malicious files, using apt-zeroconf. You'd be surprised how many people will click through any amount of security warnings if approached with authority by a neighbor. An Internet cafe comes to mind, but many other public places would also serve this purpose. You'd guess I love being paranoid about this. As I understand all the computers still get the package list from the ubuntu repo. it is only the packages that they get from local peers. there is no way the local peers can tamper with the package list. the package list contains the MD5 sum of packages. so if a local peer claims to have a package, and gives you something that has been tampered, then apt will reject it. sam
Re: apt-cacher in main
hi, On Wednesday, 14.11.2007 at 11:38 -0500, Fabian Rodriguez wrote: (not sure if this made it so re-sending) it did :) Hi, I'd like to propose moving apt-cacher to main. I haven't done main inclusion reports before so bear with me while I dive into this :) in edubuntu we face the fact that governments and schools start rolling out really huge deployments in the near future (see macedonia with a total of 185000 systems for example), if you maintain 5000 seats in one school or 1 in one municipality it comes in pretty handy to have an apt-cacher in your network to not saturate your internet connection for updates. so i'd like to second the main inclusion. ciao oli
Re: apt-cacher in main
Scott Abbey wrote: [...] I think the point of moving it is so that it receives official support from Canonical. That way those on paid support contracts can still expect assistance from Canonical when using the package. Canonical only provides paid support for packages in main and restricted. Universe and multiverse receive community support only. Because this is in universe and I use it regularly and also have advised some customers about its use (with usual warnings), I think it would be important it gets regular security reviews. Canonical commercial support customers will benefit from that just as much as anyone else using the package for free. If you ask any Canonical customer, you will find we sometimes provide support for much more than that (main) and sometimes we can't help much with restricted. Cheers, Fabian
Re: apt-cacher in main + apt-zeroconf
Kevin Fries wrote: I am not sure it needs to be moved. But, what would be totally cool is if the installer scanned the local network on install and configured apt-cacher in sources.list instead of the normal repos by default when it finds a server. That would be a terrific usability upgrade. could apt-zeroconf[0] be installed and enabled by default. distributed apt-cacher for local networks implemented in Python. It's called apt-zeroconf since we use avahi for automatically finding other apt-zeroconf instances on the LAN, similar to Apple's Rendezvous/Bonjour/Zeroconf technology. sam [0] http://trac.phidev.info/trac/wiki/AptZeroconf
Re: apt-cacher in main + apt-zeroconf
Sam Tygier wrote: could apt-zeroconf[0] be installed and enabled by default. distributed apt-cacher for local networks implemented in Python. It's called apt-zeroconf since we use avahi for automatically finding other apt-zeroconf instances on the LAN, similar to Apple's Rendezvous/Bonjour/Zeroconf technology. sam [0] http://trac.phidev.info/trac/wiki/AptZeroconf apt-zeroconf is actually a replacement for apt-cacher, not a complement to it, according to its site. I think we already know the answer to enabled by default autodiscovery / other networking services. I would have some trust issues using apt-zeroconf, but that's just me :) F.
Re: apt-cacher in main
On Wed, 2007-11-14 at 18:27 -0500, Scott Abbey wrote: I think the point of moving it is so that it receives official support from Canonical. That way those on paid support contracts can still expect assistance from Canonical when using the package. Canonical only provides paid support for packages in main and restricted. Universe and multiverse receive community support only. Ahhh (he says with bells going off like a Las Vegas slot machine) In that case, I would like to second that motion. Especially with Jeos coming out. Not all VM need to have a public facing. I often set up servers in a VM based environment where one or more machines are not given access to the outside network (only internal networking between the virtual machines). Without apt-cacher you either need to allow that machine access to the Internet, or do without updates. Example: Several VMs use a central set of accounts. You store those accounts in LDAP. If the LDAP server only has networking between the VMs, you do not have to worry about setting up TLS. But the second that machine has external visibility, TLS is mandatory. Any time you can relax the security, things run faster and more reliably. So, by putting that LDAP server in an inaccessible place, allows you to run without all those layers of security (good design trumps good security every time). Given this example, the machine with no external network support, can use whichever machine has apt-cacher as a proxy to get updates, without compromising its security. Given the announcement of Ubuntu Jeos, moving apt-cacher to a place where it will get support. But I still think it would be cool if the install process scanned the local net looking for any machine with port 3142 open, and reconfigured apt to use the cache by default. -- Kevin Fries Senior Linux Engineer Computer and Communications Technology, Inc A Division of Japan Communications Inc.
Re: apt-cacher in main + apt-zeroconf
Sam Tygier wrote: it looks like they have got the security side covered. Now, one might think this could potentially pose a security threat as everyone can offer and distribute debs without any authentication whatsoever. This is not the case as we are not yet caching the package lists or pdiffs, which are PGP-signed and contain MD5, SHA1 and SHA256 checksums of the packages. But due to the trusted PGP signatures, caching package lists shouldn't be an issue. Is there any reason this would not be sufficient? I see many ways to trick someone into installing newer versions of existing common packages that include malicious files, using apt-zeroconf. You'd be surprised how many people will click through any amount of security warnings if approached with authority by a neighbor. An Internet cafe comes to mind, but many other public places would also serve this purpose. You'd guess I love being paranoid about this. The only thing I can imagine is some sort of DOS attack by sending a large number of requests to one machine. Maybe checking for shared packages on the network could be enabled by default, but sharing disabled. The option to enable sharing could be in System - Administration - Software Sources If this was actually checked against a local web of trust (like OpenPGP or Gaim-OTR keys or else) it may become interesting. But who uses that safely ? :)
Re: apt-cacher in main + apt-zeroconf
Fabian Rodriguez wrote: apt-zeroconf is actually a replacement for apt-cacher, not a complement to it, according to its site. I think we already know the answer to enabled by default autodiscovery / other networking services. I would have some trust issues using apt-zeroconf, but that's just me :) F. it looks like they have got the security side covered. Now, one might think this could potentially pose a security threat as everyone can offer and distribute debs without any authentication whatsoever. This is not the case as we are not yet caching the package lists or pdiffs, which are PGP-signed and contain MD5, SHA1 and SHA256 checksums of the packages. But due to the trusted PGP signatures, caching package lists shouldn't be an issue. Is there any reason this would not be sufficient? The only thing I can imagine is some sort of DOS attack by sending a large number of requests to one machine. Maybe checking for shared packages on the network could be enabled by default, but sharing disabled. The option to enable sharing could be in System - Administration - Software Sources Sam
Re: apt-cacher in main
On Thu, Nov 15, 2007 at 01:05:01PM +0100, Oliver Grawert wrote: in edubuntu we face the fact that governments and schools start rolling out really huge deployments in the near future (see macedonia with a total of 185000 systems for example), if you maintain 5000 seats in one school or 1 in one municipality it comes in pretty handy to have an apt-cacher in your network to not saturate your internet connection for updates. so i'd like to second the main inclusion. We should be wary of both a) jumping from broad requirements (large deployments would benefit from local redistribution of updates) to actions (let's put apt-cacher in main) and b) focusing too much on niche use cases when there are issues facing a large number of users which need to be addressed. If this is worth addressing, then it is worth thinking through and considering other possible solutions. -- - mdz
Re: apt-cacher in main
Kevin Fries wrote: I am not sure it needs to be moved. But, what would be totally cool is if the installer scanned the local network on install and configured apt-cacher in sources.list instead of the normal repos by default when it finds a server. That would be a terrific usability upgrade. I believe this blueprint addresses that: https://blueprints.edge.launchpad.net/ubuntu/+spec/apt-service-discovery But, since only one server needs it, is there an advantage to moving it from Universe? It's not like it's in Multiverse which is turned off by default. If I remember correctly, isn't Universe turned on by default on initial install? Moving this to main would also open the door to possible inclusion in the LiveCD or Server install CD. Actually, DVD images will make better use of this. In low bandwidth environments the server may be another neighboring laptop or desktop. Even if universe is on by default, this single package would mean much faster mass installs when you have a DVD image, for example. Cheers, Fabian
Re: apt-cacher in main + apt-zeroconf
On Thu, Nov 15, 2007 at 12:53:14PM -0500, Fabian Rodriguez wrote: If this was actually checked against a local web of trust (like OpenPGP or Gaim-OTR keys or else) it may become interesting. But who uses that safely ? :) All packages downloaded by APT are authenticated using PGP keys provided in the default install. While it's possible to override this, it's also possible to install untrusted packages in all sorts of other ways, so people who ignore security warnings are already in bad shape regardless of whether they're using something like apt-cacher or not. -- - mdz
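Added example, not part of any message in this thread and not code from apt or apt-zeroconf: a sketch of the check described in the messages above, where a .deb obtained from an untrusted LAN peer or cache is accepted only if it matches the checksum in the package list, and the package list only if it matches the signed Release file. The Release signature check itself is assumed to have been done already; all file contents, paths and function names are constructed for illustration.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text):
    """Map index path -> (sha256 hex, size) from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_section = False  # any other field ends the section
    return entries


def parse_packages(index_text):
    """Map Filename -> field dict for each blank-line-separated stanza."""
    stanzas = {}
    for block in index_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1] in (" ", "\t"):  # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Filename" in fields:
            stanzas[fields["Filename"]] = fields
    return stanzas


def verify_peer_deb(release_text, index_path, index_bytes, filename, deb_bytes):
    """Return (ok, reason). release_text is assumed to be signature-checked already."""
    listed = parse_release_sha256(release_text).get(index_path)
    if listed is None:
        return False, "index not listed in Release"
    # Step 1: the package list must match what the signed Release file says.
    if (sha256(index_bytes), len(index_bytes)) != listed:
        return False, "package list does not match signed Release"
    # Step 2: the .deb must match the entry in the now-trusted package list.
    stanza = parse_packages(index_bytes.decode()).get(filename)
    if stanza is None:
        return False, "package not in package list"
    if stanza.get("SHA256") != sha256(deb_bytes) or stanza.get("Size") != str(len(deb_bytes)):
        return False, "package does not match package list"
    return True, "ok"


# Constructed sample data (not a real archive).
GOOD_DEB = b"!<arch>\nconstructed sample package contents\n"
DEB_PATH = "pool/main/h/hello/hello_1.0_all.deb"
INDEX_PATH = "main/binary-i386/Packages"
INDEX = ("Package: hello\nVersion: 1.0\n"
         f"Filename: {DEB_PATH}\nSize: {len(GOOD_DEB)}\n"
         f"SHA256: {sha256(GOOD_DEB)}\n"
         "Description: constructed sample\n extended description line\n").encode()
RELEASE = ("Origin: Example\nSuite: sample\nSHA256:\n"
           f" {sha256(INDEX)} {len(INDEX)} {INDEX_PATH}\n")

if __name__ == "__main__":
    tampered = GOOD_DEB.replace(b"sample", b"SAMPLE")  # same size, different bytes
    print(verify_peer_deb(RELEASE, INDEX_PATH, INDEX, DEB_PATH, GOOD_DEB))
    print(verify_peer_deb(RELEASE, INDEX_PATH, INDEX, DEB_PATH, tampered))
```

A peer that also serves a rewritten package list fails at step 1, which is why the trust anchor is the signature on the Release file rather than anything the peer supplies.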
apt-cacher in main
Hi, I'd like to propose moving apt-cacher to main. I haven't done main inclusion reports before so bear with me while I dive into this :) Description: caching proxy system for Debian package and source files Apt-cacher performs caching of .deb and source packages which have been downloaded by local users. It is most useful for local area networks with slow internet uplink. I have used apt-cacher in many different scenarios and I believe it is a good candidate for inclusion in main. During my work at Canonical as a systems support analyst there have been a few occasions when customer would have benefited of having official support for this too. I checked security vulnerabilities and it seems there is only one back in 2005, fixed within hours of being reported: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1854 The package seems well maintained, see: http://changelogs.ubuntu.com/changelogs/pool/universe/a/apt-cacher/apt-cacher_1.5.5/changelog I also think this would be a good candidate to have on the LiveCD installer and/or the Server CD installer images, as in many scenarios CDs are used for a first install and then other PCs in the same LAN could use that first install apt-cacher to save tremendously on bandwidth - a common situation outside high-bandwidth areas. I'd like to hear opinions on this, I already put the unedited main inclusion report template in but I wanted to start the discussion here before going any further. I also aim to get apt-cacher approved in the server package review: https://wiki.ubuntu.com/ServerPackageReview .
Thank you, Fabián Rodríguez - Ubuntu Quebec Local Community team contact https://wiki.ubuntu.com/QuebecTeam Montreal, QC, Canada
apt-cacher in main
(not sure if this made it so re-sending) Hi, I'd like to propose moving apt-cacher to main. I haven't done main inclusion reports before so bear with me while I dive into this :) Description: caching proxy system for Debian package and source files Apt-cacher performs caching of .deb and source packages which have been downloaded by local users. It is most useful for local area networks with slow internet uplink. I have used apt-cacher in many different scenarios and I believe it is a good candidate for inclusion in main. During my work at Canonical as a systems support analyst there have been a few occasions when customer would have benefited of having official support for this too. I checked security vulnerabilities and it seems there is only one back in 2005, fixed within hours of being reported: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1854 The package seems well maintained, see: http://changelogs.ubuntu.com/changelogs/pool/universe/a/apt-cacher/apt-cacher_1.5.5/changelog I also think this would be a good candidate to have on the LiveCD installer and/or the Server CD installer images, as in many scenarios CDs are used for a first install and then other PCs in the same LAN could use that first install apt-cacher to save tremendously on bandwidth - a common situation outside high-bandwidth areas. I'd like to hear opinions on this, I already put the unedited main inclusion report template in but I wanted to start the discussion here before going any further. I also aim to get apt-cacher approved in the server package review: https://wiki.ubuntu.com/ServerPackageReview .
Thank you, Fabián Rodríguez - Ubuntu Quebec Local Community team contact https://wiki.ubuntu.com/QuebecTeam Montreal, QC, Canada
Re: apt-cacher in main
Kevin Fries wrote: On Wed, 2007-11-14 at 11:38 -0500, Fabian Rodriguez wrote: I also think this would be a good candidate to have on the LiveCD installer and/or the Server CD installer images, as in many scenarios CDs are used for a first install and then other PCs in the same LAN could use that first install apt-cacher to save tremendously on bandwidth - a common situation outside high-bandwidth areas. I am not sure it needs to be moved. But, what would be totally cool is if the installer scanned the local network on install and configured apt-cacher in sources.list instead of the normal repos by default when it finds a server. That would be a terrific usability upgrade. But, since only one server needs it, is there an advantage to moving it from Universe? It's not like it's in Multiverse which is turned off by default. If I remember correctly, isn't Universe turned on by default on initial install? I think the point of moving it is so that it receives official support from Canonical. That way those on paid support contracts can still expect assistance from Canonical when using the package. Canonical only provides paid support for packages in main and restricted. Universe and multiverse receive community support only.