Hi,

Sorry Andrew for the CC. This one wasn't done on purpose. Your message was saved as a draft and I made a mistake when sending.
On 2021-08-11 4:21 a.m., Polyna-Maude Racicot-Summerside wrote:
> Hi,
>
> On 2021-07-24 5:33 a.m., Andrew M.A. Cater wrote:
>> On Sat, Jul 24, 2021 at 01:07:24AM -0400, Polyna-Maude Racicot-Summerside wrote:
>>> Hi!
>>> How would you copy the Debian security update repository?
>>> I know it's not recommended.
>>> But I'd like to do so.
>>> --
>>> Polyna-Maude R.-Summerside
>>> -Be smart, Be wise, Support opensource development
>>>
>>
>> In general, this is a very bad idea because - and only because - you don't
>> want the possibility of machines getting incorrect / out-of-date fixes.
>> Security-critical things are security-critical - trying to maintain one
>> canonical source of truth where uploads are moderated and from a known source
>> is hard. Forcing people to go to the one source solves that problem in one
>> sense (and may also lessen the risk of some Evil Hacker maintaining a
>> security repository stuffed with malware and spoofing).
>> [Having said all that: I've a feeling that security.d.o is actually a set
>> of servers to serve Europe/Asia/N. America behind the content delivery
>> network.]
>>
>> If you really, really, really want to do it properly: I'd suggest approaching
>> the people in charge of security.d.o, having a conversation about exactly
>> what you want to do, why and for how many people. You'd probably need to
>> assure them that your mirror will be relatively secure from attack - so their
>> machines are not at risk - and then arrange for some form of push mirroring,
>> so that they push updates to you at their convenience. This means that they
>> will need the ability to have an account on your machine sufficient to
>> use ssh and forced commands to push the updates.
>>
>> Debian mirrors in general are updated about four times a day and it's
>> asynchronous. Pushed updates mean that everyone gets a drip feed of updates
>> whenever they're published. This is how several of us currently run private
>> mirrors for the main Debian distribution.
>>
>> Unless you are a bank / government agency / pharmaceutical company that
>> keeps all critical systems airgapped and entirely isolated from the
>> Internet, maintaining a separate security mirror may be more trouble than
>> it's worth in my opinion.
>>
> Thanks for all those explanations.
> I was thinking about maybe using aptly and signing my own repository.
> This wouldn't be a direct copy of the security updates @ debian.org but
> would be my own.
> I understand the risk involved but I can assume this risk.
> The same way I assume some risk and choose to go on the safe side for others.
> For example, I don't encrypt my hard disk partition; that's a choice I
> assume.
> But I do use SSH on my home network instead of a password.
>
> There's no risk of an "evil hacker", but as I install Debian into people's
> homes and some of them have limited bandwidth, even paying big extras per
> GB when you are in the deep countryside, I can't assume the customer
> can have access to the security updates that will be installed after the
> normal Debian installation.
>
> Already they'll need to keep themselves up to date and this will
> incur some fees, so it's better if I limit those at installation.
>
>> All the very best, as ever,
>>
>> Andy Cater
>>
>>
-- 
Polyna-Maude R.-Summerside
-Be smart, Be wise, Support opensource development
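Worked example, added here and not part of the thread, of Debian's infrastructure or of aptly's own tooling: a POSIX shell script that ties together the two mechanisms the thread discusses. The upstream side triggers a refresh over SSH, and the key it uses is locked to this script with a forced command so the only thing it can do is say "sync". The mirror itself is built with aptly, verified against the Debian archive keyring when it is fetched, and re-published under our own signing key so the customer's apt can pin it with signed-by. The mirror name, the bullseye-security suite, the publish prefix, the key id, the example URL and the install path of the wrapper are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from Debian, aptly or the posters.
# Scenario: a private mirror of the Debian security archive built with aptly,
# re-signed with our own key, refreshed when an upstream host "pushes" over SSH.
# Assumed (none of this is in the thread): aptly is installed on the mirror
# host, the Debian archive keyring is at ARCHIVE_KEYRING, SIGN_KEY is a
# hypothetical local signing key id, and the upstream host's public key is
# installed in ~/.ssh/authorized_keys as:
#   command="/usr/local/sbin/mirror-push",no-pty,no-port-forwarding,\
#   no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... upstream-push
set -eu

MIRROR_NAME="${MIRROR_NAME:-debian-security}"
UPSTREAM="${UPSTREAM:-http://security.debian.org/debian-security}"
DIST="${DIST:-bullseye-security}"
COMPONENTS="${COMPONENTS:-main}"
ARCHIVE_KEYRING="${ARCHIVE_KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}"
SIGN_KEY="${SIGN_KEY:-0123456789ABCDEF}"   # hypothetical key id, replace it
PUBLISH_PREFIX="${PUBLISH_PREFIX:-debian-security}"

# Forced-command gate. sshd puts whatever the remote side asked to run into
# SSH_ORIGINAL_COMMAND; we accept exactly one fixed word and nothing else, so
# a stolen upstream key gets a mirror refresh and no shell.
check_push_command() {
    case "$1" in
        sync) return 0 ;;
        *)    return 1 ;;
    esac
}

# Snapshot name = mirror name plus timestamp: every publish is a fixed state
# that can be re-published later with "aptly publish switch".
snapshot_name() {
    printf '%s-%s\n' "$1" "$2"
}

# sources.list line for the customer's machine. signed-by pins this source to
# our exported public key instead of trusting everything in trusted.gpg.d.
apt_source_line() {
    # $1 = mirror base URL, $2 = path of our public key on the client
    printf 'deb [signed-by=%s] %s/%s %s %s\n' "$2" "$1" "$PUBLISH_PREFIX" "$DIST" "$COMPONENTS"
}

sync_mirror() {
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    snap="$(snapshot_name "$MIRROR_NAME" "$stamp")"

    # First run creates the mirror. -keyring makes aptly verify the upstream
    # Release signature against Debian's archive keys, not ~/.gnupg contents.
    if ! aptly mirror show "$MIRROR_NAME" >/dev/null 2>&1; then
        aptly mirror create -keyring="$ARCHIVE_KEYRING" \
            "$MIRROR_NAME" "$UPSTREAM" "$DIST" $COMPONENTS
    fi
    aptly mirror update -keyring="$ARCHIVE_KEYRING" "$MIRROR_NAME"

    aptly snapshot create "$snap" from mirror "$MIRROR_NAME"

    # Publish the first time, or switch the published tree to the new snapshot;
    # either way the Release file is signed with our key, not Debian's.
    if aptly publish show "$DIST" "$PUBLISH_PREFIX" >/dev/null 2>&1; then
        aptly publish switch -gpg-key="$SIGN_KEY" "$DIST" "$PUBLISH_PREFIX" "$snap"
    else
        aptly publish snapshot -gpg-key="$SIGN_KEY" -distribution="$DIST" \
            "$snap" "$PUBLISH_PREFIX"
    fi
}

# Entry point when sshd runs us as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_push_command "$SSH_ORIGINAL_COMMAND"; then
        sync_mirror
    else
        echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
fi
```

The upstream side triggers a refresh with `ssh mirror-host sync`; anything else it sends is logged and refused. On the customer's machine the exported public key goes to the path named in signed-by and the output of apt_source_line replaces the stock security.debian.org entry. The caveat Andy raises still applies: once the archive is re-signed, the customer's apt trusts your signing key for that source, so a compromise of the mirror host or its key is, for those clients, a compromise of the security archive.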