Score:1

Why is mirroring debian-security a bad idea?

ch flag

I'm setting up a debian (apt) mirror for internal networking (approximately 250 devices, including containers and vms). I'm using debmirror with rsync to mirror relevant packages. This drastically reduces network load and shortens installation time.

I would like to also mirror debian-security. However, in November 2019 security.debian.org discontinued rsync on security.debian.org, although it is still available on rsync.security.debian.org. The mailing list cites the mirror how-to to say that mirroring security.debian.org is a bad idea, but the how-to only says:

The debian-security/ archives contain the security updates released by the Debian security team. While it sounds interesting to everyone, we do not recommend to our users to use mirrors to obtain security updates and instead ask them to directly download them from our distributed security.debian.org service. We recommend debian-security not be mirrored.

Why not? All packages are gpg-signed anyway, and will be delivered on a local (trusted) network over https with (trusted) certificates. Why would this not be recommended?

Score:2
la flag

https://www.debian.org/security/faq#mirror

Q: Why are there no official mirrors for security.debian.org?

A: Actually, there are. There are several official mirrors, implemented through DNS aliases. The purpose of security.debian.org is to make security updates available as quickly and easily as possible.

Encouraging the use of unofficial mirrors would add extra complexity that is usually not needed and that can cause frustration if these mirrors are not kept up to date.

Which sounds like a desire to keep control and an acknowledgment that the Debian team can’t guarantee that other (community) mirrors get synchronized as quickly as they can push updates to their own security update infrastructure.

————————

Note that while Debian might not facilitate mirroring security.debian.org they don’t prohibit you from running your own mirror either. Feel free to set one up if that better suits your needs.

cegfault avatar
ch flag
+1 for explaining the issue with *community* mirrors, but what would be the downside with a *private* mirror? Because I'm running on a local network, a private mirror will likely allow for faster security updates. Unless I'm misunderstanding you, the reason they don't recommend mirroring is mitigated by a local, trusted, reliable private mirror....
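Since the FAQ's only stated objection is that a mirror may fall behind, the thing a private mirror owner actually needs is a way to notice that happening. The following Python script is an added example, not code from the question, the answer, or Debian's own tooling: it parses a Release/InRelease body, reports how old the snapshot is and whether it has passed Valid-Until (at which point apt itself rejects it), and verifies a downloaded Packages index against the Release file's SHA256 list. The InRelease text, the Packages content, the dates and the six-hour staleness budget are constructed sample values; verifying the InRelease signature with gpgv or apt's keyring is assumed to happen before the body is trusted and is not performed here.

```python
"""Freshness and integrity checks for a private apt mirror's Release file."""
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

HASH_SECTIONS = ("MD5Sum", "SHA1", "SHA256", "SHA512")


def clearsigned_body(text):
    """Return the signed body of a PGP clearsigned InRelease file.

    Plain Release files are returned unchanged. Only the armor is stripped;
    checking the signature itself is left to gpgv/apt.
    """
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    body, in_headers = [], True
    for line in lines[1:]:
        if in_headers:
            if line == "":  # blank line ends the armor headers ("Hash: SHA256")
                in_headers = False
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"


def parse_release(text):
    """Parse a Release body: scalar fields as strings, hash sections as
    lists of (hex digest, size, path) tuples."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line inside a hash section
            if current is None:
                raise ValueError("continuation line before any hash section")
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed hash entry: {line!r}")
            digest, size, path = parts
            fields[current].append((digest.lower(), int(size), path))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key in HASH_SECTIONS and value == "":
            fields[key], current = [], key
        else:
            fields[key], current = value, None
    return fields


def _parse_date(value):
    """RFC 2822 date as used in Release files; naive values are taken as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def release_freshness(fields, now, max_age=timedelta(hours=6)):
    """'stale' means older than the local update budget (constructed default
    of six hours); 'expired' means Valid-Until has passed, so apt would
    refuse the snapshot outright."""
    age = now - _parse_date(fields["Date"])
    valid_until = fields.get("Valid-Until")
    expired = valid_until is not None and now > _parse_date(valid_until)
    return {"age": age, "stale": age > max_age, "expired": expired}


def verify_file(fields, path, data):
    """Check the bytes of ``path`` against the Release file's SHA256 section."""
    for digest, size, entry_path in fields.get("SHA256", []):
        if entry_path == path:
            return len(data) == size and hashlib.sha256(data).hexdigest() == digest
    return False  # a file the Release does not list is never trusted


# Constructed sample data, not real content from security.debian.org.
SAMPLE_PACKAGES = b"Package: hello\nVersion: 2.10-3\nArchitecture: amd64\n"
_PKG_SHA256 = hashlib.sha256(SAMPLE_PACKAGES).hexdigest()
SAMPLE_INRELEASE = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Label: Debian-Security
Suite: stable-security
Codename: bookworm-security
Date: Mon, 01 Jan 2024 10:00:00 UTC
Valid-Until: Mon, 08 Jan 2024 10:00:00 UTC
Architectures: amd64
Components: main
SHA256:
 {_PKG_SHA256} {len(SAMPLE_PACKAGES)} main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def audit_mirror(inrelease_text, packages_path, packages_data, now):
    """One-shot report a cron job on the mirror host could alert on."""
    fields = parse_release(clearsigned_body(inrelease_text))
    report = release_freshness(fields, now)
    report["suite"] = fields.get("Suite")
    report["packages_ok"] = verify_file(fields, packages_path, packages_data)
    return report


if __name__ == "__main__":
    now = datetime(2024, 1, 2, 10, 0, tzinfo=timezone.utc)  # constructed "current" time
    print(audit_mirror(SAMPLE_INRELEASE, "main/binary-amd64/Packages", SAMPLE_PACKAGES, now))
```

On a real mirror the same two checks run against the local copy of `dists/stable-security/InRelease` and the indexes debmirror fetched, after the signature has been verified; alerting on `stale` catches a broken or lagging sync long before `expired` does, which is the only protection apt gives on its own.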