[mirror-admin] push mirroring plans

Hiroyuki SHINBO admin at ftp.ne.jp
Wed Dec 17 22:53:22 EST 2008


Hi All,

Thank you for many comments.

>   I also prefer that, and it is also what I do with my mirror (I manage 
>one of the Debian master mirrors for Canada). But I didn't have any problem 
>getting the permission to open the SSH port.
>
>>   - I can set IP access filter for ssh on my server to only for RH IPs
>
>   That is quite useless for Shinbo-san if his company refuses to open the 
>firewall to allow incoming SSH connections to his mirror.
>
>>   - I can set for a tier mirror's ssh key to run only specified command
>>     (for example a special rsync, where this server can't do more like
>>     sync content)
>
>   For a mirror, that is the normal way to configure it.  Maybe Shinbo-san 
>will be able to convince his company to allow SSH on an alternate port, 
>but I already worked in Japan and I know that it can be quite difficult. 
>It is so because the person that will allow him to open the port will also 
>have to take the responsibility if there is a problem later.

Valiquette-san, thank you for the clarification. Your comments are
a correct explanation of our situation.


>>   - it's secure
>>   - it's simple (just one command)
>
>   Depending on their security requirements and risk tolerance, it might be 
>a reasonable policy to not want to trust potential misconfiguration or 
>bugs in OpenSSH if it is not absolutely needed.

I am also concerned about this. 

In addition, if the push method is used, especially using SSH, 
our server is controlled by a person who is outside of our 
organization. I understand that the control of the push method is 
applied only to the mirror, but the server gets potential security 
risks. 

I think that a method of frequent (and light?) mirror 
updates which is controlled by ourselves, such as TIMESTAMPS 
or checksum, can be applied to our server.


-------------- {ftp|http|rsync}://{ftp.ne.jp|ftp.kddilabs.jp} ---
   Hiroyuki SHINBO            E-Mail: admin at ftp.ne.jp
   KDDI R&D Laboratories Inc. FTP Administrator Team.
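
The pull-side alternative proposed in this message, where the mirror polls an upstream timestamp and decides for itself when to sync, as an added example that is not part of the original post. It assumes upstream publishes a small file holding a single Unix epoch integer; the file name, paths and host in the comments are hypothetical placeholders.

```shell
#!/bin/sh
# Pull-side trigger check: no inbound SSH, the mirror controls its own sync.
# Assumption (not from the thread): the upstream timestamp file contains one
# Unix epoch integer that increases whenever the upstream tree changes.

# check_timestamp REMOTE_COPY LOCAL_STATE
# Prints sync | current | rollback | invalid; returns 0 only for "sync".
check_timestamp() {
    remote_file=$1
    state_file=$2

    # The file arrives over the network: take one line, accept digits only,
    # and cap the length so the integer comparison below cannot overflow.
    remote=$(head -n 1 "$remote_file" 2>/dev/null) || remote=
    case $remote in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    [ "${#remote}" -le 12 ] || { echo invalid; return 2; }

    # A missing state file means first run; a damaged one is an error.
    last=0
    if [ -f "$state_file" ]; then
        last=$(head -n 1 "$state_file") || last=
        case $last in
            ''|*[!0-9]*) echo invalid; return 2 ;;
        esac
    fi

    if [ "$remote" -gt "$last" ]; then
        echo sync; return 0
    elif [ "$remote" -eq "$last" ]; then
        echo current; return 1
    fi
    # Upstream is older than what we already mirrored: do not sync,
    # a stale or replayed tree would otherwise replace newer content.
    echo rollback; return 3
}

# record_timestamp REMOTE_COPY LOCAL_STATE
# Call only after the full rsync succeeded; the rename makes the update atomic.
record_timestamp() {
    tmp="$2.tmp.$$"
    head -n 1 "$1" > "$tmp" && mv "$tmp" "$2"
}

# Typical cron use (UPSTREAM.example and all paths are placeholders):
#   rsync -q rsync://UPSTREAM.example/module/TIMESTAMP /var/tmp/ts.new
#   check_timestamp /var/tmp/ts.new /var/lib/mirror/ts &&
#     rsync -a --delete rsync://UPSTREAM.example/module/ /srv/mirror/ &&
#     record_timestamp /var/tmp/ts.new /var/lib/mirror/ts
```

Run frequently, this costs one small fetch per poll and needs only outbound connections from the mirror.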
