[mirror-admin] push mirroring - who owns the SSH keys?

Stephen John Smoogen smooge at gmail.com
Sat Jun 20 18:44:08 EDT 2009


On Sat, Jun 20, 2009 at 6:52 AM, Matt Domsch <Matt_Domsch at dell.com> wrote:
> I'm starting to think again about push mirroring, with an eye to
> having something in place for general use by Fedora 12.  Anyone who
> would care to help would be greatly appreciated.
>
> In the grand scheme, I envision:
>
....
> Should a security breach happen to MM, the private half of the keypairs could
> become known.  This can be mitigated by ensuring the keypairs can only
> run one command on the downstream mirror, one that would be relatively
> safe for anyone to run at any time.  But would it be better for MM to
> have all those keypairs, or for each (upstream, downstream) mirroring
> arrangement to have their own keypairs for this purpose, and MM has
> nothing to do with it?  When the upstream runs report_mirror, it then
> runs the ssh push triggers to its downstreams itself...
>
> Looking for ideas, input, and coders.

Push queueing has always been one of those third rail topics in the
past (OK, 8-12 years ago is ancient historic past). It requires a lot
of stuff from getting accounts approved to policy reviews at a lot of
sites. I know that every place I have been that had a mirror or wanted
a mirror would not be able to use a push mechanism... but I worked for
quirky places. I think my questions would be the following:

1) What problems are we trying to solve here?
2) What percentage of sites would use it? Is that percentage
significant in helping push out more content?
3) Does having a 3 tier system (sites that allow push, sites that can
poll, and sites that just regularly pull) make it better for users or
more likely they will run into 'you can't get that yet?'

4) Is it possible to work with the Debian developers/sites who have
this push model in place to use theirs and help improve that code
base? This way sites that have already approved the usage of push
mechanism would only use one set of programs versus a bunch.

> Thanks,
> Matt
> Fedora Mirror Wrangler
>



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
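
The mitigation raised in the quoted message, a keypair that can only run one command on the downstream mirror, can be sketched with an OpenSSH forced command. This is an added example, not part of the original thread or of any Fedora or MirrorManager code; the script path, lock and log locations, the source address and the `mirror-sync` job are assumptions.

```shell
#!/bin/sh
# Constructed example. authorized_keys entry on the downstream mirror (one line;
# address, path and key material are placeholders):
#   restrict,from="192.0.2.10",command="/usr/local/bin/push-trigger --run" ssh-ed25519 <PUBLIC-KEY> upstream-push
#
# sshd runs the forced command whatever the client asks for. The client's
# request only reaches us as SSH_ORIGINAL_COMMAND, which is treated as
# untrusted text: logged, never executed and never parsed for arguments.

LOCK_DIR="${LOCK_DIR:-/var/lock/mirror-push.lock}"   # assumed path
SYNC_CMD="${SYNC_CMD:-/usr/local/bin/mirror-sync}"   # hypothetical local sync job
LOG_FILE="${LOG_FILE:-/var/log/mirror-push.log}"     # assumed path

push_trigger() {
    # Record what the caller tried to run, with control characters stripped
    # so the request cannot forge extra log lines.
    requested=$(printf '%s' "${SSH_ORIGINAL_COMMAND:-}" | tr -cd '[:print:]' | cut -c1-200)
    src=${SSH_CONNECTION:-unknown}
    src=${src%% *}
    printf '%s trigger from=%s requested="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$requested" >> "$LOG_FILE"

    # mkdir is atomic: a trigger that arrives while a sync is running is
    # refused, so a leaked key cannot be used to pile up sync jobs.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "sync already running" >&2
        return 75
    fi
    status=0
    "$SYNC_CMD" || status=$?
    rmdir "$LOCK_DIR"
    return "$status"
}

# Only act when invoked as the forced command shown above.
if [ "${1:-}" = "--run" ]; then
    push_trigger
    exit $?
fi
```

With this in place, whoever holds the private key can do no more than request a sync that the downstream would have run anyway, and every request is logged with its source address.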
