Hi! I will have some spare disk, compute and network capacity in the near future and I'm thinking about using it for a public tier 2 mirror for Arch.
After reviewing the wiki I see that the currently used protocols are rsync, http and https. After review, http is still supported by a lot of mirrors.
Having Let's Encrypt certificates, is there any advantage that I'm not aware of to having http support at mirrors?
These days? No.
Inofficial first vice president of the Rust Evangelism Strike Force
https://wiki.archlinux.org/title/Develo … quirements
http or https support
Thanks for the answers, https only will be then.
Using http relieves you from renewing certificates, which, although it could be automated, introduces another vector of attack on your ever-reducing privacy surface. Especially when using anonymizing network layers, centralized cert infrastructure and https add only negatives.
BTW, what is the Arch gatekeepers' stance on tier 2 mirrors provided via onion addresses? Are there some semi-official servers to try to sync from?
bibies:
Did you notice this is an over-two-month-old thread?
In either case, not sure what “reducing privacy surface” is. Automatic and manual renewals perform the same operations and send the same data, so there is no direct difference in privacy. If one would really want to find one, it’s with manual renewals: it reveals the server operator’s activity patterns. With 4 data points a year this is garbage data, of course.
Not sure what kind of attack vector automatic renewal introduces compared to a manual one.
Regarding Tor HS access: I am not the right person to give an authoritative response on Arch’s stance. Fortunately Tor’s stance on pushing large amounts of data over Tor has been known for years and it is negative (1, 2), because it puts unreasonable load on the network. A second problem is that, unless additional steps are taken, the set of requested packages fingerprints the machine.
Daklon:
While users should use HTTPS, a server offering a plaintext alternative may still be of value. This shouldn’t normally be needed, but in some rare cases the user may have broken certificate chains or no TLS support. Then non-TLS connections remain the only option.
Sometimes I seem a bit harsh — don’t get offended too easily!
Did you notice this is an over-two-month-old thread?
How is that relevant to the subject?
In either case, not sure what “reducing privacy surface” is. Automatic and manual renewals perform the same operations and send the same data, so there is no direct difference in privacy. If one would really want to find one, it’s with manual renewals: it reveals the server operator’s activity patterns. With 4 data points a year this is garbage data, of course. Not sure what kind of attack vector automatic renewal introduces compared to a manual one.
Reducing privacy surface means expanding vulnerabilities to traffic analysis and fingerprinting. I didn't mean to distinguish auto and manual renewing, but rather the mere requirement to use certs, causing periodic regular extra connections to the third party.
Regarding Tor HS access: I am not the right person to give an authoritative response on Arch’s stance. Fortunately Tor’s stance on pushing large amounts of data over Tor has been known for years and it is negative (1, 2), because it puts unreasonable load on the network. A second problem is that, unless additional steps are taken, the set of requested packages fingerprints the machine.
Tor wasn't made to be kept in a museum. Throttling is OK and even desirable for many sensible scenarios. The fingerprinting argument is laughable, as clearnet connections have zero protection there. Hopefully Arch won't trail at the tail of the distros and will mitigate resiliency concerns by allowing and encouraging more decentralized syncing of its repos in a privacy-conscious manner.
Keep in mind that very few mirrors are maintained by Arch Linux itself (probably just archlinux.org).
https://archlinux.org/mirrors/ doesn't appear to list any Tor mirrors; maybe you would like to be the first one to provide a tier 2 mirror using a .onion domain?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
https://archlinux.org/mirrors/ doesn't appear to list any Tor mirrors; maybe you would like to be the first one to provide a tier 2 mirror using a .onion domain?
Some derivative distros had onion mirrors; not sure what the situation looks like today.
Maybe folks will start to have onion mirrors, but the first step would be to have an Arch policy in response to the quote:
BTW, what is the Arch gatekeepers' stance on tier 2 mirrors provided via onion addresses? Are there some semi-official servers to try to sync from?
This forum is not the place where policies are determined.
https://wiki.archlinux.org/title/Develo … ling_lists mentions a mailing list and an email address.
Maybe use one of those?