Skip to content
Snippets Groups Projects

Mirror hardening - complementing RFC 29

Closed pita strudl requested to merge torxed/rfcs:mirror-hardening into master

Complements RFC !29 (merged). The mirror team is proposing new hardening aspects to the current mirror infrastructure as there were none implemented in the past.

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
59 The decomission of a mirror should be announced with proper tooling. In addition to the described process in RFC !29, the decomission process would also start if the signature checks would fail repetiatedly.
60
61 - Tier 1 and 2 mirrors will have 6 months to secure their servers, which can be extended if the procedure might take a longer time.
62 - Tier 3 mirrors will have 12 months to transition to the new specification.
63
64 In case of missing the grace period, additional warnings will be sent out which are then followed by removal from the official mirror list. Tier1 and Tier2 mirrors that don't follow the spec within the grace period will be downgraded to one level below after two attempts of contact without response over a period of two months. The new requirements will first be enacted only on **new** mirrors.
65
66 Recommendation and Requirements for different mirror types
67 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
68
69 For mirror definitions please refer to RFC !29.
70
71 Tier 1 Requirements
72
73 - Outside of Gitlab communication, we require GPG signed messages.
74 - Active monitoring of tagged GitLab issues (initial response within 1-2 days)
  • 81 Tier 2 Recommendations
    82
    83 - Signed ``domain``+``lastupdate``
    84 - “Service JSON manifest”
    85
    86 Tier 3 Requirements
    87
    88 - HTTPS TLS1.2+
    89
    90
    91 Validation of Ownership
    92 ^^^^^^^^^^^^^^^^^^^^^^^
    93
    94 A new way of verifying *(continued)* ownership of a mirror domain is hereby proposed. This is primarily to combat `domain hijacking`_.
    95
    96 The mirror operator(s) must first submit an OpenSSL supported public key under their `GitLab`_ account. After the key is submitted the proposed workflow looks like this:
    • I would like to see the OpenSSL version defined, as a way of future-proofing the RFC against new algorithms that might be supported by OpenSSL in the future.

    • Contributor

      I have mentioned this wrt the opened mirrorctl merge request already: I don't see the need for OpenSSL in this context at all and I am beginning to worry about this being brought up again.

      We already have an OpenPGP Public Key Infrastructure. I see no reason for us to introduce yet another one, especially given that it doesn't do authentication.

      As such I am very much against using OpenSSL for this purpose.

    • Anton Hvornum changed this line in version 4 of the diff

      changed this line in version 4 of the diff

    • I think e08fc32b resolves this. OpenSSL was simply an easy way for operators to generate and maintain keys. But if OpenPGP is the preferred way from our side then we'll go with that. But for the sake of simplicity and the discussion, I removed tooling and specifics, we simply want to be able to verify a signature with this RFC.

    • Please register or sign in to reply
  • 58 ^^^^^^^^^^^^^^^^^^^^^
    59 The decomission of a mirror should be announced with proper tooling. In addition to the described process in RFC !29, the decomission process would also start if the signature checks would fail repetiatedly.
    60
    61 - Tier 1 and 2 mirrors will have 6 months to secure their servers, which can be extended if the procedure might take a longer time.
    62 - Tier 3 mirrors will have 12 months to transition to the new specification.
    63
    64 In case of missing the grace period, additional warnings will be sent out which are then followed by removal from the official mirror list. Tier1 and Tier2 mirrors that don't follow the spec within the grace period will be downgraded to one level below after two attempts of contact without response over a period of two months. The new requirements will first be enacted only on **new** mirrors.
    65
    66 Recommendation and Requirements for different mirror types
    67 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    68
    69 For mirror definitions please refer to RFC !29.
    70
    71 Tier 1 Requirements
    72
    73 - Outside of Gitlab communication, we require GPG signed messages.
    • This doesn't make much sense without specifying which key types and lengths are acceptable, or referring to another document which does that.

    • Contributor
      Suggested change
      73 - Outside of Gitlab communication, we require GPG signed messages.
      73 - E-mail communication should be OpenPGP signed, so that the authenticity of messages can be cryptographically verified

      OpenPGP is the technology, gpg is one implementation provided by GnuPG

    • This makes it harder to host a mirror and honestly what does it bring us? Encrypted communication sure, but it doesn't give us much more trust that person X is person Y.

    • Anton Hvornum changed this line in version 5 of the diff

      changed this line in version 5 of the diff

    • It does tho? And we would only require a OpenPGP signature, not encryption. Because if the domain ownership is transferred, especially in a malicious way, the new owner will have the ability to setup e-mail with correct DNS/DKIM/etc and it would look good on paper. Except, hopefully, the PGP key should not be as easily forged. And gaining access to the GitLab account should also not be trivial (unless 2FA was not setup, which we should require).

      Changed the phrasing according to @dvzrv's suggestion.

    • Please register or sign in to reply
    • I've read through this again and I still think this is a bad idea where the consequences is us loosing most of the servers in our mirror pool. And for a consequence like that I'd expect a bit more thorough arguments around the downsides of such a proposal.

      I can't put my finger on it but there is something amiss with the power dynamic here. The mirrors are doing us a favour, not the other way around. Most people host several mirrors and having requirements like "reponding within 2(!) days" and special TLS requirements is going to make it a lot harder to retain mirrors.

      Requiring legacy stuff like "GPG messages" is archaic considering Gitlab works perfectly fine, and this proposal still doesn't detail any threat model nor explains why pacman isn't enough.

      Generally my opinion is that all of this is severely misaligned with what mirrors actually are; they serve files and that is it. Unless there is a general push from several distributions for something similar this is just going to make us an extremely unpopular distribution to support.

      Considering none of the suggested improvements are going into pacman I expect them to have limited value as well.

      TL;DR: This proposal needs to be realistic and not expect mirrors to be beholden to whatever Arch Linux says.

    • the consequences is us loosing most of the servers in our mirror pool

      Based on what data would we loose mirrors? We extracted statistics to make sure this was not the case so I'd like - for the sake of this particular argument - data to be presented so we can talk about it and find concrete solutions.

      The mirrors are doing us a favour, not the other way around.

      We're in agreement, and it's worth repeating as many times as needed. Mirror operators are on a volunteer basis, we've kept this in mind throughout this whole RFC process - and we're giving leeway, exemptions, help and guidance, based it on statistical data from the mirror database and a lot of other variables that I cannot recall from the top of my head at this point.

      But whatever concerns there are, we should present and discuss before accepting anything as fact, obviously.

      having requirements like "reponding within 2(!) days" and special TLS requirements is going to make it a lot harder to retain mirrors.

      I agree, if the values are too strict - lets change them. But a value is needed, because we do have multiple instances where we don't get responses and there's currently no way for mirror administrators to feel okay about their choice of "when has enough time passed, that I can consider my following action justified" - as it's all guesswork and estimates at the moment.

      I'm okay with writing "responding within 6 months" if that feels better, but then we'll have "dead mirrors" for 6 months. So we need to agree on a value of not-so-ridiculous-time-for-volunteers but also not a value not-so-long-that-mirror-admins-get-a-backlog-of-months. 2 days was a starting point, let's figure it out together!

      Requiring legacy stuff like "GPG messages" is archaic considering Gitlab works perfectly fine, and this proposal still doesn't detail any threat model nor explains why pacman isn't enough.

      We tried moving away from PGP more or less everywhere, but it keeps being the preferred method and in e-mail communication it's more or less the only common built-in method for signing e-mails.

      they serve files and that is it.

      Currently, yes, but we're trying to push for a change that enables them to keep doing that - but in a more secure manner. Not just be a dead-drop where we hope all 100% of our users follow written guidelines to the letter. See my other comment of why this is important here.

      this is just going to make us an extremely unpopular distribution to support.

      Only if we force unreasonable changes, which we don't want to. Especially without giving guidance, easy barrier to entry options, and we go outside of industry standards. I sincerely hope that us expecting HTTPS is not what would make us unreasonable? in 2024 where TLS certificates are easier to get a hold of than anything else in terms of web hosting.

      TL;DR: This proposal needs to be realistic and not expect mirrors to be beholden to whatever Arch Linux says.

      Could we outline what is unrealistic? I know you started by saying you can't put your finger on it, but perhaps we can start putting actual fingers on it so we can make the PR not unrealistic.

      Edited by Anton Hvornum
    • Based on what data would we loose mirrors? We extracted statistics to make sure this was not the case so I'd like - for the sake of this particular argument - data to be presented so we can talk about it and find concrete solutions.

      What data could you possibly extract to make a case where mirrors wouldn't stop distributing Arch because of new requirements? Unless you did interviews with existing Tier 1 mirrors to figure out what their stance on this is.

      There is no empirical data to represent here. It's a human factor of "this is too much effort".

      We tried moving away from PGP more or less everywhere, but it keeps being the preferred method and in e-mail communication it's more or less the only common built-in method for signing e-mails.

      You don't need either. Gitlab is perfectly fine for this.

      Currently, yes, but we're trying to push for a change that enables them to keep doing that - but in a more secure manner. Not just be a dead-drop where we hope all 100% of our users follow written guidelines to the letter. See my other comment of why this is important here.

      This is secure enough. The proposal still fails to describe the threat model we are defending against and why pacman itself is not enough.

      Only if we force unreasonable changes, which we don't want to. Especially without giving guidance, easy barrier to entry options, and we go outside of industry standards. I sincerely hope that us expecting HTTPS is not what would make us unreasonable? in 2024 where TLS certificates are easier to get a hold of than anything else in terms of web hosting.

      Then how have you figured out what unreasonable and reasonable changes are? HTTPS is the reasonable part, beyond hard requiring modern TLS1.3 because mirrors need to support distros with legacy TLS versions.

      Everything else is the unreasonable part.

      Could we outline what is unrealistic? I know you started by saying you can't put your finger on it, but perhaps we can start putting actual fingers on it so we can make the PR not unrealistic.

      The proposal says "Before this proposal, there were a lack of security definitions and measures on mirrors within the Arch Linux community" but doesn't explain why. It seems to be in disagreement because of a poorly defined (if any) threat model.

    • Unless you did interviews with existing Tier 1 mirrors to figure out what their stance on this is.

      This is not out of the question to be honest. Unless a survey is too much to ask as well.

      We can rephrase things to say "recommendation" instead, but there are already requirements enacted. And as long as we can figure out a way to make this RFC balanced with equal effort of today - I think that would be the main goal at the moment.

      Which is why we extracted data, to make sure that the things we can measure, is taken care of. For instance bandwidth limit, size requirements etc.

      The "feeling of too much effort" is harder, the only thing we can do is put ourselves in the shoes of the mirror operators. And ask ourselves, "would this be too much for us as well?".

      So lets eliminate "those feelings" from the RFC by rephrasing things, or cutting things out. But lets not do it "just because" before we've bounced some ideas around of:

      1. What causes those kinds of concerns
      2. Are the better options for those concerns
      3. Would we lose less than 1% of mirrors - if so does the benefit outweigh the outcome (as an example of a realistic conversation that could occur, if we don't wanna loose a single mirror, then that's the choice we'll make)

      Currently I don't even have a concept of what those concerns are tho, other than, there are concerns. So it's hard to have a discussion around it. Is TLS one such concern?

      You don't need either. Gitlab is perfectly fine for this.

      Unless they use e-mail to 'mirrors@archlinux.org` to create a ticket for changes to their mirrors, or e-mail us directly (sure, we could ask them to not do that i guess).

      The proposal still fails to describe the threat model

      I am pretty convinced we've described it here in the comment section tho. Would adding this comment in refined form help justify the threat model?

      Everything else is the unreasonable part.

      Everything is quite a lot heh, re-write the entire thing?

      Are these topics not reasonable:

      • "Active monitoring of tagged GitLab issues"
      • (optional) “Service JSON manifest”
      • "A new way of verifying (continued) ownership of a mirror domain is hereby proposed."
      • "Provide (rootless) container based images for different tiers" (to make it easier for mirror operators to get going)

      I can agree that the how can be considered unreasonable, but "everything" being unreasonable is quite a lot to deal with to be honest hehe.

      Edited by Anton Hvornum
    • Would we lose less than 1% of mirrors

      Simply judging from the comments, my hunch is that arch linux can lose 30%-50% T1 mirrors, much more for T2.

    • Please register or sign in to reply
  • 44 Depending on your mirror tier and mirror configuration, your mirror might be lowered or upgraded on the new tiering scheme. The transition period will be adequate.
    45
    46 Timeline
    47 --------
    48
    49 | 3 months notice period of change | 3 months migration/grace period | 2 months clean-up phase |
    50
    51 Suggested start date for these changes is 2024-05-01.
    52 This would mean that the clean up phase would start at somewhere around December ideally.
    53
    54 Specification
    55 -------------
    56
    57 Decomission procedure
    58 ^^^^^^^^^^^^^^^^^^^^^
    59 The decomission of a mirror should be announced with proper tooling. In addition to the described process in RFC !29, the decomission process would also start if the signature checks would fail repetiatedly.
  • 15
    16 Before this proposal, there were a lack of security definitions and measures on mirrors within the Arch Linux community. This RFC therefore outlines the requirements, definitions and guidelines surrounding not only hardening but also maintaining proper security of a mirror.
    17
    18 Motivation
    19 ----------
    20
    21 At the current moment we have no means of security within the mirror infrastructure. We can neither proof ownership, track ownership changes or flag breaches. Current security model relies solely on package validation on pacman. Other security aspects like data privacy, availability of the supply chain are not taken care of.
    22
    23 This RFC aims to introduce security awareness where there are none yet. We are fully aware that some attack vectors still remain availible. The security measures would mostly if not all be supported by proper tooling like `mirrorctl`_.
    24
    25 The RFC introduces the concept of mirror ownerships and a process of validation by means of cryptographic signature. We also discuss the notion of having sane security defaults.
    26
    27
    28 This excludes ISOs which are hosted on the mirrors.
    29
    30 This RFC complements RFC !29.
  • 124
    125 The main drawback would be that old mirrors might not updated to the proposed changes. The RFC has taken this into account and it produces no unwanted results other than old mirrors not supporting new features.
    126
    127 It would require some more maintenance from Arch Linux staff, specifically the devops team. However, the added workload is considered to be less than or equal to that of the current `mirror administrators`_.
    128
    129 Unresolved Questions
    130 --------------------
    131
    132 No outstanding questions, see RFC !29.
    133
    134 Alternatives Considered
    135 -----------------------
    136
    137 Alternative discussions was not mentioned in the `Arch Summit 2023`_ as the conclusion was that this is a good step forward.
    138
    139
  • David Runge
    David Runge @dvzrv started a thread on the diff
  • 49 | 3 months notice period of change | 3 months migration/grace period | 2 months clean-up phase |
    50
    51 Suggested start date for these changes is 2024-05-01.
    52 This would mean that the clean up phase would start at somewhere around December ideally.
    53
    54 Specification
    55 -------------
    56
    57 Decomission procedure
    58 ^^^^^^^^^^^^^^^^^^^^^
    59 The decomission of a mirror should be announced with proper tooling. In addition to the described process in RFC !29, the decomission process would also start if the signature checks would fail repetiatedly.
    60
    61 - Tier 1 and 2 mirrors will have 6 months to secure their servers, which can be extended if the procedure might take a longer time.
    62 - Tier 3 mirrors will have 12 months to transition to the new specification.
    63
    64 In case of missing the grace period, additional warnings will be sent out which are then followed by removal from the official mirror list. Tier1 and Tier2 mirrors that don't follow the spec within the grace period will be downgraded to one level below after two attempts of contact without response over a period of two months. The new requirements will first be enacted only on **new** mirrors.
    • Contributor

      The new requirements will first be enacted only on new mirrors.

      What does this mean? How would decommissioning be done on mirrors that are not new/ do not exist? Is this relevant information? If so, maybe it should be at the beginning of the section.

    • The idea was to not force requirements on existing mirrors, as they had no chance to agree on the requirements. But we'll attempt to convert existing mirrors to the new requirements.

      But we also want to give leeway wherever needed, at the mirror admins discretion. Considering some mirror regions have different pre-existing conditions such as average speed in that region etc.

      Perhaps we can emphasise this better, as it becomes more and more clear that the message we want to get across can still be interpreted in a variety of personal ways.

      @wahrwolf & @pitastrudl - note for next meeting.

      Edited by Anton Hvornum
    • Please register or sign in to reply
  • 42 Mirrors will be allowed a certain grace period until they might be considered for the decommission process. These criteria changes depending on the tier levels the mirror might be.
    43
    44 Depending on your mirror tier and mirror configuration, your mirror might be lowered or upgraded on the new tiering scheme. The transition period will be adequate.
    45
    46 Timeline
    47 --------
    48
    49 | 3 months notice period of change | 3 months migration/grace period | 2 months clean-up phase |
    50
    51 Suggested start date for these changes is 2024-05-01.
    52 This would mean that the clean up phase would start at somewhere around December ideally.
    53
    54 Specification
    55 -------------
    56
    57 Decomission procedure
  • 8 =================
    9
    10 - Date proposed: 2024-03-28
    11 - RFC MR: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/35/
    12
    13 Summary
    14 -------
    15
    16 Before this proposal, there were a lack of security definitions and measures on mirrors within the Arch Linux community. This RFC therefore outlines the requirements, definitions and guidelines surrounding not only hardening but also maintaining proper security of a mirror.
    17
    18 Motivation
    19 ----------
    20
    21 At the current moment we have no means of security within the mirror infrastructure. We can neither proof ownership, track ownership changes or flag breaches. Current security model relies solely on package validation on pacman. Other security aspects like data privacy, availability of the supply chain are not taken care of.
    22
    23 This RFC aims to introduce security awareness where there are none yet. We are fully aware that some attack vectors still remain availible. The security measures would mostly if not all be supported by proper tooling like `mirrorctl`_.
  • 51 Suggested start date for these changes is 2024-05-01.
    52 This would mean that the clean up phase would start at somewhere around December ideally.
    53
    54 Specification
    55 -------------
    56
    57 Decomission procedure
    58 ^^^^^^^^^^^^^^^^^^^^^
    59 The decomission of a mirror should be announced with proper tooling. In addition to the described process in RFC !29, the decomission process would also start if the signature checks would fail repetiatedly.
    60
    61 - Tier 1 and 2 mirrors will have 6 months to secure their servers, which can be extended if the procedure might take a longer time.
    62 - Tier 3 mirrors will have 12 months to transition to the new specification.
    63
    64 In case of missing the grace period, additional warnings will be sent out which are then followed by removal from the official mirror list. Tier1 and Tier2 mirrors that don't follow the spec within the grace period will be downgraded to one level below after two attempts of contact without response over a period of two months. The new requirements will first be enacted only on **new** mirrors.
    65
    66 Recommendation and Requirements for different mirror types
  • 54 Specification
    55 -------------
    56
    57 Decomission procedure
    58 ^^^^^^^^^^^^^^^^^^^^^
    59 The decomission of a mirror should be announced with proper tooling. In addition to the described process in RFC !29, the decomission process would also start if the signature checks would fail repetiatedly.
    60
    61 - Tier 1 and 2 mirrors will have 6 months to secure their servers, which can be extended if the procedure might take a longer time.
    62 - Tier 3 mirrors will have 12 months to transition to the new specification.
    63
    64 In case of missing the grace period, additional warnings will be sent out which are then followed by removal from the official mirror list. Tier1 and Tier2 mirrors that don't follow the spec within the grace period will be downgraded to one level below after two attempts of contact without response over a period of two months. The new requirements will first be enacted only on **new** mirrors.
    65
    66 Recommendation and Requirements for different mirror types
    67 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    68
    69 For mirror definitions please refer to RFC !29.
  • David Runge
    David Runge @dvzrv started a thread on the diff
  • 91 Validation of Ownership
    92 ^^^^^^^^^^^^^^^^^^^^^^^
    93
    94 A new way of verifying *(continued)* ownership of a mirror domain is hereby proposed. This is primarily to combat `domain hijacking`_.
    95
    96 The mirror operator(s) must first submit an OpenSSL supported public key under their `GitLab`_ account. After the key is submitted the proposed workflow looks like this:
    97
    98 1. With the private key sign the contents of ``updatetime`` appended with a semicolon ``;`` and the `FQDN`_ of the mirrors domain, example: `1700471141;ftp.lysator.liu.se`
    99 2. Arch Linux then validates the mirror continuously
    100
    101 Mirrors are then automatically hidden if signatures or content is considered invalid. This can also be managed via ``mirrorctl``.
    102
    103 Arch Linux commitment
    104 ^^^^^^^^^^^^^^^^^^^^^
    105
    106 - Provide *(rootless)* container based images for different tiers *(with docker-compose)*
    • Contributor

      Wouldn't rootless imply not using docker?

    • Providing container images is orthogonal to using management tools like docker-compose and providing config files for those. While both might be useful in practice, they should be described as separate things. Or even better, the commitment should be generic without needlessly referring to specific tools. The motivation section even promises to define "Arch Linux commitment towards community in improving security goals".

    • Please register or sign in to reply
  • David Runge
    David Runge @dvzrv started a thread on the diff
  • 79 - HTTPS TLS1.2+
    80
    81 Tier 2 Recommendations
    82
    83 - Signed ``domain``+``lastupdate``
    84 - “Service JSON manifest”
    85
    86 Tier 3 Requirements
    87
    88 - HTTPS TLS1.2+
    89
    90
    91 Validation of Ownership
    92 ^^^^^^^^^^^^^^^^^^^^^^^
    93
    94 A new way of verifying *(continued)* ownership of a mirror domain is hereby proposed. This is primarily to combat `domain hijacking`_.
    • Contributor

      I'm wondering whether what you are referring to as "domain hijacking" is actually guarded against at all, following the linked to Wikipedia definition:

      Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.

      IIUC, what is proposed in this section is tooling, that is supposed to (automatically) sign a token file, which is used to evaluate when a given host has last synced. This means, that mirrorctl has to be used in an automated fashion on that host (as a post action to syncing). In consequence an attacker has access to these key material used to sign the token file and can sign anything they want.

      When it comes to actual "domain hijacking" I think what you would want to have is a proof in the domain records that you can validate or something like that.

      As is, this section appears to conflate two topics.

    • Please register or sign in to reply
  • David Runge
    David Runge @dvzrv started a thread on the diff
  • 83 - Signed ``domain``+``lastupdate``
    84 - “Service JSON manifest”
    85
    86 Tier 3 Requirements
    87
    88 - HTTPS TLS1.2+
    89
    90
    91 Validation of Ownership
    92 ^^^^^^^^^^^^^^^^^^^^^^^
    93
    94 A new way of verifying *(continued)* ownership of a mirror domain is hereby proposed. This is primarily to combat `domain hijacking`_.
    95
    96 The mirror operator(s) must first submit an OpenSSL supported public key under their `GitLab`_ account. After the key is submitted the proposed workflow looks like this:
    97
    98 1. With the private key sign the contents of ``updatetime`` appended with a semicolon ``;`` and the `FQDN`_ of the mirrors domain, example: `1700471141;ftp.lysator.liu.se`
    • Contributor

      From what I know, our largest issue with mirror security (or rather the payloads on those mirrors) at this point in time is, that we do not sign the repository sync databases.

      How does cryptographic proof of the sync process improve on this, if an attacker can alter the repository sync database after a (signed) sync? More specifically: Which attack vector does this cryptographic proof improve upon?

    • Please register or sign in to reply
  • 99 2. Arch Linux then validates the mirror continuously
    100
    101 Mirrors are then automatically hidden if signatures or content is considered invalid. This can also be managed via ``mirrorctl``.
    102
    103 Arch Linux commitment
    104 ^^^^^^^^^^^^^^^^^^^^^
    105
    106 - Provide *(rootless)* container based images for different tiers *(with docker-compose)*
    107
    108
    109 Mirror Tooling
    110 ^^^^^^^^^^^^^^
    111
    112 To facilitate the changes outlined in this RFC, tooling would not only be beneficial but crucial for managing things going forward. To preface, all features workflows of ``mirrorctl`` should also be possible to do manually from the mirror administrators.
    113
    114 This RFC in combination with RFC !29 proposes a tool called ``mirrorctl`` which should have at least the following features:
    • Contributor
      Suggested change
      114 This RFC in combination with RFC !29 proposes a tool called ``mirrorctl`` which should have at least the following features:
      114 This RFC in combination with `RFC 0029`_ proposes a tool called ``mirrorctl`` which should have at least the following features:

      I think this section should come before explaining what to do with it.

    • Anton Hvornum changed this line in version 7 of the diff

      changed this line in version 7 of the diff

    • Please register or sign in to reply
  • David Runge
    David Runge @dvzrv started a thread on the diff
  • 101 Mirrors are then automatically hidden if signatures or content is considered invalid. This can also be managed via ``mirrorctl``.
    102
    103 Arch Linux commitment
    104 ^^^^^^^^^^^^^^^^^^^^^
    105
    106 - Provide *(rootless)* container based images for different tiers *(with docker-compose)*
    107
    108
    109 Mirror Tooling
    110 ^^^^^^^^^^^^^^
    111
    112 To facilitate the changes outlined in this RFC, tooling would not only be beneficial but crucial for managing things going forward. To preface, all features workflows of ``mirrorctl`` should also be possible to do manually from the mirror administrators.
    113
    114 This RFC in combination with RFC !29 proposes a tool called ``mirrorctl`` which should have at least the following features:
    115
    116 - Handle signing of proof-of-domain-ownership
  • David Runge
    David Runge @dvzrv started a thread on the diff
  • 110 ^^^^^^^^^^^^^^
    111
    112 To facilitate the changes outlined in this RFC, tooling would not only be beneficial but crucial for managing things going forward. To preface, all features workflows of ``mirrorctl`` should also be possible to do manually from the mirror administrators.
    113
    114 This RFC in combination with RFC !29 proposes a tool called ``mirrorctl`` which should have at least the following features:
    115
    116 - Handle signing of proof-of-domain-ownership
    117
    118 Container images for setting up a mirror should be separated into the different responsibilities. And should if possible be rootless, for instance via `podman`_.
    119
    120 Drawbacks
    121 ---------
    122
    123 The potential added workload should be offset by better tooling to make mirror operators life easier from a security standpoint.
    124
    125 The main drawback would be that old mirrors might not updated to the proposed changes. The RFC has taken this into account and it produces no unwanted results other than old mirrors not supporting new features.
    • Contributor

      The RFC has taken this into account and it produces no unwanted results other than old mirrors not supporting new features.

      Doesn't !35 (diffs) argue for decommissioning of mirrors not in line with these specs? :thinking:

    • Please register or sign in to reply
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Please register or sign in to reply
    Loading