Or here's a radical idea, how about having users pick a mirror during setup the way a netinstall does? The code to do it is right in the installer, and the licensing isn't an issue.
Woops...I forgot about that. I do remember that step in the netinstall.
I really want to say that this happens already. Problems arise when you have no valid internet access while installing.
However, there appear to be other ways to fix this than just manually editing the file.
I will leave this here:
How to: Find the fastest apt mirror server for Debian
I remember that from the #! Forums.
So I thought I'd try it again and I get almost the same list today, missing is the mirror at UBA:
The fastest 10 servers seem to be:
http://debian.unnoba.edu.ar/debian/
http://repo.cure.edu.uy/debian/
http://mirrors.tecnoera.com/debian/
http://debian.utalca.cl/debian/
http://alcateia.ufscar.br/debian/
http://ftp.us.debian.org/debian/
http://debian.ec.as6453.net/debian/
http://debian.mirror.constant.com/debian/
http://ftp.us.debian.org/debian/
http://ftp.us.debian.org/debian/
Of the hosts tested we choose the fastest valid for HTTP:
http://debian.unnoba.edu.ar/debian/
Writing sources.list.
sources.list exists, moving to sources.list.1503248012
Done.
Now maybe those top 4 are 'fastest' with "netselect-apt" but having tried this in the past, the most "reliable" for me here in Buenos Aires, are numbers 5, 9 and 10 - strangely enough; all the same:
http://ftp.us.debian.org/debian/
"reliable" for me is best.
That page was written: May 14, 2008 - apt-spy - isn't anymore
Debian 12 Beardog, SoxDog and still a Conky 1.9er
@S11, if that's from a stretch-based system then you should probably install the apt-transport-https package and change to https sources, as outlined in https://deb.debian.org/
That's what we're using in Helium-dev at the moment
I wouldn't dream of using non-https repositories, I even resort to the Danish Arch ones 'cos the UK mirrors are only stinky old http...
Using D8 c/w apt-transport-https doesn't seem to do anything. I'll have to check the name page and see what I can do.
Debian 12 Beardog, SoxDog and still a Conky 1.9er
https sources, as outlined in https://deb.debian.org/
That's what we're using in Helium-dev at the moment
Where? The netinstall script just takes whatever sources.list has been put in by debian-installer.
Your How-To uses plain http!
debootstrap --components=main,contrib,non-free stretch /mnt http://cdn-aws.deb.debian.org/debian
...
Now add the stretch-updates and Debian Security repositories:
echo -e "deb http://cdn-aws.deb.debian.org/debian stretch-updates main contrib non-fr
While there seems to be some disagreement about how much extra security is provided by https, it certainly won't hurt.
Interesting wiki page about security and Debian packages: https://wiki.debian.org/UntrustedDebs
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
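An added example, not part of any post in this thread: a small audit of a one-line-style sources.list for the two things discussed here, plain-http mirror URIs and entries that bypass APT's signature check through the `trusted=yes` option. The sample file is constructed (mirror URLs are taken from the thread, `repo.example.invalid` is hypothetical), and the proposed https rewrite assumes the mirror actually serves HTTPS and, on stretch, that apt-transport-https is installed.

```python
import re

# Constructed sample: the Debian mirror URLs appear in this thread,
# the third-party entry (repo.example.invalid) is hypothetical.
SAMPLE = """\
# main archive
deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main
deb [arch=amd64 trusted=yes] http://repo.example.invalid/debian stretch main
deb https://deb.debian.org/debian stretch-updates main
"""

# type, optional [options], URI, suite (components are not needed here)
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")


def audit(text):
    """Return (findings, proposed_text) for one-line-style sources.list content.

    findings is a list of (line_number, kind); kind is "plain-http" or
    "trusted-yes". proposed_text has http:// URIs rewritten to https://;
    it is a proposal only, since not every mirror serves HTTPS.
    """
    findings, out = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line.strip())
        if not m:  # comments, blank lines, anything that is not an entry
            out.append(line)
            continue
        options, uri = m.group(2) or "", m.group(3)
        opts = dict(o.split("=", 1) for o in options.split() if "=" in o)
        # trusted=yes makes APT treat the source as trusted even when it
        # fails authentication, so the signed-Release protection is gone.
        if opts.get("trusted") == "yes":
            findings.append((n, "trusted-yes"))
        if uri.startswith("http://"):
            findings.append((n, "plain-http"))
            line = line.replace("http://", "https://", 1)
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    found, proposed = audit(SAMPLE)
    for n, kind in found:
        print(f"line {n}: {kind}")
    print(proposed, end="")
```
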
Your How-To uses plain http!
Oh my goodness, thank you so much for pointing that out — I must have written the basic notes before the https bee got under my bonnet :8
I will have to go back and test debootstrap with https, I needed to lay down a fresh system anyway.
While there seems to be some disagreement about how much extra security is provided by https, it certainly won't hurt.
From what I could understand it should at least hide:
- the rest of the url (practically meaning men-in-the-middle shouldn't know what you are downloading/updating/uploading)
deb.debian.org/scramblejsngfsdjgdjkgkdfjghkdfgd < like this.
- the content of communication (obviously)
Last edited by brontosaurusrex (2017-08-21 10:05:20)
Um, and who cares that you're updating your OS?? As for a man in the middle, I do believe that .deb packages from the repos are signed, kinda tough for that middle man to do anything to them.
I'm struggling to think of any case where the disclosed information would be useful.. Maybe someone targets ads for penguin T-shirts which your adblocker blocks anyhow? And they know you're running Linux from the unencrypted stuff anyhow pre TLS.. so not even that.
There are places https is needed, and places it has less to offer, this is one of the latter, it doesn't really hurt, but in this instance it just seems to be adding a drawbolt to a door that already has a good lock.
Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me
^ @B_B please read the link I posted: https://wiki.debian.org/UntrustedDebs
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
I've read it, for a sensible user, I still don't see much difference, for the others, well *those* are the ones who jump through *all* the hoops to e.g. jailbreak their iPhone and get themselves pwnd. Or add weird repos, or obscure Ubuntu PPAs. Because wanting a newer version of nano is EVERYTHING.... After all upstream added the ability to display naked girls behind the text.. or whatever, even though the existing version works PERFECTLY.
There's a limit to how much trouble it's worth taking to prevent users doing stupid shit and educating themselves. If they do daft stuff they might learn, (I have a few times lol). It's a case of which is better for Darwinian selection warning signs "don't step in front of trains", low fences, or 12 (4 metre)foot brick walls...
No matter how "foolproof" you make a system, there's always a better fool.
[opinion]Let people learn the hard way if they won't take advice.[/opinion]
/me not sure what's stopping any bad guy using Let's Encrypt to set their repo TLS capable anyhow, not like certs cost CASH anymore.
Last edited by Bearded_Blunder (2017-08-22 03:28:16)
Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me
Maybe someone targets ads for penguin T-shirts which your adblocker blocks anyhow?
Yeah I guess it doesn't make much sense, I'd assume this could also be a potential cpu hit for slow/atom-like machines, so from that perspective...