On Sat, Aug 21, 2021 at 10:40:32AM +0200, Wouter Verhelst wrote:
> On Fri, Aug 20, 2021 at 07:20:22PM +0000, Jeremy Stanley wrote:
> > Yes transparent proxies or overridden DNS lookups could be used to
> > direct deb.debian.org and security.debian.org to your alternative
> > location,
>
> I've been thinking for a while that we should bake a feature in apt
> whereby a network administrator can indicate somehow that there is a
> local apt mirror and that apt should use that one in preference to
> deb.debian.org.

This already exists in the form of an avahi service announcement for
_apt_proxy._tcp, issued by both squid-deb-proxy and apt-cacher-ng.
Literally the only thing needed client-side is installation of
squid-deb-proxy-client, which is also available in udeb form, implying
that d-i already uses it.

> This could be useful for both the "I've got a slow uplink and would like
> it to not be overwhelmed at the BSP I'm hosting for my Debian friends"
> type as well as the "I'm an ISP and I want to provide a mirror to Debian
> users so we can reduce our uplink connection a bit" type of situations.

It's a great solution for everyone on the same wifi network: if everyone
has squid-deb-proxy-client installed, then just one person can spawn a
proxy and suddenly everyone's caching through them.

> However, I've not been able to come up with a scheme which is simple
> enough to be doable on a LAN while at the same time be usable by larger
> network providers, *and* which can't also be abused by MitM attackers.

Isn't the MitM handled by archive signatures etc., hence why http is
fine?

True, I haven't tested this in a large network, since usually
configuration management is in place, but apparently mDNS can even
traverse routers via Multicast BGP.
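As an added illustration of the discovery mechanism discussed above (not the squid-deb-proxy-client script itself, and not part of the original mail), this POSIX shell snippet parses the parsable `-p` output of `avahi-browse -rt _apt_proxy._tcp` and prints what an apt `Acquire::http::Proxy-Auto-Detect` hook is expected to print: the proxy URL, or `DIRECT` when nothing is announced. The record layout and the sample announcement are assumptions, constructed for the example.

```shell
#!/bin/sh
# Added example: turn avahi-browse -p records into the proxy answer apt
# expects from an Acquire::http::Proxy-Auto-Detect command.
#
# Assumed record layout for resolved ("=") entries, semicolon separated:
#   =;iface;proto;name;type;domain;hostname;address;port;txt
# Unresolved ("+") entries carry no address/port and are skipped.

# Reads avahi-browse -p output on stdin; prints the first IPv4
# _apt_proxy._tcp announcement as http://ADDRESS:PORT/, else DIRECT.
parse_apt_proxy() {
    awk -F';' '
        $1 == "=" && $5 == "_apt_proxy._tcp" && $3 == "IPv4" && !found {
            printf "http://%s:%s/\n", $8, $9
            found = 1
        }
        END { if (!found) print "DIRECT" }
    '
}

# Constructed sample: one squid-deb-proxy instance announcing itself on a
# LAN (both the browse "+" line and the resolved "=" line).
SAMPLE_ANNOUNCEMENT='+;eth0;IPv4;apt-proxy;_apt_proxy._tcp;local
=;eth0;IPv4;apt-proxy;_apt_proxy._tcp;local;mirror.local;192.168.1.5;8000;'

# Constructed sample with no resolved announcement at all.
SAMPLE_EMPTY='+;eth0;IPv4;apt-proxy;_apt_proxy._tcp;local'

# Demo run. A real hook would instead pipe live discovery through the
# parser:  avahi-browse -rtp _apt_proxy._tcp | parse_apt_proxy
printf '%s\n' "$SAMPLE_ANNOUNCEMENT" | parse_apt_proxy
printf '%s\n' "$SAMPLE_EMPTY" | parse_apt_proxy
```

Because apt only uses the announcement as a transport hint, the Release-file signatures still decide whether the fetched packages are trusted, which is the point made in the reply about http being fine.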