On 13.10.2013 at 08:44, Tollef Fog Heen <tfh...@err.no> wrote:

> The System Administration Team (DSA) are considering moving some of the
> static hosting that Debian currently provides from our infrastructure to
> one or more CDNs. We have received feedback indicating that a broader
> discussion is desired.
> [...]
> We appreciate feedback while we continue our investigation of CDNs.


Although I understand that there will be some benefits of using a CDN, I see 
some issues as well: 

1) Privacy concerns: Debian would deliver much more data to business companies 
than necessary. Keep in mind that personalized data is one of the most valuable 
things to data miners. Currently I choose one mirror site to pull my packages 
from. I can freely choose that mirror on the basis of location, bandwidth, personal
likes or, let's say, privacy reasons because I know that this specific mirror
doesn't log my IPs.
When using a CDN, at least in the way I understood your proposal, I'm not free
to choose anymore. The company running that CDN will obtain all of the data, like
how many machines are behind a subnet or IP, what kind of machines (intel, 
sparc, powerpc, m68k, ...) and might know if I forget to update a machine 
(security). 

2) Integrity concerns: although Debian uses signed package lists and hashed 
packages, using a CDN would raise the chances that there might be attack 
vectors by manipulating the traffic. Maybe not by the will of the company
running it, but there are other groups that might have the interest and the power to
intercept traffic and manipulate it. This is, of course, also true of current
mirror sites, but a centralized CDN will be more convenient for this kind of
attacker.

3) Surveillance concerns: together with 1) and 2) goes this one... Using a CDN 
would make it easier for secret services to collect data, because they have a
single point where they can get all wanted data from instead of monitoring 
several providers and connections. 

4) Dependency concerns: as a project Debian should be as independent as 
possible. Using a CDN provider will create a big dependency on a specific
company, although we might be able to shift companies from time to time. Using
multiple CDN providers will mitigate that concern a little bit, but only to a
certain degree. Having too many CDN providers will be as difficult to handle as
the many FTP mirror donors are now. So, there's some trade-off anyway.


So, after all, my strongest concerns are 1), 2) and 3), of course. I'm not a big
fan of centralized solutions, but more a great friend of de-centralised ones. 
Having monocultures is always a bad thing and using large CDNs is driving that 
kind of monoculture. Diversity is enrichment and should be chosen whenever 
possible. 

-- 
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net


gpg pubkey:  http://www.juergensmann.de/ij_public_key.asc

