Is there a need for additional mirrors of the vault? I have enough space to mirror it if there's a need, but I know access to it is restricted. (I've managed to pull in a local copy by pulling from the existing mirrors.)
- J<
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 14/04/15 17:54, Jason L Tibbitts III wrote:
Is there a need for additional mirrors of the vault? I have enough space to mirror it if there's a need, but I know access to it is restricted. (I've managed to pull in a local copy by pulling from the existing mirrors.)
- J<
Well, that's a good-and-not-so-easy-to-answer question :-) Actually we have 6 nodes behind vault.centos.org, but two will have to be removed soon (basically lack of disk space when the next release will have to land there). There are also 4 non centos.org nodes that are actually fetching vault content , and those have better bandwidth/machines that we do (reminder : we're using community donated dedicated servers).
I can't speak for those external mirrors, and I have zero view on their bandwidth usage/stats for vault content.
OTOH, I (personally) think that vault is like giving a gun for people to shoot themselves in the foot : using deprecated/unpatched/unsecured/unmaintained packages on a distro is not what I'd consider best practice. There are a *few* corner cases where it can be handy, but those are already mirroring internally those versions, for specific usage, and don't rely on vault.centos.org
- --
Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
On 04/15/2015 01:32 PM, Fabian Arrotin wrote:
OTOH, I (personally) think that vault is like giving a gun for people to shoot themselves in the foot : using deprecated/unpatched/unsecured/unmaintained packages on a distro is not what I'd consider best practice. There are a *few* corner cases where it can be handy, but those are already mirroring internally those versions, for specific usage, and don't rely on vault.centos.org
I would completely agree with you IF vault.centos.org would not (AFAIK) also be the official source for the CentOS Source-RPMS. Which doesn't actually make that much sense - could vault perhaps be split up into something like the real vault and srpms.centos.org? The last one would arguably be more useful than the vault, and not just giving people a gun to shoot themselves with.
On 15/04/15 07:32 AM, Fabian Arrotin wrote:
OTOH, I (personally) think that vault is like giving a gun for people to shoot themselves in the foot : using deprecated/unpatched/unsecured/unmaintained packages on a distro is not what I'd consider best practice. There are a *few* corner cases where it can be handy, but those are already mirroring internally those versions, for specific usage, and don't rely on vault.centos.org
Primary goal for us is preserving for archival and forensic purposes. Every now and again people have a need to compare pristine binaries with those that came from a compromised system -- in which case having something like vault.centos.org is invaluable.
-Konstantin
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2015-04-15 13:32, Fabian Arrotin wrote:
There are also 4 non centos.org nodes that are actually fetching vault content , and those have better bandwidth/machines that we do (reminder : we're using community donated dedicated servers).
I can't speak for those external mirrors, and I have zero view on their bandwidth usage/stats for vault content.
We are one of those mirrors. Over the last five months, we have used an average of slightly below 50 Mbit/s, but that is the sum of both vault and the ordinary CentOS (and EPEL, which we are also mirroring). I do have logs from all three protocols (HTTP, FTP and RSYNC), but I don't have any collected statistics of which parts of our mirrors have been accessed how much.
(And the bottleneck is neither our network, nor the server itself. We could easily handle much larger load, if people were just accessing us more. But if the light load we get is representative for what other people get, or if there is something [like geo-IP] that causes us to get so few accesses.)
OTOH, I (personally) think that vault is like giving a gun for people to shoot themselves in the foot : using deprecated/unpatched/unsecured/unmaintained packages on a distro is not what I'd consider best practice. There are a *few* corner cases where it can be handy, but those are already mirroring internally those versions, for specific usage, and don't rely on vault.centos.org
Having access to the source RPMs is very important to us. Both current and historical versions, to be able to see what has actually changed.
Having access to old versions of the binary RPMs is not quite as important (we can usually rebuild them from the source RPMs), but it is definitely convenient to see which versions were used previously and examine them. In some rare cases we may even downgrade. (For example, I think it took almost two months after CentOS 6.6 was released until we found out that IP-over-Infiniband was broken in that kernel; because it didn't actually break until you restarted the subnet manager. For a while we ran a 6.5 kernel with some security fixes from 6.6 backported; now we run a 6.6 kernel with the IPoIB stuff picked from 6.5.)
/Thomas Bellman (mirror.nsc.liu.se)
"FA" == Fabian Arrotin arrfab@centos.org writes:
FA> OTOH, I (personally) think that vault is like giving a gun for FA> people to shoot themselves in the foot : using FA> deprecated/unpatched/unsecured/unmaintained packages on a distro is FA> not what I'd consider best practice.
I agree, but this wasn't about whether people should use the content, it was about whether the project could benefit by having it mirrored. Sounds like the demand for it is low enough that I'll skip it. Which is fine, it gives me more space for other things (even though the vault really isn't that large; currently under 1TB).
Thanks for the info.
- J<
-
Fabian Arrotin -
Jason L Tibbitts III -
Konstantin Ryabitsev -
Michael Meier (FTP Admin) -
Thomas Bellman