Today, over the day, access to security.debian.org was intermittent as usual in the last few weeks. But this afternoon, things suddenly got much worse. All my cron-apt installations on and behind firewalls began to yell at me that security.debian.org was completely unreachable.
But. Wait. I don't know that IP address. I don't know the host name tartini.debian.org.
Once again, the solution was found in Joey's Blog. Apparently, security.debian.org was moved to the new host, and everything is fine.
UPDATE: There has been an Announcement, but not where I would have expected it. The IP address hasn't been mentioned there, though, and that announcement wasn't signed.
UPDATE: There has been one more change to the IP addresses of security.debian.org: It now seems to be round-robin DNS of three hosts. While this is now a real advance compared to the old situation, it has - again - been unannounced to the public. And I get a free trip around my firewalls for the second time in 24 hours. Thanks, guys - I'd surely be twiddling my thumbs otherwise.
I surely am not the only firewall operator who doesn't allow security-relevant hosts to connect anywhere via HTTP. So, when security.debian.org's IP changed, my cron-apts wrecked themselves on their own firewalls. Manual intervention was required, which is a feature.
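A drift check for the situation described above, added here as an example and not part of the original post: it compares the addresses DNS currently returns with the addresses pinned in the egress rules and only reports the differences. The pinned list, the sample answer and the function names are constructed for illustration.

```python
import ipaddress
import socket
import sys

# Constructed values from documentation ranges, not Debian's real addresses.
PINNED = ["192.0.2.10/32", "2001:db8::10/128"]  # what the firewall allows
SAMPLE_ANSWER = ["192.0.2.10", "198.51.100.7", "203.0.113.9"]  # three-host round robin


def resolve(host, port=80):
    """Addresses the local resolver currently returns for host (unauthenticated)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def allowlist_drift(resolved, pinned):
    """Report drift between a DNS answer and the pinned egress rules.

    blocked: resolved addresses no rule covers; apt fails whenever it picks one
    stale:   rules matching no resolved address; candidates for review
    Nothing is changed automatically: the answer may be forged, a human decides.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in pinned]
    addrs = sorted({ipaddress.ip_address(a) for a in resolved},
                   key=lambda a: (a.version, int(a)))

    def covered(addr):
        return any(addr.version == n.version and addr in n for n in nets)

    return {
        "blocked": [str(a) for a in addrs if not covered(a)],
        "stale": [str(n) for n in nets
                  if not any(a.version == n.version and a in n for a in addrs)],
    }


if __name__ == "__main__":
    # With a host name argument, query DNS; without one, use the constructed sample.
    answer = resolve(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ANSWER
    drift = allowlist_drift(answer, PINNED)
    for kind, items in drift.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(1 if drift["blocked"] else 0)
```

Run from cron ahead of cron-apt, a non-zero exit flags the change while leaving the decision to open the firewall with the operator.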
But, oh people, why don't you announce changes like this through the official communication channels, and why don't you do so in advance? A lot of confusion could have been avoided that way.
You might argue that that's what DNS is for, but DNS is still trivially forged, because DNSSEC has not yet developed the broadness of usage that one would wish for. You might argue that one should check Package and Archive Signatures, but Debian stable doesn't have these features yet (or doesn't have them enabled by default).
I am not asking for more elaborate technical measures. I am asking for a courtesy: If you intend to do something which might influence other people's systems, please communicate your intent. Do so through the official channels, and do so in advance. It feels so good to be prepared. Please help.
Courtesy is optional, I know. But I think that Debian should become more friendly. And communication is so easy. Debian wouldn't be here if it weren't for easy communication. All we need to do is communicate.
Anonymous on :
hey man keep cool. btw nice sec groundwork.