From: Giovanni Biscuolo
Subject: Re: CDN performance
Date: Thu, 13 Dec 2018 11:41:06 +0100
Message-ID: <878t0thfp9.fsf@roquette.mug.biscuolo.net>
References: <20181203154335.10366-1-ludo@gnu.org> <87tvju6145.fsf@gnu.org> <87ftv7l6gy.fsf@gmail.com> <871s6qzo6m.fsf_-_@gnu.org> <87y38tx365.fsf@gmail.com>
In-Reply-To: <87y38tx365.fsf@gmail.com>
To: Chris Marusich, Ludovic Courtès
Cc: guix-devel@gnu.org, 33600@debbugs.gnu.org

Hi Chris,

nice to see this discussion, IMHO how GuixSD substitutes are distributed is a key issue in our ecosystem and is _all_ about privacy and metadata *mass* collection

most "normal users" are not concerned about this so they are fine with super-centralization since it's a convenience... not us :-)

personally I've come to GuixSD because I see this project as a key part in liberating me from this class of problems

Chris Marusich writes:

[...]

> A summary, in the middle of the long thread, is here:
>
> https://lists.debian.org/debian-project/2013/10/msg00074.html

thank you for the reference, I've only read this summary

the key part of it IMHO is "Q: Do CDNs raise more security/privacy concerns than our mirrors?" and the related subthread https://lists.debian.org/debian-project/2013/10/msg00033.html

the quick reply to the above question is: yes, CDNs raise more security/privacy concerns than "distributed mirrors"

obviously "distributed mirrors" _do_ raise some security/privacy concerns but *centralization*... much more

[...]

> Judging by that email thread, one of the reasons why Debian considered
> using a CDN was because they felt that the cost, in terms of people
> power, of maintaining their own "proto-CDN" infrastructure had grown too
> great.

I'm still new to guixsd but understood enough to see we are much more well equipped to maintain our distributed network of substitutes caching servers... **transparently** configured :-)

[...]

> I also understand Hartmut's concerns. The risks he points out are
> valid. Because of those risks, even if we make a third-party CDN option
> available, some people will choose not to use it.

probably I'll be one of those, I'm considering maintaining a caching substitute server in a "semi-trusted" colocated space and I'd be very happy to share that server with the community

[...]

> However, not everyone shares the same threat model. For example,
> although some people choose not to trust substitutes from our build
> farm, still others do.

for this very reason IMHO we should work towards a network of **very trusted** build farms directly managed and controlled by the GuixSD project sysadmins; if build farms will be able to quickly provide substitutes, caching mirrors will be _much more_ effective than today ...
and a network of "automated guix challenge" servers to spot not-reproducible software in GuixSD

with a solid infrastructure of "scientifically" trustable build farms, there are no reasons not to trust substitutes servers (this implies working towards 100% reproducibility of GuixSD)

> The choice is based on one's own individual
> situation. Similarly, if we make a third-party CDN option available and
> explain the risks of using it, Guix users will be able to make an
> educated decision for themselves about whether or not to use it.

that's an option... like a "last resort" in order to be able to use guixSD :-)

we could also teach people how to set up their own caching servers and possibly share them with the rest of the local community (possibly with some coordination effort from the project sysadmins)

for Milan I've plans to set up such a caching mirror in Jan 2019

[...]

happy hacking!
Gio

-- 
Giovanni Biscuolo

Xelera IT Infrastructures