From: Giovanni Biscuolo
Subject: Re: Using a CDN or some other mirror?
Date: Tue, 11 Dec 2018 17:38:27 +0100
Message-ID: <8736r4hvcs.fsf@roquette.mug.biscuolo.net>
In-Reply-To: <87pnua244k.fsf@gnu.org>
References: <20181203154335.10366-1-ludo@gnu.org> <87tvju6145.fsf@gnu.org> <87ftv7l6gy.fsf@gmail.com> <87pnua244k.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès, Hartmut Goebel
Cc: guix-devel@gnu.org, 33600@debbugs.gnu.org

Hi all,

my two cents... (I still can't help with a public cache, I hope soon...)

Ludovic Courtès writes:

[...]

>> TL;DR: A CDN is a centralized infrastructure, allowing to collect
>> information about valuable vulnerability information of almost all
>> Guix-users and -systems. This might become a threat to freedom of
>> speech, human rights, democracy and economics. Guix should build on a
>> decentralized infrastructure.

I completely agree with you, decentralization is the solution; unfortunately the **only functioning** way is to avoid the current Internet, since it's broken (https://youbroketheinternet.org/); I see GuixSD as an integral part of The Project Map™ https://youbroketheinternet.org/map

...but to fix the situation we need a substantial GNUnet(work) effect, and for that we _need_ GuixSD substitutes to be easily and quickly downloaded (can we avoid asking potential adopters to be patient or to build?)

maybe we should divide this task in two steps:

1. distributed substitutes: caching servers hosted by a network of friendly institutions and companies, donated to GNU/GuixSD, with a haproxy frontend for geolocated load-balancing [1]

2. decentralized substitutes: caching servers on IPFS or better (since it allows complete anonymity) on GNUnet

> Heck it would be ironic to find myself arguing in favor of centralized
> commercial services. So I won't do that. :-)

I see no problems with commercial services; _unfortunately_ nowadays this *almost* always means centralized silos, usually exploited for global surveillance (since the Internet is broken)

[...]

> The operator of a substitute server (or caching proxy), in general,
> knows which IPs downloaded vulnerable software. This is the main
> threat.

on the Internet, and on IPFS? (sorry for the ignorance)

on GNUnet, filesharing can be completely anonymous, but the performance is degraded (so we need a large network effect here)

> This can be mitigated by talking to nearby mirrors and not just
> ci.guix.info, a feature we implemented a year ago (see
> ),
> or by using several substitute servers, or by not using (or not always
> using) substitutes. Few distros have all these options.
>
> We might also be able to somehow balance requests between several CDNs
> or mirrors.

did someone explore an haproxy (with geolocation) solution? is there a wip-haproxy attempt?

[...]

HTH
Giovanni

[1] in the next few weeks I'm going to test an haproxy instance with geolocated ACLs following these directions https://www.haproxy.com/blog/use-geoip-database-within-haproxy/

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
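A sketch of the geolocated haproxy frontend proposed in step 1, as an added example that is not part of the thread or of any Guix infrastructure: it assumes a CIDR-to-country map file at /etc/haproxy/geoip.map (built from a GeoIP database, as in the haproxy.com post cited in [1]) and hypothetical cache hostnames, and it deliberately keeps client addresses out of the access log, since the frontend is the one host that sees every client.

```haproxy
# Added example (not from the thread): send substitute requests to a
# regional cache chosen by the client's country, falling back to the origin.
# Assumes /etc/haproxy/geoip.map holds "<CIDR> <COUNTRY>" lines, e.g.
# "203.0.113.0/24 IT", generated from a GeoIP database. The cache-*.example.org
# hostnames are placeholders.
global
    log /dev/log local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 60s

frontend substitutes
    bind *:80
    # This frontend sees every client's address, which is exactly the
    # observer the thread worries about: log frontend, backend, status,
    # response time and request line, but not the source IP.
    log-format "%ft %b %ST %Tr %{+Q}r"
    # Look the source address up in the CIDR map; "XX" when not mapped.
    http-request set-var(txn.country) src,map_ip(/etc/haproxy/geoip.map,XX)
    # Regional caches first; unmapped or unlisted countries use the default.
    use_backend cache_eu if { var(txn.country) -m str IT FR DE ES NL }
    use_backend cache_na if { var(txn.country) -m str US CA MX }
    default_backend cache_origin

backend cache_eu
    balance roundrobin
    # guix publish serves /nix-cache-info; use it as the health probe.
    option httpchk GET /nix-cache-info
    server eu1 cache-eu1.example.org:80 check
    server eu2 cache-eu2.example.org:80 check
    # If every regional cache is down, use the origin instead of failing.
    server origin ci.guix.info:80 check backup

backend cache_na
    balance roundrobin
    option httpchk GET /nix-cache-info
    server na1 cache-na1.example.org:80 check
    server origin ci.guix.info:80 check backup

backend cache_origin
    server origin ci.guix.info:80 check
```

Whichever cache answers, the client's own substitute signature check still applies, so a mirror can withhold or observe what it serves but not alter it; clients that do not want to trust even this frontend can still list several substitute servers, as suggested above.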