• Performance of security.debian.org?

    From наб@21:1/5 to All on Mon Dec 25 16:30:01 2023
    Hi!

    Just now I upgraded firefox-esr on bookworm, from bookworm-security.
    It's 60M, apt showed me ~90kB/s and projected 10 minutes.
    And it did take like 10 minutes.

    Two days ago, apt update projected to take, and took,
    on the same order of time, I think also on security.d.o.
    I gave up and pulled the package off snapshot.d.o,
    so I didn't measure how long it would've taken to download.

    Searching through the archives, I see a note about dropping rsync in
    https://lists.debian.org/debian-mirrors-announce/2019/11/msg00000.html
    which notes that security.d.o is available in HTTP at security.d.o only,
    with mirrors discouraged, and a post about a security-cdn.d.o in
    https://lists.debian.org/debian-user/2018/08/msg01196.html
    though while that user saw a security.d.o -> security-cdn.d.o redirect
    I cannot reproduce this, and I see an identical rate when pulling from security-cdn.d.o, an identical set of headers (two varnishes, two HITs),
    and no redirects.

    The latter links to https://www.debian.org/mirror/ftpmirror#what which says
    The debian-security/ archives contain the security updates released by
    the Debian security team. While it sounds interesting to everyone, we
    do not recommend to our users to use mirrors to obtain security
    updates and instead ask them to directly download them from our
    distributed security.debian.org service. We recommend debian-security
    not be mirrored.

    OTOH, security.d.o points to some fastly-assigned IPs directly whereas security-cdn.d.o is CNAME debian.map.fastlydns.net.

    OTOOH, that mail is the /only/ place I see security-cdn.d.o referenced,
    and https://www.debian.org/security/ doesn't list it as a mirror.
    Well, AFAICT, most debian.org pages consider "the archive" and "mirrors"
    to apply to the main archive only, and security.d.o may as well not
    exist.

    OTOOOH, this is the type of performance I'd expect from downloading
    something off an uncached primary mirror in skibidi, ohio
    (like, in recent memory, ftp.netbsd.org achieving 37.4kB/s
    vs its undocumented cdn.netbsd.org address which, uh. works).

    Conversely, the "distributed" deb.debian.org address which is /also/
    CNAME debian.map.fastlydns.net. yields normal speeds. This had also
    been the case for security.d.o on the order of weeks-and-months back.

    So, to this end:
    is this state expected?
    is this change expected?
    is this performance expected?
    if not, why not mirror security.d.o?

    Thanks,
    наб


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)