Dan Mahoney <dmahoney@isc.org> wrote:
All,
ISC is the operator of the F-root DNS server as well as the makers of BIND, ISC DHCP, Kea, as well as historic other pieces of software. We
also have had a long relationship with the team that makes INN. For largely historical reasons, ISC also works with those same authors to publish a canonical list of newsgroups over at ftp.isc.org.
However, as ISC also offers support contracts for BIND and Kea, and
those customers have their own due diligence policies, we are often
subject to scrutiny and audits about how our network runs, and even
for a venerable URL like ftp.isc.org, we get questions from auditors
like "did you know you have a public FTP server on your network!
Why!?"
It saddens me that people who should know better think that the mere existence of the FTP server potentially compromises security on other
hosts in the network.
I'm sorry you were pressured here.
. . .
Ergo, it seems to be a simple enough matter to tell people who fetch
those usenet control files via anonymous FTP to simply switch to
HTTPS. As a benefit, this also allows us to use the CDN provider we already use for downloads.isc.org. The url would remain ftp.isc.org,
and the pathing would remain the same. (We'd still sync the data from
Russ as we already do).
Switching to https is not so simple. Those of us who use it regularly
want to see directory listings. I get these automatically using an ftp
client but not when I use a browser. With a browser, subdirectories
are listed but Russ's README is not (I think there are three of them).
Every single directory, then, requires a frequently regenerated
index.html file that's literally a directory listing, both files and subdirectories.
We do not have a specific date yet (this depends on specific feedback
from the community), but on the order of a month or two sounds
reasonable. If any software, such as INN, ships with the "ftp"
protocol baked-in, this gives enough time for people to put out new releases and docs that point at the change, or at least add the change
to their README's, and the like.
If/when this happens I'd likely also make a quick post to a few other network operator places, and suggestions as to where to do so are
welcome.
If there are objections or considerations, please feel free to reply
here or contact me directly.
I don't think there is a problem to solve, but it's too late for the
pebbles to vote. I sort of expected this to happen years ago.
Hi all,
In addition to my previous message:
B/ If actsyncd is used with the following actsync.cfg parameters:
    host=ftp.isc.org
    ftppath=/pub/usenet/CONFIG/active.gz
Then there is something to change. Here are some possibilities.
1/ The fastest would be to keep FTP but against another server which
would go on providing up to date active files on FTP. I don't know
whether there are. If you know one, just update host and ftppath
accordingly.
The good news is that the Free University of Berlin still has an FTP
server, and they now get the newsgroups information from the same source
as ftp.isc.org takes theirs (that is to say control-archive maintained
by Russ). So, if and when ftp.isc.org closes as an FTP server, changing actsync.cfg to:
host=ftp.fu-berlin.de
ftppath=/doc/usenet/config/active.gz
will go on synchronizing the data using the FTP protocol.
Thanks, Heiko and Russ!
2/ You can install a version of INN generated after 2024-10-07 (INN
2.7.3, snapshot, etc.). Then just update your installation and change
the above parameters in actsync.cfg to:
    host=downloads.isc.org
    path=/pub/usenet/CONFIG/active.gz
    protocol=https
Switching to HTTPS is also still possible of course.
Note that we don't know how much time the FTP protocol will remain
active in the server of the Free University of Berlin. There's no
lifetime guarantee.
At least actsyncd can now deal with both FTP and HTTPS so it will be
ready in case FTP is also shut down on other servers. By the time it happens, I hope the new version will be wide-spread.
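
A small checker for the actsync.cfg change described in the message above, as an added example that is not part of the original posts or of INN. The parameter names (host, ftppath, path, protocol) are those quoted in the thread; the key=value parsing, the rule that ftppath without protocol=https means FTP, and the sample files are assumptions of this sketch.

```python
# Added example: audit an actsync.cfg for the FTP-to-HTTPS change discussed above.
# Parameter names come from the thread; the parsing and classification rules
# are assumptions of this sketch, not INN's own logic.

RETIRING_FTP_HOST = "ftp.isc.org"

# Constructed sample configurations, not copied from any real server.
SAMPLE_OLD = """\
# constructed sample
host=ftp.isc.org
ftppath=/pub/usenet/CONFIG/active.gz
"""
SAMPLE_NEW = """\
host=downloads.isc.org
path=/pub/usenet/CONFIG/active.gz
protocol=https
"""

def parse_cfg(text):
    """Collect key=value settings, ignoring blank lines and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return (transport, findings) for one actsync.cfg."""
    cfg = parse_cfg(text)
    host = cfg.get("host", "").lower()
    findings = []
    if cfg.get("protocol", "").lower() == "https":
        transport = "https"
        if "path" not in cfg:
            findings.append("protocol=https is set but path= is missing")
        if "ftppath" in cfg:
            findings.append("leftover ftppath= alongside protocol=https")
    elif "ftppath" in cfg:
        transport = "ftp"
        findings.append("active file is fetched over cleartext, unauthenticated FTP")
        if host == RETIRING_FTP_HOST:
            findings.append("host=ftp.isc.org: FTP service is planned to be retired")
    else:
        transport = "other"  # not covered by the thread; left unclassified
    return transport, findings

if __name__ == "__main__":
    for name, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, audit(sample))
```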