Date: Wed, 30 Jun 2004 22:08:23 -0500
From: linuxpackages.net
To: Roy Keene
Subject: Packages and mirror

I sent this email a few days ago and never received an answer. And then today you submit packages to the site with that host. And on top of that you have added your own directory to the mirror. There is no way we can accept packages until you remove the mirror. The security implications alone are huge with what you have done. Putting your directory in the mirror makes it look like your packages have been approved and are hosted on our site. Read the below email and please decide what option you would like to take. The packages will remain in the queue until we get word on which way you wish to go.

Hello,

A current search has produced the site http://slackware.rm-f.net. This site is currently mirroring packages from Linuxpackages.net. As per the use policy and the motd, mirroring of the archive is not authorized unless prior coordination has been made. If the site wishes to become an authorized mirror we can accommodate them and add them to the list of mirrors on the site. As per the use policy, unauthorized mirrors may be billed for the bandwidth utilization based on the size of the archive; it can also result in null routing at all routers within the control of our network. Mirroring the archive but not making it accessible from Linuxpackages does not help the community but takes away the limited bw we and our authorized mirrors have.

Request that coordination be made to either remove the archive and stop mirroring or allow the site to become an authorized mirror for the community. Becoming an authorized mirror helps both parties and the community and could generate additional traffic to your site if that is your wish. To become a mirror we simply need the site to mirror the complete archive and keep the layout as it is on LP and to provide a small graphic for the download page.
The site must also use the master server which is only accessible from rsync and not open to the public. We would also need a point of contact and the geographical location of the server. Again if you are interested in trying it out on a temporary basis let us know.

Thanks
James Simmons
Linuxpackages.net
---------------------------------------------------------------------------
Date: Thu, 1 Jul 2004 11:03:12 -0500 (CDT)
From: Roy Keene
To: Linuxpackages.net
Subject: Re: Packages and mirror

I created my aggregate mirror for several reasons:
a) Linuxpackages.net's mirrors are in general slow.
b) Linuxpackages.net's mirrors sometimes (often?) have broken PACKAGES.TXT (refer to files that don't exist) breaking my automated upgrades.
c) Linuxpackages.net makes it difficult to submit a lot of packages (or any number, really).
d) Linuxpackages.net doesn't include Slackware's official packages and patches.
e) Linuxpackages.net isn't setup to allow specific subtrees to be specified as a `slapt-get' source.

Again, it was intended to be a private mirror -- as far as I know only 5 people used it.

I've deleted the indexes for all Linuxpackages.net packages, removed references to linuxpackages.net in my mirror aggregation script, and will soon be deleting the packages from my mirror.

My mirror never claimed affiliation with linuxpackages.net and I'm not sure how you consider this a security risk.

I would ask that you reject the two packages I have submitted on 30Jun04 at this time.

I'm also not sure where you sent your previous email to, but it never reached me.

If this response is insufficient, please let me know.
---------------------------------------------------------------------------
Date: Thu, 1 Jul 2004 11:47:04 -0500
From: Linuxpackages.net
To: Roy Keene
Subject: Re: Packages and mirror

On Thursday 01 July 2004 11:03 am, you wrote:
> I created my aggregate mirror for several reasons:
> a) Linuxpackages.net's mirrors are in general slow.
We have added some new ones that should help this out. The two latest ones are on very fast connections so again that should help. The one host is actually the same host that does slackware.at.

> b) Linuxpackages.net's mirrors sometimes (often?) have broken
> PACKAGES.TXT (refer to files that don't exist) breaking my automated
> upgrades.
This is the way the file is generated. It will never match the FILELIST.TXT; it is a hard system to maintain as dynamic as the site is. I will see if there is a better way to handle this. We have done some new changes but again the upkeep of these files is very manpower intensive.

> c) Linuxpackages.net makes it difficult to submit a lot of packages (or
> any number, really).
It takes all of 3 min to submit a package. Each package has to be handled individually to ensure it is checked against the standards. The system is setup the way it is on purpose. You may create good packages but there are bunches of people that don't. Having to look at a mass submit of packages from someone that does not create them correctly would take away from valuable time. If we see someone that is creating excellent packages and looks like they are going to stay around for awhile we have ways to handle that. We will not just give someone that submits a few packages this kind of access. Most do not stick with it and do a few and disappear forever. I have been looking at 30+ packages a day as it is and having to reject 75% of those and out of those only a couple will get excellent ratings.

> d) Linuxpackages.net doesn't include Slackware's official packages and
> patches.
No we never have there are plenty of mirrors for that.

> e) Linuxpackages.net isn't setup to allow specific subtrees to be
> specified as a `slapt-get' source.
Yes you have a choice the main archive or a few of the power packages such as Robert.
When someone gets to a certain point and shows they are going to stick around we allow them direct access to post the packages and they can create the support files if they wish. I think Robert is the only one that does this at this time. Again our main purpose is not to be there for swaret or slapt-get or any other package tools. Those are a secondary thing for us and is provided as an additional service but not the main purpose. Using those tools to update without first seeing what may have been posted about the package on the site will result in issues most of the time anyway. And having those do automatic upgrades is like playing with a gun.

>
> Again, it was intended to be a private mirror -- as far as I know only 5
> people used it.
It shows up in google and also was reported to us by other people searching the net and is publicly accessible. The reports also had concerns about security.

>
> I've deleted the indexes for all Linuxpackages.net packages, removed
> references to linuxpackages.net in my mirror aggregation script, and will
> soon be deleting the packages from my mirror.
That is fine and acceptable. If you want to keep them as a private mirror for personal use that is fine.

>
> My mirror never claimed affiliation with linuxpackages.net and I'm not
> sure how you consider this a security risk.
Well it makes the impression that it is a mirror of our archive. As with anything when you start adding directories and files to a mirror you are no longer mirroring anything but modifying it. It would be the same as adding a new directory to the slackware-10.0 directory and having that posted on the internet for people to download. When MD5 sums on the support files stop matching it can no longer be considered a valid mirror and could contain tainted packages. Some people would assume by the looks of it that it is official when it is not.

>
> I would ask that you reject the two packages I have submitted on 30Jun04
> at this time.
I will delete them now.
There are no hard feelings from us, we are just concerned with the security and other issues I outlined in the first email.

>
> I'm also not sure where you sent your previous email to, but it never
> reached me.
>
> If this response is insufficient, please let me know.
It is fine.

>
---------------------------------------------------------------------------
Date: Thu, 18 Nov 2004 16:03:32 -0600 (CST)
From: Roy Keene
To: Linuxpackages.net
Subject: Re: Packages and mirror

Feel free to mirror my packages on your website.
http://slackware.rm-f.net/slackware-10.0/rkeene/

Also, further comments inline below.

On Thu, 1 Jul 2004 tg@linuxpackages.net wrote:

> On Thursday 01 July 2004 11:03 am, you wrote:
> > I created my aggregate mirror for several reasons:
> > a) Linuxpackages.net's mirrors are in general slow.
> We have added some new ones that should help this out. The two latest ones
> are on very fast connections so again that should help. The one host is
> actually the same host that does slackware.at.
>
> > b) Linuxpackages.net's mirrors sometimes (often?) have broken
> > PACKAGES.TXT (refer to files that don't exist) breaking my automated
> > upgrades.
> This is the way the file is generated. It will never match the FILELIST.TXT;
> it is a hard system to maintain as dynamic as the site is. I will see if
> there is a better way to handle this. We have done some new changes but
> again the upkeep of these files is very manpower intensive.

I've been maintaining a working PACKAGES.TXT file fine, it happens automatically every night by a script, I never do anything for it. I am not sure what your problems were.

>
> > c) Linuxpackages.net makes it difficult to submit a lot of packages (or
> > any number, really).
> It takes all of 3 min to submit a package. Each package has to be handled
> individually to ensure it is checked against the standards. The system is
> setup the way it is on purpose. You may create good packages but there are
> bunches of people that don't.
> Having to look at a mass submit of packages
> from someone that does not create them correctly would take away from valuable
> time. If we see someone that is creating excellent packages and looks like
> they are going to stay around for awhile we have ways to handle that. We
> will not just give someone that submits a few packages this kind of access.
> Most do not stick with it and do a few and disappear forever. I have been
> looking at 30+ packages a day as it is and having to reject 75% of those and
> out of those only a couple will get excellent ratings.
>

I'm up to 193 different software packages packaged. 281 packages in total.

archive]# ls -1 *-?rsk.tgz | sed 's@-[0-9].*@@' | sort -u | wc -l
193
archive]# ls -1 *-?rsk.tgz | wc -l
281

> > d) Linuxpackages.net doesn't include Slackware's official packages and
> > patches.
> No we never have there are plenty of mirrors for that.
>
> > e) Linuxpackages.net isn't setup to allow specific subtrees to be
> > specified as a `slapt-get' source.
> Yes you have a choice the main archive or a few of the power packages such as
> Robert. When someone gets to a certain point and shows they are going to stick
> around we allow them direct access to post the packages and they can create
> the support files if they wish. I think Robert is the only one that does
> this at this time. Again our main purpose is not to be there for swaret or
> slapt-get or any other package tools. Those are a secondary thing for us and
> is provided as an additional service but not the main purpose. Using those
> tools to update without first seeing what may have been posted about the
> package on the site will result in issues most of the time anyway. And
> having those do automatic upgrades is like playing with a gun.
>

slapt-get is the only reason I've created these packages, and the only reason I maintain the package server. It's a good system, you should be a part of it.
> >
> > Again, it was intended to be a private mirror -- as far as I know only 5
> > people used it.
> It shows up in google and also was reported to us by other people searching
> the net and is publicly accessible. The reports also had concerns about
> security.
> >
> > I've deleted the indexes for all Linuxpackages.net packages, removed
> > references to linuxpackages.net in my mirror aggregation script, and will
> > soon be deleting the packages from my mirror.
> That is fine and acceptable. If you want to keep them as a private mirror for
> personal use that is fine.
> >
> > My mirror never claimed affiliation with linuxpackages.net and I'm not
> > sure how you consider this a security risk.
> Well it makes the impression that it is a mirror of our archive. As with
> anything when you start adding directories and files to a mirror you are no
> longer mirroring anything but modifying it. It would be the same as adding a
> new directory to the slackware-10.0 directory and having that posted on the
> internet for people to download. When MD5 sums on the support files stop
> matching it can no longer be considered a valid mirror and could contain
> tainted packages. Some people would assume by the looks of it that it is
> official when it is not.
> >
> > I would ask that you reject the two packages I have submitted on 30Jun04
> > at this time.
> I will delete them now. There are no hard feelings from us, we are just
> concerned with the security and other issues I outlined in the first email.
>
---------------------------------------------------------------------------
Date: Thu, 18 Nov 2004 16:19:47 -0600 (CST)
From: Linuxpackages.net
To: Roy Keene
Subject: Re: Packages and mirror

Thanks but we do not mirror untested packages. They must come through the system we have so that they can be checked against the standards of Slackware, Linux and us.
If you wish to submit package please use the web site and the web form for this and if they pass we will gladly add them to the site. Thanks for the information though and good luck.

Jim

> Feel free to mirror my packages on your website.
>
---------------------------------------------------------------------------
Date: Thu, 18 Nov 2004 16:29:49 -0600 (CST)
From: Roy Keene
To: Linuxpackages.net
Subject: Re: Packages and mirror

According to your calculations it would take me over 9hrs 40min to register the 193 up-to-date packages. I'll pass. Good luck on your site.

On Thu, 18 Nov 2004, TG wrote:

> Thanks but we do not mirror untested packages. They must come through the
> system we have so that they can be checked against the standards of
> Slackware, Linux and us. If you wish to submit package please use the web
> site and the web form for this and if they pass we will gladly add them to
> the site. Thanks for the information though and good luck.
>
> Jim
>
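
Added example, not part of the original correspondence and not either party's script: the two integrity problems raised in the thread (a PACKAGES.TXT that refers to files that don't exist, and MD5 sums that stop matching once a mirror is modified) can be checked mechanically. It assumes Slackware-style `PACKAGE NAME:` / `PACKAGE LOCATION:` index fields and an md5sum-format upstream list; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_index(text):
    """Return relative paths named by PACKAGE NAME / PACKAGE LOCATION pairs."""
    paths, name = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "PACKAGE NAME":
            name = value.strip()
        elif key == "PACKAGE LOCATION" and name:
            paths.append(os.path.normpath(os.path.join(value.strip(), name)))
            name = None
    return paths

def parse_md5_list(text):
    """Parse '<md5>  ./path' lines (md5sum output format) into {path: md5}."""
    pairs = (line.split(None, 1) for line in text.splitlines())
    return {os.path.normpath(p[1].strip()): p[0].lower() for p in pairs if len(p) == 2}

def audit_mirror(root, index_text, upstream_md5_text):
    """Classify every package the mirror's index names against the upstream sums."""
    upstream = parse_md5_list(upstream_md5_text)
    report = {"ok": [], "missing": [], "mismatch": [], "not_upstream": []}
    for rel in parse_index(index_text):
        if rel.startswith((os.pardir, os.sep)) or not os.path.isfile(os.path.join(root, rel)):
            report["missing"].append(rel)       # no such file, or path leaves the tree
        elif rel not in upstream:
            report["not_upstream"].append(rel)  # added locally, never vetted upstream
        else:
            with open(os.path.join(root, rel), "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()  # MD5, as in the thread
            report["ok" if digest == upstream[rel] else "mismatch"].append(rel)
    return report

def demo():
    """Audit a small constructed mirror tree (all names and contents are made up)."""
    files = {"net/foo-1.0-i486-1xyz.tgz": b"foo", "net/bar-2.1-i486-1xyz.tgz": b"tampered",
             "local/extra-0.3-i486-1xyz.tgz": b"extra"}
    index = "".join(f"PACKAGE NAME:  {os.path.basename(p)}\nPACKAGE LOCATION:  ./{os.path.dirname(p)}\n\n"
                    for p in [*files, "net/gone-9.9-i486-1xyz.tgz"])
    upstream = (f"{hashlib.md5(b'foo').hexdigest()}  ./net/foo-1.0-i486-1xyz.tgz\n"
                f"{hashlib.md5(b'bar').hexdigest()}  ./net/bar-2.1-i486-1xyz.tgz\n")
    with tempfile.TemporaryDirectory() as root:
        for p, data in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(p)), exist_ok=True)
            with open(os.path.join(root, p), "wb") as fh:
                fh.write(data)
        return audit_mirror(root, index, upstream)
```

`demo()` returns one entry per category: an unchanged package, an altered one, a locally added one, and an index entry with no file behind it. A matching MD5 only shows the file equals the upstream copy by that digest; it is not a signature check.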