Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
> That's the point. You don't need to configure every
> client. Why would anyone want to?

Good configuration management of the network perhaps? ;->

> And the more correct alternative that allows yum to work
> without configuration would be???

FTP -- that's been stated several times now.

The problem only affects HTTP streams. HTTP is not a well defined protocol, too generic, too free-form. Things break over it. Heck, there is an ever sprawling set of APIs for HTTP now -- many incomplete or have various compatibility issues.

Relating this to another thread on security, it's getting to the point that layer-3/4 firewalls are useless, because _everything_ is getting exploited over HTTP. So you should have a dedicated layer-7 gateway for HTTP that _all_ systems communicate through _explicitly_ by default.

> It is no problem for browsers either way.

Now hold on there! Are you _sure_ about that? It really depends exactly _what_ is being serviced over HTTP. Plenty of HTTP services _break_ when transparently proxied.

In fact, in managing a large network, you quickly realize this when you get support calls from people on subnets that are doing stupid things. And that's when I get my baseball bat out. ;->

> What does yum need that browsers don't?

Oh, many, many things. A biggie is that you're transferring files, typically large files. You can have issues doing such with web browsers too.

One would argue that we're getting to the point where WebDAV HTTP would be a far better protocol than just "plain'ole, non-standard HTTP" for file transfers.

> Yes, right *after* there is universal agreement on how to
> auto-configure everything that uses http and ftp to use a
> non-transparent proxy - and the matching code gets added
> everywhere. Meanwhile things that claim to use http should
> work the same way as browsers.

Another alternative would continue to be a local mirror. That addresses all of the suggestions we've seen lately -- from Torrent-based updates to the issue of transparent proxies.

In fact, you just gave "the litmus test." If you have so many systems that adding a proxy line to each of your Linux systems would be a chore, then you have enough systems that you should have a _local_ mirror instead of them all hitting mirror.centos.org.

Let alone that's also "the litmus test" that you should have a formal configuration management system in place to automate configuration changes anyway. But don't get me started on that. ;->

Just another day on the "bitch about what CentOS can't solve" list.

--
Bryan J. Smith | Sent from Yahoo Mail
mailto:b.j.smith@xxxxxxxx | (please excuse any
http://thebs413.blogspot.com/ | missing headers)