On Tue, 2005-11-29 at 12:37, Bryan J. Smith wrote:
> > That's the point. You don't need to configure every
> > client. Why would anyone want to?
>
> Good configuration management of the network perhaps? ;->
There are places where you might want to hand-configure
IP addresses too, but DHCP is a lot handier.
> > And the more correct alternative that allows yum to work
> > without configuration would be???
>
> FTP -- that's been stated several times now.
How is that a solution? Proxies are used where you don't
allow direct outbound access. How do you do ftp without
configuring a proxy on every client?
> Relating this to another thread on security, it's getting to
> the point that layer-3/4 firewalls are useless, because
> _everything_ is getting exploited over HTTP. So you should
> have a dedicated layer-7 gateway for HTTP that _all_ systems
> communicate through _explicitly_ by default.
How do you propose this should work without per-box configuration?
> Now hold on there! Are you _sure_ about that? It really
> depends exactly _what_ is being serviced over HTTP. Plenty
> of HTTP services _break_ when transparently proxied.
OK - ftp breaks when you NAT it too - sometimes.
> > Yes, right *after* there is universal agreement on how to
> > auto-configure everything that uses http and ftp to use a
> > non-transparent proxy - and the matching code gets added
> > everywhere. Meanwhile things that claim to use http should
> > work the same way as browsers.
>
> Another alternative would continue to be a local mirror.
Of what?
> That addresses all of the suggestions we've seen lately --
> from Torrent-based updates to the issue of transparent
> proxies.
Yes, just mirror the whole internet locally - or at least
all yummable repositories...
> In fact, you just gave "the litmus test." If you have so
> many systems that adding a proxy line to each of your Linux
> systems would be a chore, then you have enough systems that
> you should have a _local_ mirror instead of them all hitting
> mirror.centos.org.
And all of the fedora repositories, and all the 3rd party
add on repositories, and the k12ltsp variations, and the
ubuntu/debian apt repositories.
> Let alone that's also "the litmus test" that you should have
> a formal configuration management system in place to automate
> configuration changes anyway. But don't get me started on
> that. ;->
It doesn't make sense to cache things unless at least one
person uses it. The point of the internet is that you can
get the latest when you need it, and the point of a cache
is that only one person has to wait.
> Just another day on the "bitch about what CentOS can't solve"
> list.
Yes, CentOS is as much a victim as the other distros on this
point.
--
Les Mikesell
lesmikesell@xxxxxxxxx
