#Debian has been moving more towards the deb.debian.org mirror which is provided by a single CDN company, #Fastly. It works well, but also feeds an enormous amount of #metadata to a single company, and it can be used to track computers and maybe even people. And the privacy policy in effect is unclear. Fastly says the #privacy policy of the "subscriber" applies, but the privacy policy for deb.debian.org is not listed anywhere I could find. Anyone have any insight here?
@eighthave I don’t even know *why* this happened, really. I cannot imagine the mirror scripts/lists take that much effort to maintain. We’ll keep on providing a mirror and keep on only using what little logs there are for looking at faults or unusual usage.
@interpipes @eighthave Well, maintaining a list of geographically diverse, "blessed" mirrors of consistent quality (that is, good enough to have ftp.*.debian.org point at them without having too many users complain) does take a lot of effort, that noone seems to really be interested in sustaining. The Debian System Administrators (the people who maintain the debian.org systems, and on whom the maintenance of the mirror list has fallen "by default") have decided to focus on maintaining the backends for a couple of CDNs for the user-facing services blessed by debian.org instead.
https://mirror-master.debian.org/status/mirror-status.html gives an idea of the breadth of the issue (for instance, look at the random assortment of versions for the sync scripts). That set of monitoring scripts is what's used to generate the list of mirrors that's shipped with the debian-installer.
As for the deb.debian.org fastly config, it's all in git: https://salsa.debian.org/dsa-team/mirror/cdn-fastly/-/blob/master/services/archive.yaml?ref_type=heads
@olasd @interpipes I understand why DSA would make that choice, I'm not faulting them. My goal is to raise awareness of the advantages and disadvantages of each approach, and to increase user privacy. That requires transparency about what happens with the data and metadata, and commitments from any organizations running the mirrors.
