Background:

I have a couple of Tumbleweed (intel and ARM) machines at work. These are behind the corporate firewall. This firewall scans every file download for viri and the like. If a file is suspect, you don't get it. I have encountered a problem where a couple of openSUSE RPMS look suspicious to this check, and are blocked from download. At least this is what the IT guys feel is happening.

The specific files change. But if a file fails, it will always fail. So it is consistent. For example, at the time of this message, this file is not allowed:

http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...

Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.

I had thought that I would just grab the files from home, put them on my machine, and all will be fine. The problem is that Tumbleweed is quite active. The files change over the day. So getting the ones that cause the complaint is difficult. When I get back to work, new files may complain.

Question:

The IT guys have offered to white list a site where the files will be passed through. So I thought I would suggest download.opensuse.org. The problem is that zypper uses mirrors. So the downloads may not actually come from there. I thought I would just specify a local mirror in the URL.

Unfortunately, mirrors seem not to mirror everything on download.opensuse.org. So, I thought I might use the mirror URL for the repos that the mirror has. But that leaves the other repos. Like http://download.opensuse.org/update/tumbleweed/, which I do not see on the mirrors I have checked.

Is it possible (even though I understand that it is perhaps bad netiquette) to tell zypper to not use a mirror? At least this may allow me to verify that, when white listed, the files from a repo can be obtained.

A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
-- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Hi Roger, [...]
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
wouldn't it be an option for you to create your own internal mirror? Then you could point all your internal SuSE machines to that mirror. Depending on the number of machines this could reduce traffic and - regarding your actual problem - you could mirror from a machine of your choice, which in turn could be whitelisted in the firewall.
-- Roger Oberholtzer
Bye. Michael. -- Michael Hirmke
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke
Hi Roger,
[...]
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list. -- Roger Oberholtzer
On 15.02.2017 12:58, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke
wrote: A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.
If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository 2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server. -- Cahn's Axiom: When all else fails, read the instructions.
On Wed, Feb 15, 2017 at 2:14 PM, Andreas Mahel
On 15.02.2017 12:58, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke
wrote: A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.
If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository
No problem with that.
2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.
That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. So I only need that in the white list. I can't help but think that the mirror activity may be more work against download.opensuse.org than my occasional updates... -- Roger Oberholtzer
On 2017-02-15 at 14:25 +0100, Roger Oberholtzer wrote:
That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. So I only need that in the white list.
No, I think the new files are "pushed" to the mirrors. It would be very bad form to pull from the internal opensuse server. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Hi Roger, [...]
2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.
That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. So I only need that in the white list.
I can't help but think that the mirror activity may be more work against download.opensuse.org than my occasional updates...
this might be, but you can definitely avoid your problem with the firewall scanner by using exactly one external server - or maybe two, if you need packages from more than one server.
-- Roger Oberholtzer
Bye. Michael. -- Michael Hirmke
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 2:14 PM, Andreas Mahel
wrote: On 15.02.2017 12:58, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke
wrote: A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.
If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository
No problem with that.
2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.
That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. So I only need that in the white list.
I can't help but think that the mirror activity may be more work against download.opensuse.org than my occasional updates...
Private and public mirrors are run from different servers, not from download.opensuse.org. -- Per Jessen, Zürich (3.2°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Hi,
On 15.02.2017 12:58, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke
wrote: A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.
If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository 2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.
this was exactly my intention. And this is, what I'm doing here. Bye. Michael. -- Michael Hirmke
On 2017-02-15 at 09:05 +0100, Roger Oberholtzer wrote: ...
I had thought that I would just grab the files from home, put them on my machine, and all will be fine. The problem is that Tumbleweed is quite active. The files change over the day. So getting the ones that cause the complaint is difficult. When I get back to work, new files may complain.
Don't use tumbleweed... :-P
Question:
The IT guys have offered to white list a site where the files will be passed through. So I thought I would suggest download.opensuse.org. The problem is that zypper uses mirrors. So the downloads may not actually come from there. I thought I would just specify a local mirror in the URL.
Unfortunately, mirrors seem not to mirror everything on download.opensuse.org. So, I thought I might use the mirror URL for the repos that the mirror has. But that leaves the other repos. Like http://download.opensuse.org/update/tumbleweed/, which I do not see on the mirrors I have checked.
It would be a question of locating a mirror that contains all you need, or some mirrors.
Is it possible (even though I understand that it is perhaps bad netiquette) to tell zypper to not use a mirror? At least this may allow me to verify that, when white listed, the files from a repo can be obtained.
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.
The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server. Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R.
The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.
Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.
I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror. I guess that would also mean that folks in the area would perhaps be sent here for their files. I'm not sure if that would be popular. Our IT guys are a paranoid lot. Of course, they have chosen Windows as the infrastructure... I had guessed that the mirror redirection was done as you described. Too bad the mirror is not opaque and that the local system still just sees download.opensuse.org. -- Roger Oberholtzer
On 2017-02-15 at 14:56 +0100, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R. wrote:
The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.
Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.
I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror.
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine... Just one machine that is allowed to download files without prior virus scanning, but scanning later and using quarantine, not delete. And scanning specifically for Linux viruses. Hopefully running in Linux. When that machine starts syncing, it has to disable the http server, till the virus scan is run. Notice that this is safer, from a paranoid point of view, than whitelisting a URL...
I had guessed that the mirror redirection was done as you described. Too bad the mirror is not opaque and that the local system still just sees download.opensuse.org.
That's intentional: otherwise it is impossible to find which mirror is misbehaving. Your easier bet is to not use the download at opensuse server, but some of the mirrors directly. A number of them if needed. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
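The scan-after-download mirror described in the message above, as an added example that is not part of the thread or of any openSUSE tooling. The upstream URL, paths, unit name and the reviewed-checksum list (`RELEASED`) are assumptions, and ClamAV's `clamscan` stands in for whatever scanner the site uses.

```sh
#!/bin/sh
# Added example: scan-after-download refresh of an internal mirror.
# UPSTREAM, MIRROR_ROOT, QUARANTINE, RELEASED and HTTP_UNIT are assumed
# values for illustration; none of them come from the thread.
UPSTREAM="${UPSTREAM:-rsync://mirror.example.org/opensuse/tumbleweed/}"
MIRROR_ROOT="${MIRROR_ROOT:-/srv/mirror/tumbleweed}"
QUARANTINE="${QUARANTINE:-/srv/mirror-quarantine}"    # must be outside MIRROR_ROOT
RELEASED="${RELEASED:-/srv/mirror-released.sha256}"   # one reviewed SHA-256 per line
HTTP_UNIT="${HTTP_UNIT:-apache2.service}"

stop_serving()  { systemctl stop "$HTTP_UNIT"; }
start_serving() { systemctl start "$HTTP_UNIT"; }

# Pull the single allow-listed upstream into the mirror tree (still unscanned).
sync_upstream() { rsync -a --delete "$UPSTREAM" "$MIRROR_ROOT/"; }

# Scan one file. Exit status follows clamscan: 0 clean, 1 flagged, 2 error.
scan_file() { clamscan --no-summary "$1" >/dev/null 2>&1; }

# True if an admin has reviewed this exact content and listed its checksum.
is_released() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    grep -qxF "$sum" "$RELEASED" 2>/dev/null
}

# Scan every file under $1. Flagged files are moved, not deleted, to the same
# relative path under $2 so they can be reviewed and released by hand.
# Prints the relative path of each quarantined file; exits 2 on scanner error.
# Assumes file names without newlines, which holds for RPM repositories.
quarantine_flagged() {
    find "$1" -type f | while IFS= read -r path; do
        if is_released "$path"; then continue; fi
        rc=0
        scan_file "$path" || rc=$?
        case $rc in
            0) ;;
            1) rel=${path#"$1"/}
               mkdir -p "$2/$(dirname "$rel")"
               mv "$path" "$2/$rel"
               printf '%s\n' "$rel" ;;
            *) echo "scanner error on $path" >&2
               exit 2 ;;
        esac
    done
}

# Order from the thread: stop serving, sync, scan, and only then serve again.
# Any failure returns early and leaves the HTTP server stopped (fail closed).
refresh_mirror() {
    stop_serving || return 1
    sync_upstream || return 1
    flagged=$(quarantine_flagged "$MIRROR_ROOT" "$QUARANTINE") || return 2
    start_serving || return 1
    [ -z "$flagged" ] || printf '%s\n' "$flagged"
}

# Run only when asked to, so the functions can be sourced and inspected.
if [ "${1:-}" = "--run" ]; then
    refresh_mirror
fi
```

A quarantined package is still listed in the synced repository metadata, so clients fail visibly on that one package until its checksum is added to the reviewed list.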
On 2017-02-15 at 13:14 -0800, John Andersen wrote:
On 02/15/2017 6:42 AM, Carlos E. R. wrote:
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...
Isn't that spelled V P N ?
The DMZ? No. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Wed, Feb 15, 2017 at 10:14 PM, John Andersen
On 02/15/2017 6:42 AM, Carlos E. R. wrote:
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...
DMZ. De-Militarized Zone. Outside the firewall, but not really on the outside. One of our machines. It can provide services that are only on that machine. In our case, my DMZ machine is given very limited access to specific internal machines. -- Roger Oberholtzer
On 2017-02-16 at 07:39 +0100, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 10:14 PM, John Andersen wrote:
On 02/15/2017 6:42 AM, Carlos E. R. wrote:
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...
DMZ. De-Militarized Zone. Outside the firewall, but not really on the outside. One of our machines. It can provide services that are only on that machine. In our case, my DMZ machine is given very limited access to specific internal machines.
Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Thu, Feb 16, 2017 at 12:08 PM, Carlos E. R.
Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community.
If I am not in the DMZ then all I get goes through the scanner. I do not know what it does not check. Security through obscurity. Is it possible to download a file from OBS via something like ssh? I could then get the few failing files this way and keep them in a local repo. The local repo like this works fine - once I have the file in my paws. -- Roger Oberholtzer
On Thu, Feb 16, 2017 at 12:08 PM, Carlos E. R. wrote:
Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community.
If I am not in the DMZ then all I get goes through the scanner. I do not know what it does not check. Security through obscurity.
Ah, I see.
Is it possible to download a file from OBS via something like ssh? I could then get the few failing files this way and keep them in a local repo. The local repo like this works fine - once I have the file in my paws.
Yes, via https from some repos, I think. There was one suggestion on another post via rsync from... You didn't notice this post:
On Thu, Feb 16, 2017 at 9:22 AM, Rüdiger Meier
As a work around you could use rsync to mirror repos from ftp.gwdg.de/pub/opensuse which is encrypted ssh traffic and they would not be able to scan any files. But I'm almost sure that IT guys who are installing useless virus scanners would also block outgoing ports (ssh).
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Thu, Feb 16, 2017 at 6:17 PM, Carlos E. R.
On 2017-02-16 at 15:58 +0100, Roger Oberholtzer wrote:
On Thu, Feb 16, 2017 at 12:08 PM, Carlos E. R. wrote:
Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community.
If I am not in the DMZ then all I get goes through the scanner. I do not know what it does not check. Security through obscurity.
Ah, I see.
Is it possible to download a file from OBS via something like ssh? I could then get the few failing files this way and keep them in a local repo. The local repo like this works fine - once I have the file in my paws.
Yes, via https from some repos, I think. There was one suggestion on another post via rsync from... You didn't notice this post:
Yes I did. So I am thinking I may try to use the usual http for most all things. Then, for the occasional problem packages, rsync that file to a local repo. Then the update can proceed. This could maybe obviate the need for a white list. Unless the scanner recognizes the rsync content as well. I will have to try. -- Roger Oberholtzer
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R.
wrote: The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.
Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.
I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror. I guess that would also mean that folks in the area would perhaps be sent here for their files.
Only if you sign up as an official mirror. If such a machine on the DMZ does not have files scanned, a local mirror sounds like a pretty good idea. -- Per Jessen, Zürich (10.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Roger Oberholtzer wrote:
Background:
I have a couple of Tumbleweed (intel and ARM) machines at work. These are behind the corporate firewall. This firewall scans every file download for viri and the like. If a file is suspect, you don't get it. I have encountered a problem where a couple of openSUSE RPMS look suspicious to this check, and are blocked from download. At least this is what the IT guys feel is happening.
The specific files change. But if a file fails, it will always fail. So it is consistent. For example, at the time of this message, this file is not allowed:
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...
Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
The IT guys have offered to white list a site where the files will be passed through. So I thought I would suggest download.opensuse.org. The problem is that zypper uses mirrors. So the downloads may not actually come from there. I thought I would just specify a local mirror in the URL.
Unfortunately, mirrors seem not to mirror everything on download.opensuse.org.
Correct, the mirror operators decide what they want to mirror. Couldn't you just pick a single mirror that provides tumbleweed/ ? for instance: http://mirrors.se.eu.kernel.org/opensuse/tumbleweed
Is it possible (even though I understand that it is perhaps bad netiquette) to tell zypper to not use a mirror?
Not to my knowledge. mirrorbrain dishes them out, I think it's just an http 302 redirect. -- Per Jessen, Zürich (10.3°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2017-02-15 at 16:34 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...
Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
Can't be, because on retries the chunks would be different, no? And still it triggers the malware block. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 15/02/2017 at 16:43, Carlos E. R. wrote:
Can't be, because on retries the chunks would be different, no? And still it triggers the malware block.
but it's not a malware, but simply a block that triggers with a matching signature :-( jdd
On 2017-02-15 at 16:54 +0100, jdd wrote:
On 15/02/2017 at 16:43, Carlos E. R. wrote:
Can't be, because on retries the chunks would be different, no? And still it triggers the malware block.
but it's not a malware, but simply a block that triggers with a matching signature :-(
Of course. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Carlos E. R. wrote:
On 2017-02-15 at 16:34 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...
Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible. -- Per Jessen, Zürich (9.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2017-02-15 at 17:03 +0100, Per Jessen wrote:
Carlos E. R. wrote:
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
Ah, I see. You mean the chunks would be the same each time. Are you sure the checker can't reconstruct the file? Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind. -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Wed, Feb 15, 2017 at 5:09 PM, Carlos E. R.
On 2017-02-15 at 17:03 +0100, Per Jessen wrote:
Carlos E. R. wrote:
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
Ah, I see. You mean the chunks would be the same each time.
Are you sure the checker can't reconstruct the file? Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind.
IronPort. This download and check by the scanner is what I have been told is done here. The client does not see this. And the files do seem always to stop at >90%. Which I have always thought odd. But when it is checking the files this way, maybe that is what happens. Maybe the check is happy if it just keeps the download from completing. That may be enough to stop most downloads. No idea. -- Roger Oberholtzer
On 02/16/2017 07:35 AM, Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 5:09 PM, Carlos E. R.
wrote:
On 2017-02-15 at 17:03 +0100, Per Jessen wrote:
Carlos E. R. wrote:
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
Ah, I see. You mean the chunks would be the same each time.
Are you sure the checker can't reconstruct the file? Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind.
IronPort. This download and check by the scanner is what I have been told is done here. The client does not see this.
And the files do seem always to stop at >90%. Which I have always thought odd. But when it is checking the files this way, maybe that is what happens. Maybe the check is happy if it just keeps the download from completing. That may be enough to stop most downloads. No idea.
To be honest. Your IT guys should just fix, disable or replace their scanner. They are professionals and shouldn't have installed such a broken scanner in the first place. As a work around you could use rsync to mirror repos from ftp.gwdg.de/pub/opensuse which is encrypted ssh traffic and they would not be able to scan any files. But I'm almost sure that IT guys who are installing useless virus scanners would also block outgoing ports (ssh).
cu, Rudi
As a work around you could use rsync to mirror repos from ftp.gwdg.de/pub/opensuse which is encrypted ssh traffic and they would not be able to scan any files. But I'm almost sure that IT guys who are installing useless virus scanners would also block outgoing ports (ssh).
A very good idea, IMO, worth trying. But telling the IT guys to allow all downloads from that server to his machine to be cleared achieves the same end. It means not using the opensuse download link, but a fixed mirror.
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 02/16/2017 12:20 PM, Carlos E. R. wrote:
But telling the IT guys to allow all downloads from that server to his machine to be cleared achieves the same end. It means not using the opensuse download link, but a fixed mirror.
Yes but their scanner would probably still block many other harmless files. Just annoying for users. BTW if IT security policy does not allow files with "certain" content then they should be straight. If they would whitelist http://ftp.gwdg.de/pub/ then they explicitly allow downloading "viruses". Any person on earth is somehow able to upload everything to that ftp mirror. So if the scanner is too restrictive then they have to fix it rather than whitelisting any server. Actually it could be that some companies have the policy to not allow _any_ 3rd party executables neither via download, nor email nor USB-Sticks. If they want to whitelist something then they should better whitelist per user, trust "roger" or "root"(zypper).
cu, Rudi
On Thu, Feb 16, 2017 at 9:22 AM, Rüdiger Meier wrote:
As a work around you could use rsync to mirror repos from ftp.gwdg.de/pub/opensuse which is encrypted ssh traffic and they would not be able to scan any files. But I'm almost sure that IT guys who are installing useless virus scanners would also block outgoing ports (ssh).
My Tumbleweed install added (which is not shown in mirrors):
http://download.opensuse.org/update/tumbleweed/
This seems to really be (which is shown in mirrors):
http://download.opensuse.org/repositories/openSUSE:/Factory:/Update/standard...
Why is this added? The files there seem not to be installed. If I point at a mirror, I will not see update/tumbleweed/. I am guessing that mirrorbrain points to the actual location on the mirror, not a shortcut as is found on download.opensuse.org. So I would need to change http://download.opensuse.org/update/tumbleweed/ to http://download.mirror.zzz/repositories/openSUSE:/Factory:/Update/standard/ Or not?
-- Roger Oberholtzer
Roger Oberholtzer wrote:
On Thu, Feb 16, 2017 at 9:22 AM, Rüdiger Meier wrote:
As a work around you could use rsync to mirror repos from ftp.gwdg.de/pub/opensuse which is encrypted ssh traffic and they would not be able to scan any files. But I'm almost sure that IT guys who are installing useless virus scanners would also block outgoing ports (ssh).
My Tumbleweed install added (which is not shown in mirrors):
http://download.opensuse.org/update/tumbleweed/
This seems to really be (which is shown in mirrors):
http://download.opensuse.org/repositories/openSUSE:/Factory:/Update/standard...
Yes, the former just redirects to the latter.
Why is this added? The files there seem not to be installed. If I point at a mirror, I will not see update/tumbleweed/. I am guessing that mirrorbrain points to the actual location on the mirror, not a shortcut as is found on download.opensuse.org. So I would need to change http://download.opensuse.org/update/tumbleweed/ to http://download.mirror.zzz/repositories/openSUSE:/Factory:/Update/standard/
Yup. (are there actually updates published for TW?)
-- Per Jessen, Zürich (11.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
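The repo change Roger describes and Per confirms above, as an added example that is not part of any message in the thread: shell functions that rewrite `baseurl=` lines from download.opensuse.org to one mirror, map update/tumbleweed/ to the real path, and list the hosts left to whitelist. The .repo contents are constructed samples, the function names are hypothetical, and download.mirror.zzz is the placeholder host from Roger's message.

```shell
#!/bin/sh
# Added example: pin zypper repos to one mirror so that a single host can be
# whitelisted. It edits a scratch copy; nothing under /etc/zypp is touched.

# Write two constructed .repo files (same key=value layout zypper uses in
# /etc/zypp/repos.d) into directory $1.
make_sample_repos() {
    cat > "$1/repo-oss.repo" <<'EOF'
[repo-oss]
name=openSUSE-Tumbleweed-Oss
enabled=1
baseurl=http://download.opensuse.org/tumbleweed/repo/oss/
gpgcheck=1
EOF
    cat > "$1/repo-update.repo" <<'EOF'
[repo-update]
name=openSUSE-Tumbleweed-Update
enabled=1
baseurl=http://download.opensuse.org/update/tumbleweed/
gpgcheck=1
EOF
}

# Rewrite every baseurl= that points at download.opensuse.org.
#   $1 = directory holding *.repo files
#   $2 = mirror base URL (assumption: the mirror keeps the same tree below it)
pin_repos() {
    dir=$1
    # Drop a trailing slash, then escape characters special to sed's s|||.
    mirror=$(printf '%s' "${2%/}" | sed 's/[&|\\]/\\&/g')
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # First rule: update/tumbleweed/ is only a redirect on the main site,
        # so it is replaced by the real path named in the thread.
        # Second rule: all other paths keep their suffix under the mirror.
        sed -e "s|^baseurl=http://download\.opensuse\.org/update/tumbleweed/*\$|baseurl=$mirror/repositories/openSUSE:/Factory:/Update/standard/|" \
            -e "s|^baseurl=http://download\.opensuse\.org/|baseurl=$mirror/|" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Print the distinct hosts the repos now download from: the list to hand to
# whoever maintains the proxy whitelist.
repo_hosts() {
    cat "$1"/*.repo 2>/dev/null |
        sed -n 's|^baseurl=[a-z]*://\([^/]*\)/.*|\1|p' | sort -u
}

# Demo on a scratch directory. download.mirror.zzz is the placeholder host
# from the thread, not a real mirror.
demo=$(mktemp -d)
make_sample_repos "$demo"
pin_repos "$demo" "http://download.mirror.zzz"
grep -h '^baseurl=' "$demo"/*.repo
echo "hosts to whitelist: $(repo_hosts "$demo")"
rm -rf "$demo"
# With the real files pinned, the thread's command stays as it is:
#   ZYPP_MULTICURL=0 zypper dup --no-allow-vendor-change
```

Only the `baseurl=` lines change; `gpgcheck=1` and the other keys are left as they were.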
On 2017-02-16 at 17:00 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
On Thu, Feb 16, 2017 at 9:22 AM, Rüdiger Meier wrote:
Why is this added? The files there seem not to be installed. If I point at a mirror, I will not see update/tumbleweed/. I am guessing that mirrorbrain points to the actual location on the mirror, not a shortcut as is found on download.opensuse.org. So I would need to change http://download.opensuse.org/update/tumbleweed/ to http://download.mirror.zzz/repositories/openSUSE:/Factory:/Update/standard/
Yup. (are there actually updates published for TW?)
Yes. Rarely, but yes. Sometimes they pass a bad package the normal way, the problem is critical, and they do a patch on the update repo.
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Thursday, 16 February 2017 18:13:02, Carlos E. R. wrote:
On 2017-02-16 at 17:00 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
On Thu, Feb 16, 2017 at 9:22 AM, Rüdiger Meier wrote:
Why is this added? The files there seem not to be installed. If I point at a mirror, I will not see update/tumbleweed/. I am guessing that mirrorbrain points to the actual location on the mirror, not a shortcut as is found on download.opensuse.org. So I would need to change http://download.opensuse.org/update/tumbleweed/ to http://download.mirror.zzz/repositories/openSUSE:/Factory:/Update/standard/
Yup. (are there actually updates published for TW?)
Yes. Rarely, but yes.
Sometimes they pass a bad package the normal way, the problem is critical, and they do a patch on the update repo.
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
In fact, I found out today that this is the only repo for Tumbleweed where https has not been activated.
Carlos E. R. wrote:
On 2017-02-15 at 17:03 +0100, Per Jessen wrote:
Carlos E. R. wrote:
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
Ah, I see. You mean the chunks would be the same each time.
Are you sure the checker can't reconstruct the file?
well, 99% certain. The checker only sees a URL and a range-spec (segment begin+length). There is no way for the checker to know that 2 segments from 2 different URLs belong to the same file. Imagine:
http://mirror1.hs-esslingen.de/pub/Mirrors/ftp.opensuse.org/../kernel-pae-4.... (begin+length)
http://mirror.karneval.cz/pub/linux/opensuse/.../kernel-pae-4.9.9-1.1.i686.r... (begin+length)
Matching on {filename,client-ip} is not sufficient.
Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind.
I think Roger said they have Ironport. It isn't about "downloads", it's simply about accessing files, could be streaming, for browsing, anything. youtube uses chunking too, for instance. The chunks can still be cached, btw.
-- Per Jessen, Zürich (3.2°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Carlos E. R. wrote:
Ah, I see. You mean the chunks would be the same each time.
Are you sure the checker can't reconstruct the file?
well, 99% certain. The checker only sees a URL and a range-spec (segment begin+length). There is no way for the checker to know that 2 segments from 2 different URLs belong to the same file.
It could decide to download the entire file for each partial request... that would be a heavy load, though.
Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind.
I think Roger said they have Ironport. It isn't about "downloads", it's simply about accessing files, could be streaming, for browsing, anything. youtube uses chunking too, for instance. The chunks can still be cached, btw.
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Wed, Feb 15, 2017 at 5:03 PM, Per Jessen wrote:
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
-- Roger Oberholtzer
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 5:03 PM, Per Jessen wrote:
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
If you use ZYPP_MULTICURL=0, most downloads fail? Even just from a browser, for instance?
-- Per Jessen, Zürich (3.4°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2017-02-16 at 09:03 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 5:03 PM, Per Jessen wrote:
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
If you use ZYPP_MULTICURL=0, most downloads fail? Even just from a browser, for instance?
I understand that if he does not use ZYPP_MULTICURL=0, zypper/yast fails. ie, he disables chunking. Could be that ironport tries to download the entire file for each chunk request in order to examine it.
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Carlos E. R. wrote:
On 2017-02-16 at 09:03 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 5:03 PM, Per Jessen wrote:
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
If you use ZYPP_MULTICURL=0, most downloads fail? Even just from a browser, for instance?
I understand that if he does not use ZYPP_MULTICURL=0, zypper/yast fails. ie, he disables chunking.
Could be that ironport tries to download the entire file for each chunk request in order to examine it.
That would certainly slow down things :-) I doubt it, but I agree, it's possible.
-- Per Jessen, Zürich (7.5°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2017-02-16 at 12:27 +0100, Per Jessen wrote:
Carlos E. R. wrote:
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
ZYPP_MULTICURL=0 Turn off multicurl (metalink and zsync) and fall back to plain libcurl.
If you use ZYPP_MULTICURL=0, most downloads fail? Even just from a browser, for instance?
I understand that if he does not use ZYPP_MULTICURL=0, zypper/yast fails. ie, he disables chunking.
Could be that ironport tries to download the entire file for each chunk request in order to examine it.
That would certainly slow down things :-) I doubt it, but I agree, it's possible.
I seem to recall that he said that previously downloads would stall. If that's true, it matches.
-- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On Thu, Feb 16, 2017 at 9:03 AM, Per Jessen wrote:
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 5:03 PM, Per Jessen wrote:
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
If you use ZYPP_MULTICURL=0, most downloads fail? Even just from a browser, for instance?
If I do not use it most downloads fail. I have to have it here at work for most all downloads (except the few that caused this post). This results in the download of a specific file always coming from the same server. IIRC the problem is that the IronPort does not honor a http option when downloading from multiple sources, and so it fails.
-- Roger Oberholtzer
Roger Oberholtzer wrote:
On Thu, Feb 16, 2017 at 9:03 AM, Per Jessen wrote:
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 5:03 PM, Per Jessen wrote:
Can't be, because on retries the chunks would be different, no?
No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.
http://doc.opensuse.org/projects/libzypp/13.1/zypp-envars.html
I currently use ZYPP_MULTICURL or most all fails.
If you use ZYPP_MULTICURL=0, most downloads fail? Even just from a browser, for instance?
If I do not use it most downloads fail. I have to have it here at work for most all downloads (except the few that caused this post). This results in the download of a specific file always coming from the same server. IIRC the problem is that the IronPort does not honor a http option when downloading from multiple sources, and so it fails.
Ah okay, I get it. It is odd that some files are being wrongly identified as "unwanted", you have to wonder what sort of criteria or signatures the Ironport uses. Still, the offer of whitelisting a particular mirror seems good, doesn't that solve the problem for you?
-- Per Jessen, Zürich (11.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 16/02/2017 at 16:22, Per Jessen wrote:
Still, the offer of whitelisting a particular mirror seems good, doesn't that solve the problem for you?
not all files come from the same server
jdd
jdd wrote:
On 16/02/2017 at 16:22, Per Jessen wrote:
Still, the offer of whitelisting a particular mirror seems good, doesn't that solve the problem for you?
not all files come from the same server
If Roger only lists a single server as a source, surely all files will come from that server. I thought Roger needed Tumbleweed, I'm sure there is a single mirror out there that can provide that. Unless I misunderstood something. Is this not a complete TW mirror for instance?
http://mirrors.se.eu.kernel.org/opensuse/tumbleweed/repo/oss
-- Per Jessen, Zürich (11.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 16/02/2017 at 16:56, Per Jessen wrote:
jdd wrote:
On 16/02/2017 at 16:22, Per Jessen wrote:
Still, the offer of whitelisting a particular mirror seems good, doesn't that solve the problem for you?
not all files come from the same server
If Roger only lists a single server as a source, surely all files will come from that server. I thought Roger needed Tumbleweed, I'm sure there is a single mirror out there that can provide that. Unless I misunderstood something.
Is this not a complete TW mirror for instance?
http://mirrors.se.eu.kernel.org/opensuse/tumbleweed/repo/oss
don't know the initial message https://lists.opensuse.org/opensuse/2017-02/msg00398.html
jdd
On Thu, Feb 16, 2017 at 4:56 PM, Per Jessen wrote:
http://mirrors.se.eu.kernel.org/opensuse/tumbleweed/repo/oss
That is the place I am thinking of using. What will remain are things in my own OBS account that are not mirrored. The only mirror I see for those is http://ftp.gwdg.de/pub/opensuse/repositories/home: So I can either add that, or download.opensuse.org and mirror my own stuff on OBS locally.
-- Roger Oberholtzer
Roger Oberholtzer wrote:
On Thu, Feb 16, 2017 at 4:56 PM, Per Jessen wrote:
http://mirrors.se.eu.kernel.org/opensuse/tumbleweed/repo/oss
That is the place I am thinking of using.
What will remain are things in my own OBS account that are not mirrored. The only mirror I see for those is http://ftp.gwdg.de/pub/opensuse/repositories/home:
You can rsync all of home: (or just your own) from rsync.opensuse.org::buildservice-repos - I don't know if rsync is available to you? (firewall-wise).
-- Per Jessen, Zürich (10.3°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Wed, Feb 15, 2017 at 4:43 PM, Carlos E. R. wrote:
On 2017-02-15 at 16:34 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...
Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
my command is always:
ZYPP_MULTICURL=0 zypper dup --no-allow-vendor-change
Without ZYPP_MULTICURL most downloads fail. Also, the scan seems to act on chunks of files. After it has parts of the files, it does the scan, and then returns the 'safe' bits. It is a Cisco IronPort. Or, at least I know we have an IronPort for many checks. I am not positive that it is used in this case. The IT guys are sometimes rather secretive.
-- Roger Oberholtzer
Roger Oberholtzer wrote:
On Wed, Feb 15, 2017 at 4:43 PM, Carlos E. R. wrote:
On 2017-02-15 at 16:34 +0100, Per Jessen wrote:
Roger Oberholtzer wrote:
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...
Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.
my command is always:
ZYPP_MULTICURL=0 zypper dup --no-allow-vendor-change
Without ZYPP_MULTICURL most downloads fail.
Aha. So no chunked downloading. I guess on your end, you just see the failures, but no indicators as to why? Seems like you ought to be able to open a trouble ticket "this url fails to download".
-- Per Jessen, Zürich (3.2°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Per Jessen wrote:
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file
There is obviously some threshold size that determines whether it is chunked or not. Dunno what it is.
-- Per Jessen, Zürich (10.5°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
I'm surprised to see that tumbleweed is not completely mirrored in any mirror... As you seem to work for a big business, maybe you could pick the nearest mirror (network related), verify the content and eventually ask the mirror admin what happens, with some chance of being heard. Maybe it's only an update delay that makes some mirrors be a bit late in sync. Maybe you could obtain from your admins to become a true openSUSE mirror :-)
good luck
jdd
participants (9)
- Andreas Mahel
- Carlos E. R.
- jdd
- John Andersen
- mh@mike.franken.de
- Per Jessen
- Roger Oberholtzer
- Rüdiger Meier
- stakanov