[opensuse] mirrors

Roger Oberholtzer

15 Feb 2017 15 Feb '17

08:05

Background: I have a couple of Tumbleweed (intel and ARM) machines at work. These are behind the corporate firewall. This firewall scans every file download for viri and the like. If a file is suspect, you don't get it. I have encountered a problem where a couple of openSUSE RPMS look suspicious to this check, and are blocked from download. At least this is what the IT guys feel is happening. The specific files change. But if a file fails, it will always fail. So it is consistent. For example, at the time of this message, this file is not allowed: http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-... Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally. I had thought that I would just grab the files from home, put them on my machine, and all will be fine. The problem is that Tumbleweed is quite active. The files change over the day. So getting the ones that cause the complaint is difficult. When I get back to work, new files may complain. Question: The IT guys have offered to white list a site where the files will be passed through. So I thought I would suggest download.opensuse.org. The problem is that zypper uses mirrors. So the downloads may not actually come from there. I thought I would just specify a local mirror in the URL. Unfortunately, mirrors seem not to mirror everything on download.opensuse.org. So, I thought I might use the mirror URL for the repos that the mirror has. But that leaves the other repos. Like http://download.opensuse.org/update/tumbleweed/, which I do not see on the mirrors I have checked. Is it possible (even though I understand that it is perhaps bad netiquette) to tell zypper to not use a mirror? At least this may allow me to verify that, when white listed, the files from a repo can be obtained. A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Show replies by date

mh＠mike.franken.de

15 Feb 15 Feb

10:57

Hi Roger, [...]

...

A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

wouldn't it be an option for you to create your own internal mirror? Then you could point all your internal SuSE machines to that mirror. Depending on the number of machines this could reduce traffic and - regarding your actual problem - you could mirror from a machine of your choice, which in turn could be whitelisted in the firewall.

...

-- Roger Oberholtzer

Bye. Michael. -- Michael Hirmke -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

11:58

On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke wrote:

...

Hi Roger,

[...]

...
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Andreas Mahel

13:14

On 15.02.2017 12:58, Roger Oberholtzer wrote:

...

On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke wrote:

...
...
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.

If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository 2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server. -- Cahn's Axiom: When all else fails, read the instructions. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

13:25

On Wed, Feb 15, 2017 at 2:14 PM, Andreas Mahel wrote:

...

On 15.02.2017 12:58, Roger Oberholtzer wrote:

...
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke wrote:

...
...
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.

If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository

No problem with that.

...

2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.

That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. SO I only need that in the white list. I can't help but think that the mirror activity may be more work against download.opensuse.org than my occasional updates... -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

13:33

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 14:25 +0100, Roger Oberholtzer escribió:

...

That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. SO I only need that in the white list.

No, I think the new files are "pushed" to the mirrors. It would be very bad form to pull from the internal opensuse server. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlikWJcACgkQja8UbcUWM1wsHgD9GNTVhfstegQaUluVmeoe0puw rVgfK8e6/cVhuBY5ZAwA/jgBzc9uEwUC42fIXwr2c/sTdk19gUUNcI4i67G9yhM9 =VCVA -----END PGP SIGNATURE-----

mh＠mike.franken.de

14:01

Hi Roger, [...]

...

...
2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.

...

That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. SO I only need that in the white list.

...

I can't help but think that the mirror activity may be more work against download.opensuse.org than my occasional updates...

this might be, but you can definitely avoid your problem with the firewall scanner by using exactly one external server - or maybe two, if you need packages from more than one server.

...

-- Roger Oberholtzer

Bye. Michael. -- Michael Hirmke -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Per Jessen

16 Feb 16 Feb

08:07

Roger Oberholtzer wrote:

...

On Wed, Feb 15, 2017 at 2:14 PM, Andreas Mahel wrote:

...
On 15.02.2017 12:58, Roger Oberholtzer wrote:

...
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke wrote:

...
...
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.

If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository

No problem with that.

...
2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.

That is still the question: since all repos are not on all mirrors (like the one I mentioned - but there are many more), I would still need to get the mirror software to talk to an external server. I guess the idea is that mirrors always get data from download.opensuse.org and never from a mirror. SO I only need that in the white list.

I can't help but think that the mirror activity may be more work against download.opensuse.org than my occasional updates...

Private and public mirrors are run from different servers, not from download.opensuse.org. -- Per Jessen, Zürich (3.2°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

mh＠mike.franken.de

15 Feb 15 Feb

14:00

Hi,

...

On 15.02.2017 12:58, Roger Oberholtzer wrote:

...
On Wed, Feb 15, 2017 at 11:57 AM, Michael Hirmke wrote:

...
...
A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

I cannot populate my mirror because I would have to load the files via the same file checker. Every file is checked. My mirror would not contain the suspect files. They are simply not let pass. Unless the external source is on the white list.

...

If I read Michael's mail correctly, the intention was to split the issue in two aspects. 1. Avoid zypper using random mirrors by pointing it to the one and only internal mirror repository 2. Limit the firewall exception to exactly one external repo server from which you then mirror the data to your local server.

this was exactly my intention. And this is, what I'm doing here. Bye. Michael. -- Michael Hirmke -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

13:30

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 09:05 +0100, Roger Oberholtzer escribió: ...

...

I had thought that I would just grab the files from home, put them on my machine, and all will be fine. The problem is that Tumbleweed is quite active. The files change over the day. So getting the ones that cause the complaint is difficult. When I get back to work, new files may complain.

Don't use tumbleweed... :-P

...

Question:

The IT guys have offered to white list a site where the files will be passed through. So I thought I would suggest download.opensuse.org. The problem is that zypper uses mirrors. So the downloads may not actually come from there. I thought I would just specify a local mirror in the URL.

Unfortunately, mirrors seem not to mirror everything on download.opensuse.org. So, I thought I might use the mirror URL for the repos that the mirror has. But that leaves the other repos. Like http://download.opensuse.org/update/tumbleweed/, which I do not see on the mirrors I have checked.

It would be a question of locating a mirror that contains all you need, or some mirrors.

...

Is it possible (even though I understand that it is perhaps bad netiquette) to tell zypper to not use a mirror? At least this may allow me to verify that, when white listed, the files from a repo can be obtained.

A nice feature for zypper could be that it tries a mirror, and after a couple failures, it tries the specified repo before failing.

The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server. Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlikV/sACgkQja8UbcUWM1wAZwEAiViOZjWK0pD1sRwlr9VpD8/g /lt8HfxjFzV0TyVw8REA+gPyB+Ut7gdBWbnHRokIZcx+zaF9W5p9X7UmHk6gKicc =lEP5 -----END PGP SIGNATURE-----

Roger Oberholtzer

13:56

On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R. wrote:

...

The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.

Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.

I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror. I guess that would also mean that folks in the area would perhaps be sent here for their files. I'm not sure if that would be popular. Our IT guys are a paranoid lot. Of course, they have chosen Windows as the infrastructure... I had guessed that the mirror redirection was done as you described. Too bad the mirror is not opaque and that the local system still just sees download.opensuse.org. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

14:42

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 14:56 +0100, Roger Oberholtzer escribió:

...

On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R. <> wrote:

...
The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.

Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.

I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror.

I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine... Just one machine that is allowed to download files without prior scanning virus, but scanning later and using quarantine, not delete. And scanning specifically for Linux viruses. Hopefully running in Linux. When that machine starts syncing, it has to disable http server, till the virus scan is run. Notice that this is safer, from paranoid point of view, than whitelisting an URL...

...

I had guessed that the mirror redirection was done as you described. Too bad the mirror is not opaque and that the local system still just sees download.opensuse.org.

That's intentional: otherwise it is impossible to find which mirror is misbehaving. Your easier bet is to not use the download at opensuse server, but some of the mirrors directly. A number of them if needed. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlikaNEACgkQja8UbcUWM1yfJgD/fbrPkpX1jzEoFpJVrm3nBX3I UcsFYNBiLDDrhLkiR68A/Au6W/fQ8MOC/oZAAtVlYjEQdmm/jINzQ72v/agmeV46 =6j81 -----END PGP SIGNATURE-----

John Andersen

21:14

On 02/15/2017 6:42 AM, Carlos E. R. wrote:

...

I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...

Isn't that spelled V P N ? -- _____________________________________ ---This space for rent---

Carlos E. R.

22:11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 13:14 -0800, John Andersen escribió:

...

On 02/15/2017 6:42 AM, Carlos E. R. wrote:

...
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...

Isn't that spelled V P N ?

The DMZ? No. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlik0hkACgkQja8UbcUWM1y0LgD/aNVOTlIRuH+fTXbj9APgyUp+ /RZSFSKju0wzHK0oCvsA/jD8xGYFI8WnjX8kpt6W/gytdPBZxQwPYZboM0bbajlQ =3tTQ -----END PGP SIGNATURE-----

Roger Oberholtzer

16 Feb 16 Feb

06:39

On Wed, Feb 15, 2017 at 10:14 PM, John Andersen wrote:

...

On 02/15/2017 6:42 AM, Carlos E. R. wrote:

...
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...

DMZ. De-Militarized Zone. Outside the firewall, but not really on the outside. One of our machines. It can provide services that are only on that machine. In our case, my DMZ machine is given very limited access to specific internal machines. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

11:08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-16 a las 07:39 +0100, Roger Oberholtzer escribió:

...

On Wed, Feb 15, 2017 at 10:14 PM, John Andersen <> wrote:

...
On 02/15/2017 6:42 AM, Carlos E. R. wrote:

...
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine...

DMZ. De-Militarized Zone. Outside the firewall, but not really on the outside. One of our machines. It can provide services that are only on that machine. In our case, my DMZ machine is given very limited access to specific internal machines.

Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAliliCIACgkQja8UbcUWM1wHiQD+NZMlKaxkhQegDLdclasynnFp NM248GYHnBOai+2yGnMA/124J3lUZZImfPA83T50gx7CfOu9Q2kfLk2F0BNZhpWi =3MnX -----END PGP SIGNATURE-----

Roger Oberholtzer

14:58

On Thu, Feb 16, 2017 at 12:08 PM, Carlos E. R. wrote:

...

Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community.

If I am not in the DMZ then all I get goes through the scanner. I do not know what it does not check. Security through obscurity. Is it possible to download a file from OBS via something like ssh? I could then get the few failing files this way and keep them in a local repo. The local repo like this works fine - once I have the file in my paws. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

17:17

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Content-ID: El 2017-02-16 a las 15:58 +0100, Roger Oberholtzer escribió:

...

On Thu, Feb 16, 2017 at 12:08 PM, Carlos E. R. <> wrote:

...
Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community.

If I am not in the DMZ then all I get goes through the scanner. I do not know what it does not check. Security through obscurity.

Ah, I see.

...

Is it possible to download a file from OBS via something like ssh? I could then get the few failing files this way and keep them in a local repo. The local repo like this works fine - once I have the file in my paws.

Yes, via https from some repos, I think. There was one suggestion on another post via rsync from... You didn't notice this post: On Thu, Feb 16, 2017 at 9:22 AM, Rüdiger Meier wrote:

...

As a work around you could use rsync to mirror repos from ftp.gwdg.de/pub/opensuse which is encrypted ssh traffic and they would not be able to scan any files. But I'm almost sure that IT guys who are installing useless virus scanners would also block outgoing ports (ssh).

- -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlil3sIACgkQja8UbcUWM1w5ugEAi8xerVwfuF2SnoAg2b4Nigx7 a3Z+mtUtOxYr52pkGlUA/A+A9ef2l/PD6Ys47WER9xBV0FE+aWrTcXRpiXbvYt1+ =sbGu -----END PGP SIGNATURE-----

Roger Oberholtzer

17 Feb 17 Feb

07:12

On Thu, Feb 16, 2017 at 6:17 PM, Carlos E. R. wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Content-ID:

El 2017-02-16 a las 15:58 +0100, Roger Oberholtzer escribió:

...
On Thu, Feb 16, 2017 at 12:08 PM, Carlos E. R. <> wrote:

...
Yes, I know what DMZ is :-) You don't need the mirror to be on the DMZ, unless you are thinking of providing a mirror for the community.

If I am not in the DMZ then all I get goes through the scanner. I do not know what it does not check. Security through obscurity.

Ah, I see.

...
Is it possible to download a file from OBS via something like ssh? I could then get the few failing files this way and keep them in a local repo. The local repo like this works fine - once I have the file in my paws.

Yes, via https from some repos, I think. There was one suggestion on another post via rsync from... You didn't notice this post:

Yes I did. So I am thinking I may try to use the usual http for most all things. Then, for the occasional problem packages, rsync that file to a local repo. Then the update can proceed. This could maybe obviate the need for a white list. Unless the scanner recognizes the rsync content as well. I will have to try. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Per Jessen

15 Feb 15 Feb

15:38

Roger Oberholtzer wrote:

...

On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R. wrote:

...
The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.

Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.

I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror. I guess that would also mean that folks in the area would perhaps be sent here for their files.

Only if you sign up as an official mirror. If such a machine on the DMZ does not have files scanned, a local mirror sounds like a pretty good idea. -- Per Jessen, Zürich (10.4°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Per Jessen

15:34

Roger Oberholtzer wrote:

...

Background:

I have a couple of Tumbleweed (intel and ARM) machines at work. These are behind the corporate firewall. This firewall scans every file download for viri and the like. If a file is suspect, you don't get it. I have encountered a problem where a couple of openSUSE RPMS look suspicious to this check, and are blocked from download. At least this is what the IT guys feel is happening.

The specific files change. But if a file fails, it will always fail. So it is consistent. For example, at the time of this message, this file is not allowed:

http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...

Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.

That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.

...

The IT guys have offered to white list a site where the files will be passed through. So I thought I would suggest download.opensuse.org. The problem is that zypper uses mirrors. So the downloads may not actually come from there. I thought I would just specify a local mirror in the URL.

Unfortunately, mirrors seem not to mirror everything on download.opensuse.org.

Correct, the mirror operators decide what they want to mirror. Couldn't you just pick a single mirror that provides tumbleweed/ ? for instance: http://mirrors.se.eu.kernel.org/opensuse/tumbleweed

...

Is it possible (even though I understand that it is perhaps bad netiquette) to tell zypper to not use a mirror?

Not to my knowledge. mirrorbrain dishes them out, I think it's just an http 302 redirect. -- Per Jessen, Zürich (10.3°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

15:43

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 16:34 +0100, Per Jessen escribió:

...

Roger Oberholtzer wrote:

...

...
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...

Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.

That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.

Can't be, because on retries the chunks would be different, no? And still it trigers the malware block. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlikdzIACgkQja8UbcUWM1yDxQD5AakyROHfmC1BlruZT55BhOp8 BFwSBlx1/bZM7buk3wkA/0wFLJsfogqwMfOSZ1ZP6KRPsKTYbpjKK126WsqSTW+R =UYeE -----END PGP SIGNATURE-----

jdd

15:54

Le 15/02/2017 à 16:43, Carlos E. R. a écrit :

...

Can't be, because on retries the chunks would be different, no? And still it trigers the malware block.

but it's not a malware, but simply a block that trigger with a matching signature :-( jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

16:06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 16:54 +0100, jdd escribió:

...

Le 15/02/2017 à 16:43, Carlos E. R. a écrit :

...
Can't be, because on retries the chunks would be different, no? And still it trigers the malware block.

but it's not a malware, but simply a block that trigger with a matching signature :-(

Of course. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlikfIsACgkQja8UbcUWM1wUGAEAnmdcYKJeUewMUfXSiK3Y/VCL 8WtRp+/LgqKo0Lgb1OsA/0AqfmR2gl/MUJITp/G5KEqIzrrkIOk6TzRNCZL1MTy4 =vF+D -----END PGP SIGNATURE-----

Per Jessen

16:03

Carlos E. R. wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

El 2017-02-15 a las 16:34 +0100, Per Jessen escribió:

...
Roger Oberholtzer wrote:

...
...
http://download.opensuse.org/tumbleweed/repo/oss/suse/i686/kernel-pae-4.9.9-...

Another unpopular file is kernel-firmware. And, the Windows versions of Tcl and Tk. But others pop up occasionally.

That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.

Can't be, because on retries the chunks would be different, no?

No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible. -- Per Jessen, Zürich (9.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

16:09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2017-02-15 a las 17:03 +0100, Per Jessen escribió:

...

Carlos E. R. wrote:

...

...
...
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.

Can't be, because on retries the chunks would be different, no?

No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.

Ah, I see. You mean the chunks would be the same each time. Are you sure the checker can't reconstruct the file? Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind. - -- Cheers Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlikfT0ACgkQja8UbcUWM1yWggEAhMSL9CkYK9N/T+bvL/wJl0AI 7vRR64eWi8BhnAmfqEcA/iR5hn3IhHgMTeKVuW70v9qHfIomAwwe55OfKy0lHbNM =/U17 -----END PGP SIGNATURE-----

Roger Oberholtzer

16 Feb 16 Feb

06:35

On Wed, Feb 15, 2017 at 5:09 PM, Carlos E. R. wrote:

...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

El 2017-02-15 a las 17:03 +0100, Per Jessen escribió:

...
Carlos E. R. wrote:

...
...
...
That is very odd. By default, zypper will use chunked/segmented downloading spread over multiple mirrors. Your corp firewall will only see individual segments from different servers, never a single complete file - so the failure is happening on bits of the files only. Very odd.

Can't be, because on retries the chunks would be different, no?

No, the chunks remain the same. For example, one 10Mb file split into 40 segments of 256K - 40 individual downloads. If one segment fails, it is retried, that's all. Might be worth disabling the chunking, I don't know if that is possible.

Ah, I see. You mean the chunks would be the same each time.

Are you sure the checker can't reconstruct the file? Some places the download occurs at an internal server, and the user machine sees nothing till after the end, when that machine does a virus check. Other times the download stalls at 99% and never ends. The name Ironclad comes to my mind.

IronPort. This download and check by the scanner is what I have been told is done here. The client does not see this. And the files do seems always to stop at >90%. Which I have always thought odd. But when it is checking the files this way, maybe that is what happens. Maybe the check is happy if it just keeps the download from completing. That may be enough to stop most downloads. No idea. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org