On 06/19/2015 11:31 AM, Christian Stump wrote:
>> The mirror list is downloaded from http://www.sagemath.org/mirror_list
> 
> Is it true that among the needed resources, only www.sagemath.org is
> or will be any time soon located anywhere where I cannot assume a
> relatively constant IP ?
> 
> If the answer is "yes" or "likely yes": are there only few
> dependencies on www.sagemath.org which could be relocated or have
> hardcoded fallbacks ?
> 
> If the answer is "no" or "likely no": does that mean that I or anyone
> else cannot compile sage on a machine behind a firewall with such an
> IP whitelist?
> 

There probably aren't a lot of people running with that kind of
firewall. It sounds like,

  * You want to be protected from outside connections by default; but,

  * You have the ability to whitelist anything that you want to
    connect to.

That much is common, but there's no need to manually update the
whitelist. When your computer makes a request to e.g.
"git.sagemath.org", why not just add the whitelist entry by default?
After all, you just expressed your intent to connect to it. IPTables has
that feature built-in. Just set your INPUT policy to drop and add the
following to the INPUT table.

  iptables -A INPUT -p ALL -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

The `pf` program on BSD can do something similar but I'm not any good
with it.

This is probably safer than what you have now, since the whitelist entry
isn't permanent -- it's only for connections you've initiated. With the
permanent whitelist, someone who takes over git.sagemath.org could try
to SSH into your machine while you're asleep.

It's also way way way less annoying for you, unless this whole thing is
some crazy person's attempt to keep you off facebook at work and they
have to approve the whitelist entries.
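
An added example, not part of the original message: a shell audit of an `iptables-save` dump that flags permanent source-address whitelist entries of the kind the message warns about and checks that the stateful rule is present. The sample dump, the 192.0.2.x addresses and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed iptables-save dump; 192.0.2.x are documentation addresses
# standing in for whitelisted hosts (not taken from the thread).
sample_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.20/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print INPUT rules that ACCEPT by source address with no connection-state
# restriction (or one that includes NEW): these let the listed host open
# connections to this machine at any time. Reads a dump on stdin.
permanent_whitelist_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            src = ""; state = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s" || $i == "--source") src = $(i + 1)
                if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
            }
            if (src != "" && (state == "" || state ~ /(^|,)NEW(,|$)/)) print
        }'
}

# Succeed only if INPUT defaults to DROP and some rule accepts packets of
# already-established connections (the conntrack rule from the message).
has_stateful_baseline() {
    awk '
        $1 == ":INPUT" && $2 == "DROP" { drop = 1 }
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if ($i == "--ctstate" && $(i + 1) ~ /ESTABLISHED/) ok = 1
        }
        END { exit !(drop && ok) }'
}

# On a real host (as root): iptables-save | permanent_whitelist_rules
sample_dump | permanent_whitelist_rules
```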
