On Friday 12 November 2004 16:54, Brian G. Peterson wrote:
> On Friday 12 November 2004 09:02 am, Dan Margolis wrote:
> > Klaus Wagner wrote:
> > > I think if the rsync mirrors are too stressed for signation, they would
> > > be too stressed for rsync too, although rsync could be tunneled too.
> >
> > One of the suggestions we were kicking around was to use Stunnel to
> > encrypt rsync over SSL. This, of course, fails to be as encompassing as
> > the Final Solution involving GPG, but is suitable as a stopgap. We
> > rejected it because of concern about server load on the mirrors,
> > actually, since SSL does introduce some significant CPU overhead.
>
> Wouldn't public-key rsync over ssh be a lower CPU load option than rsync
> over SSL? This option would also be suitable as a 'secure rsync' method
> for remote users, if you wanted to push it out that far. I can see how CPU
> load for remote users to tunnel rsync over SSL or ssh, but the connection
> between the Gentoo rsync master and the mirrors could be secured this way.

The difference between ssh and ssl is very minimal in terms of performance,
however ssl focusses on public services with public certificates, while ssh
focusses on authenticated shell access to known users. The load difference
should be minimal anyway, but ssh is not suitable for the public rsync
service, for inter-mirror rsync it would be acceptable.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net