Rich Freeman via plug on 20 Sep 2019 12:28:12 -0700



Re: [PLUG] The lock down?! Uhh.. why?


On Fri, Sep 20, 2019 at 3:21 PM prushik--- via plug
<plug@lists.phillylinux.org> wrote:
> >On Fri Sep 20, 2019 at 2:43 PM Rich Freeman via plug wrote:
> >> Seems like a best practice all around.  Here is my thinking:
> >>
> >> The only cost is a bit of CPU - not a big deal.
>
> Could be a big deal. A lot more computers and servers are cpu-bound than you might expect, and TLS is likely heavier than you expect.

So, on the repo server side I could see a big penalty, but the people
controlling those servers are the same people pushing the SSL switch,
so presumably they're not worried.

On the client side I suspect the cost isn't THAT high.  How often are
you syncing the repo anyway (for the parts that are moving to SSL)?

I suspect in a high-capacity production environment the model is going
to be to build docker/VM/whatever images from a non-production host,
and that is where all your syncing will be happening.  Then those
images are what actually get swapped out with your running instances.
The servers handling all the transactions aren't the ones running SSL,
except to the degree that they're probably doing all their disk IO
over SSL anyway to whatever your storage backend is.  I doubt most
high-scale setups are running curated individual hosts on bare metal
with rpm or whatever running from a cron job...

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug