[Secure-testing-team] Bug#781128: security.debian.org: GeoDNS load balancing of Debian Security mirrors + out of date mirrors means you cant patch

[Sam McLeod]

Package: security.debian.org
Severity: grave
Tags: security
Justification: renders package unusable

Dear Maintainer,
*** Please consider answering these questions, where appropriate ***

   * What led up to the situation?

1) Received notification of DSA 3197-2
2) Updated apt across our servers
3) Security patch was unavailable
4) Mirror given by GeoDNS for security.debian.org was:
- nashira.anu.edu.au (Located in Canberra, Australia)
- Out of date and did not contain the patch.
- Was not in the same city (Melbourne), or State (Victoria) as our location.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

- There was no clear way to mark the mirror as out of date or to select another mirror.
- We ended up having to manually edit our servers hosts file to point at another host.

   * What was the outcome of this action?

- We were not able to obtain a security patch when it was released.

   * What outcome did you expect instead?

- GeoDNS for security updates to only point to updated servers
- GeoDNS to provide a mirror near us, rather than on the other side of the country



-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.18.4-ix (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash