GrapheneOSWe currently have 16Gbps total bandwidth for our update servers and that's not nearly enough for major releases anymore. Rather than further scaling up our current 2Gbps unmetered VPS approach, we're currently looking into other options. OVH lacks cost effective 10Gbps servers.
We've made 2 attempts at talking to OVH about offering us something different than their publicly available products which hasn't gone anywhere. We likely need to move this part of our infrastructure to 1 or 2 other providers with unmetered 10Gbps dedicated servers like Tempest.
For an idea of what we're looking for, see the 10Gbps options at https://tempest.net/dedicated-servers with 64GB memory. They're also willing to give us a significant discount, which other major providers haven't offered. Tempest is currently IPv4-only though, which isn't ideal for our usage.
Isarblues
Ben Stewart@GrapheneOS hey @kwf is this something micromirror can help out with? Or am I barking up the wrong tree here?
Kenneth Finnegan@obsidian @GrapheneOS did my reply not make it?
We can be a mirror, but not a primary part of their internal infrastructure. They need to be running a load balancer like mirrorbits for us to shave traffic off their main servers.
If the traffic levels are high enough and they're good about archiving past releases, MicroMirror would also be able to help, but at least mirror.fcix.net would be possible
@obsidian @GrapheneOS to give a sense of scale, we do about 10TB/day on our main mirror and 90TB/day on the MicroMirror constellation. So even if we were talking about 2Gbps constant all day every day, that would easily be in the manageable territory. We have about 300Gbps of transit capacity across the fleet.
Corvus@GrapheneOS @pcdog might have some ideas.
Juustoperse@corvus_ch @GrapheneOS can someone from Graphene team reach out via the contact form on my website Openfactory.net please do I can write back, don't want to publish the email here in case bots scrape it ;)
But I can surely do sth and also reach out for sponsors of bandwidth in the social network. This is doable!
redsakana@GrapheneOS
If the deal is very good it may make sense, but coming from the CDN sector, I'd say that a hosting operation that can't provide v6 _at all_ in 2025 is either suffering from worrying levels of technical debt or other serious organizational issues.
Personally, I would at least avoid committing to anything beyond a monthly contract before evaluating whether they can reliably deliver promised capacity even with legacy IP.
bl4x1@GrapheneOS Maybe a different approach, similar to many popular linux distros, where people can select a local mirror that provides the best performance for them? Have you tried talking to universities or similar institutions if they would be willing to host a mirror?
@bl4x1 Having third party mirrors would negatively impact privacy, security and reliability despite the updates being signed with downgrade protection. We don't want to do that.
@GrapheneOS You could validate the checksum over your own channels (not sure if that's what downgrade protection means) but I can also understand if you don't want to consider this. Eventhough I don't think there is any substantial risk involved with downloading e.g. Linux Mint from a mirror (if you validate the checksum of course, but that's something which should always be done since network injection is an attack vector that's known to be actively used, e.g. by Pegasus).
@bl4x1 There are signatures verified by the update client and it makes sure the new version is equal or greater than the previous version. Install process has firmware verification built-in and has people check OS verified boot key post-install. CLI install has users verify the install zip.
Our app repo has all the metadata signed including what's in which release channel. OS updates themselves are signed but we plan to sign release channel metadata for them as an extra layer of protection.