Hello All.
Maybe it is time to start providing general anonymous access to resources over rsync protocol.
Technically we can do the following:
We now have resources files on a separate shared disk, we can create a new vm specially for rsync (and possible move all other protocols there) and then mount it read-only there so we mitigate any security risks and will never be able to change files from that vm. This is how we planned to improve resources initially.
The only thing is that afaik rsync protocol is not authenticated and encrypted. There is nothing secret on resources, but the files might be tampered along the way and I am not sure all rpms there have crypto signatures.