hi all, On Sun, Nov 30, 2008 at 12:54:34PM +0100, Timm Preetz wrote:
I think ftp.archlinux.org can be pretty slow sometimes (compared to near-by mirrors), so wouldn't it be equally sufficient to just fetch the DB-checksum from archlinux.org?
(Still not as secure as signed DBs though.)
the db.tar.gz file is pretty small. the extra.db.tar.gz file is about 400kb. ok, it is also possible to ge only the db checksum, but the idea is that the db file itself should be in a trusted place. with 2-3 "trusted servers" users can choose a server in a near location (.org, .de or .fr for example). On Sun, Nov 30, 2008 at 01:40:07PM +0100, Gerhard Brauer wrote:
Am Sun, 30 Nov 2008 12:54:34 +0100 schrieb Timm Preetz <timm@preetz.us>:
I think ftp.archlinux.org can be pretty slow sometimes (compared to near-by mirrors), so wouldn't it be equally sufficient to just fetch the DB-checksum from archlinux.org?
This is not possible cause mirrors sync times are different, so the result was: newer package versions in the db - but the package file is not available on users mirror. (I've had make the same request earlier in a bugtracker thread, without thinking a bit deeper... ;-)
Regards Gerhard
yes, i also thought about that. that's why i suggested to establish a db file repository with a file retention of some days (mirrors ususally sync every 2h-24h). the new db.tar.gz now looks like <repo_name>-<file_creation_time>.db.tar.gz and the mirror fetches the latest db file from this repository when sync'ing. pacman checks the time (name) of the db file on the mirror and fetches this file from db file repo of a "trusted server". i don't think this is hard to implement. it's only a file name and md5sum comparison. imo it's the easiest way to do this. it's easier and less work than to sign packages or similar. as a byproduct one can keep track of existing mirrors and users can directly see if mirrors they use are trustworthy or not. just my 2 cents. vlad