[arch-general] [arch-dev-public] Can we trust our mirrors?
vla at uni-bonn.de
vla at uni-bonn.de
Sat Nov 29 23:03:11 EST 2008
> perhaps i missed something, but wouldn´t be the easiest way to download
> the db.tar.gz directly from ftp.archlinux.org or another trusted server
> and the packages from the mirrors? something like a decentralized system.
sorry. i wasn´t very explicit in my previous mail.
my idea is this:
first there should 2-3 trusted servers in case one fails or is offline.
on these servers there should be a db.tar.gz repository with a hold-back
time of 5-10 days.
the db.tar.gz files should now look like <repo>-$(date).db.tar.gz.
everytime a maintainer updates a package and a new db.tar.gz file is
created, it goes to this db repository. when a mirror syncs, the latest
<repo>-$(date).db.tar.gz is fetched.
now when a user updates his/her system, pacman checks the
<repo>-$(date).db.tar.gz file on the mirror, fetches this file form the db
repository of a trusted server and then downloads the packages from the
mirror.
pacman compares the package md5sums with the ones in the db.tar.gz file
from the trusted server and proceeds as usual.
so one can also see if a mirror is corrupted and change the mirror and
perhaps contact the maintainer.
vlad
More information about the arch-general
mailing list