[arch-general] [arch-dev-public] Can we trust our mirrors?
Timm Preetz
timm at preetz.us
Sun Nov 30 06:54:34 EST 2008
On Sun, 2008-11-30 at 04:22 +0100, vla at uni-bonn.de wrote:
> Am So, 30.11.2008, 00:24, schrieb Aaron Griffin:
>
> > All we'd need is to patch repo-add to include signature data in the
> > DB. To do this properly, signatures should be uploaded with the
> > package itself, from the packager's machine... hmmm
> >
> perhaps i missed something, but wouldn´t be the easiest way to download
> the db.tar.gz directly from ftp.archlinux.org or another trusted server
> and the packages from the mirrors? something like a decentralized system.
I think ftp.archlinux.org can be pretty slow sometimes (compared to
near-by mirrors), so wouldn't it be equally sufficient to just fetch the
DB-checksum from archlinux.org?
(Still not as secure as signed DBs though.)
More information about the arch-general
mailing list