[arch-general] [arch-dev-public] Can we trust our mirrors?

vlad vla at uni-bonn.de
Sun Nov 30 09:09:04 EST 2008


hi all,

On Sun, Nov 30, 2008 at 12:54:34PM +0100, Timm Preetz wrote:
>
> I think ftp.archlinux.org can be pretty slow sometimes (compared to
> near-by mirrors), so wouldn't it be equally sufficient to just fetch the
> DB-checksum from archlinux.org?
>
> (Still not as secure as signed DBs though.)

the db.tar.gz file is pretty small. the extra.db.tar.gz file is about
400kb. ok, it is also possible to get only the db checksum, but the idea
is that the db file itself should be in a trusted place.
with 2-3 "trusted servers" users can choose a server in a near location
(.org, .de or .fr for example).

On Sun, Nov 30, 2008 at 01:40:07PM +0100, Gerhard Brauer wrote:
> On Sun, 30 Nov 2008 12:54:34 +0100
> Timm Preetz <timm at preetz.us> wrote:
>
> > I think ftp.archlinux.org can be pretty slow sometimes (compared to
> > near-by mirrors), so wouldn't it be equally sufficient to just fetch
> > the DB-checksum from archlinux.org?
>
> This is not possible cause mirrors sync times are different, so the
> result was: newer package versions in the db - but the package file is
> not available on users mirror.
> (I had made the same request earlier in a bugtracker thread, without
> thinking a bit deeper... ;-)
>
> Regards
>       Gerhard

yes, i also thought about that. that's why i suggested to establish a db file repository
with a file retention of some days (mirrors usually sync every 2h-24h).
the new db.tar.gz now looks like <repo_name>-<file_creation_time>.db.tar.gz and
the mirror fetches the latest db file from this repository when sync'ing.
pacman checks the time (name) of the db file on the mirror and fetches
this file from db file repo of a "trusted server".
i don't think this is hard to implement. it's only a file name
and md5sum comparison.
imo it's the easiest way to do this. it's easier and less work than to sign packages
or similar.
as a byproduct one can keep track of existing mirrors and users can directly see
if mirrors they use are trustworthy or not.
just my 2 cents.

vlad
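
The check proposed in the message above, sketched as an added example that is not part of the original post or of pacman. Assumptions: the creation time in the file name is a 10-digit Unix timestamp, retention is 3 days, the trusted server's db file repository is modeled as an in-memory dict, and SHA-256 is swapped in for the md5sum the post mentions.

```python
import hashlib
import hmac
import re

# Assumed name layout: <repo_name>-<unix_creation_time>.db.tar.gz
NAME_RE = re.compile(r"^(?P<repo>[a-z0-9_-]+?)-(?P<ts>\d{10})\.db\.tar\.gz$")
RETENTION_SECONDS = 3 * 24 * 3600  # "some days" in the post; 3 days assumed


def digest(data: bytes) -> str:
    # SHA-256 stands in for the md5sum mentioned in the post.
    return hashlib.sha256(data).hexdigest()


def check_mirror_db(repo, mirror_name, mirror_db, trusted_repo, now):
    """Return (ok, reason) for a db snapshot offered by a mirror.

    trusted_repo maps snapshot file names to contents and stands in for
    a fetch from the trusted server's db file repository.
    """
    m = NAME_RE.match(mirror_name)
    if m is None or m.group("repo") != repo:
        return False, "malformed or wrong-repo file name"
    age = now - int(m.group("ts"))
    if age < 0:
        return False, "creation time is in the future"
    if age > RETENTION_SECONDS:
        # A mirror pinned to an old snapshot hides newer (fixed) packages.
        return False, "snapshot older than retention window"
    trusted_db = trusted_repo.get(mirror_name)
    if trusted_db is None:
        return False, "snapshot unknown to trusted server"
    if not hmac.compare_digest(digest(mirror_db), digest(trusted_db)):
        return False, "checksum mismatch with trusted copy"
    return True, "ok"


# Constructed sample data, not real repository contents.
NOW = 1228054144
GOOD_NAME = "extra-1228050000.db.tar.gz"
TRUSTED = {GOOD_NAME: b"constructed db snapshot bytes"}

if __name__ == "__main__":
    print(check_mirror_db("extra", GOOD_NAME, TRUSTED[GOOD_NAME], TRUSTED, NOW))
    print(check_mirror_db("extra", GOOD_NAME, b"tampered", TRUSTED, NOW))
```

The comparison is only as strong as the channel to the trusted server: if that fetch is unauthenticated, an on-path attacker can serve a matching tampered pair.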


