[arch-general] [arch-dev-public] Can we trust our mirrors?
Gerhard Brauer
gerhard.brauer at web.de
Sun Nov 30 10:06:35 EST 2008
Am Sun, 30 Nov 2008 15:09:04 +0100
schrieb vlad <vla at uni-bonn.de>:
>
> yes, i also thought about that. that's why i suggested to establish a
> db file repository with a file retention of some days (mirrors
> ususally sync every 2h-24h).
...
> just my 2 cents.
IMHO this could not be handled in practice. We will end in a zillion of
different *.db.tar.gz files, cause the "main" db file could change
every minute/hour by a dev and mirrors don't sync every day in practice.
But more important: At the moment we can't guarantee the integrity of
*one* db file, with your solution we can't guarantee it for 100 db
files. That the file is (maybe) downloaded over a unsecure transport
from a mirror (ftp.archlinux.org are mirrors too) that **could** be
ftp.archlinux.org make it IMHO not more trusted.
> vlad
Regards
Gerhard
More information about the arch-general
mailing list