[arch-general] Making pacman check multiple repos

Ng Oon-Ee ngoonee at gmail.com
Fri Dec 11 18:20:16 EST 2009 

On Sat, 2009-12-12 at 00:54 +0200, Rogutės Sparnuotos wrote:
> Aaron Griffin (2009-12-11 15:38):
> > On Fri, Dec 11, 2009 at 3:14 PM, Brendan Long <korin43 at gmail.com> wrote:
> > > For a little while I've been confused because pacman -Syu always said
> > > that everything was up to date (for a week or more). I talked to a
> > > friend at school and he had the same thing happening and I realized
> > > something might be wrong and commented out mirrors one at a time until I
> > > found one with updates (I think easynews is the one I used). The new
> > > update comes with a mirrorlist that doesn't contain the mirror I was
> > > using before (gigenet)
> > >
> > > The problem is that there's no warning that something is wrong with the
> > > old mirrors, so I'd like to suggest some sort of test so that if no
> > > updates are found for some amount of time, pacman tries a known good
> > > mirror (like the main one). To save on bandwidth, it might work best to
> > > make it only check the main repo for an updated package list and then
> > > tries the normal mirrors until it finds one with a matching package
> > > list.
> > >
> > > I'm not sure how complicated this would be be, or how worthwhile it is
> > > (I suppose Arch users are more likely than most to realize that
> > > something is wrong when updates stop), but I think it would be helpful
> > > to have some sort of test to make sure you're not updating off a
> > > seriously out of date mirror.
> > 
> > Well, technically there's nothing "wrong" with the mirror. No one
> > defined "matching archlinux.org exactly" to be "right".
> > 
> > That said, there was some discussion in the past to use one server for
> > DB files and another for packages. That'd cover this case here - get
> > the db files from archlinux.org and use other servers for packages.
> 
> Having DB files in a central place would do much trust wise. Currently,
> one has to totally trust a mirror, because a mirror has total control
> over the contents of binary packages and their checksums. But I guess this
> is what the past discussion was about?
> 
While I'm not as concerned about security as some (most) here, I do
think "db files from one site and packages from another" is a good idea.
(some) Mirrors will be slow, however, and there will be additional
complexity since the db would perhaps be several steps ahead of most
mirrors. For example if package foo-1.2 is installed, package foo-1.4 is
in the db, and package foo-1.3 is in the mirror, pacman would have to be
smart enough to install foo-1.3....

More information about the arch-general mailing list