[arch-general] Making pacman check multiple repos
Allan McRae
allan at archlinux.org
Sun Dec 13 06:08:37 EST 2009
Jeroen Op 't Eynde wrote:
> On 12/13/2009 10:02 AM, Nathan Wayde wrote:
>> On 13/12/09 08:48, Ng Oon-Ee wrote:
>>> On Sun, 2009-12-13 at 03:31 -0500, Qadri wrote:
>>>>
>>>> So should it be a function of the program to make sure that happens?
>>>> Or is a
>>>> responsibility of the user? Should the functionality be programmed into
>>>> pacman to make sure that happens, or should we be asking that users
>>>> be aware
>>>> of what repos they're using?
>>>
>>> Well said, I agree. I believe that if separate db and package downloads
>>> are implemented it should not be so users can be 'up-to-the-minute' in
>>> packages, but for greater security.
>>>
>>> In fact, now that I think about it, having two dbs (one on the mirror
>>> with all packages as available on that mirror and one 'master' with a
>>> list of authoritative checksums) would make sense, as it fulfils the
>>> security aspect well while avoiding the problem of db/package mismatch.
>>> The 'master' db would have to have a history of previous checksums as
>>> well.
>>>
>>>
>> One possible alternative to explicitly storing a history of checksums is
>> to checksum the dbfile, and name it as such. instead of core.db.tar.gz,
>> you'd have have core.[checksum].db.tar.gz and these would be stored for
>> some time on the master. In order to make it secure the standard
>> checksums would have to be upgraded to something with less collisions
>> than md5.
>> Of-course this also raises the question of 'what happens when the master
>> goes down?'.
>
> I'm following this topic, and I a bit with Qadri. I think it should
> be/stay the responsibility of the user.
> My solution to get up-to-the-minute packages is very simple:
> -put ftp.archlinux.org on top of the mirrorlist
> -do pacman -Sy
> -comment ftp.archlinux.org out of the mirrorlist
> -do pacman -Su
> And then it goes through the list of servers for the latest packages.
>
> Change the way how the mirrors and how updating works is unnecessary IMHO.
ftp.archlinux.org is technically a mirror and is not even the most up to
date mirror most of the time...
More information about the arch-general
mailing list