[arch-general] Making pacman check multiple repos

Jeroen Op 't Eynde jeroen at xprsyrslf.be
Sun Dec 13 06:25:02 EST 2009


On 12/13/2009 12:08 PM, Allan McRae wrote:
> Jeroen Op 't Eynde wrote:
>> On 12/13/2009 10:02 AM, Nathan Wayde wrote:
>>> On 13/12/09 08:48, Ng Oon-Ee wrote:
>>>> On Sun, 2009-12-13 at 03:31 -0500, Qadri wrote:
>>>>>
>>>>> So should it be a function of the program to make sure that happens?
>>>>> Or is it a responsibility of the user? Should the functionality be
>>>>> programmed into pacman to make sure that happens, or should we be
>>>>> asking that users be aware of what repos they're using?
>>>>
>>>> Well said, I agree. I believe that if separate db and package downloads
>>>> are implemented it should not be so users can be 'up-to-the-minute' in
>>>> packages, but for greater security.
>>>>
>>>> In fact, now that I think about it, having two dbs (one on the mirror
>>>> with all packages as available on that mirror and one 'master' with a
>>>> list of authoritative checksums) would make sense, as it fulfils the
>>>> security aspect well while avoiding the problem of db/package mismatch.
>>>> The 'master' db would have to have a history of previous checksums as
>>>> well.
>>>>
>>>>
>>> One possible alternative to explicitly storing a history of checksums is
>>> to checksum the dbfile, and name it as such. Instead of core.db.tar.gz,
>>> you'd have core.[checksum].db.tar.gz and these would be stored for
>>> some time on the master. In order to make it secure the standard
>>> checksums would have to be upgraded to something with fewer collisions
>>> than md5.
>>> Of course this also raises the question of 'what happens when the master
>>> goes down?'.
>>
>> I'm following this topic, and I agree a bit with Qadri. I think it should
>> be/stay the responsibility of the user.
>> My solution to get up-to-the-minute packages is very simple:
>> -put ftp.archlinux.org on top of the mirrorlist
>> -do pacman -Sy
>> -comment ftp.archlinux.org out of the mirrorlist
>> -do pacman -Su
>> And then it goes through the list of servers for the latest packages.
>>
>> Changing the way the mirrors and updating work is unnecessary
>> IMHO.
>
> ftp.archlinux.org is technically a mirror and is not even the most up to
> date mirror most of the time...
>
>


Ok, good to know that then. Could anyone point me to the most up-to-date
mirror maybe, so my solution would be successful? Or is that the problem
we're discussing in this topic?

The servers below seem to stay very up-to-date according to
https://www.archlinux.de/?page=MirrorStatus

ftp://mirror.giantix-server.de/archlinux/$repo/os/x86_64
ftp://mirrors.kernel.org/archlinux/


-- 
Jeroen Op 't Eynde
jeroen at xprsyrslf.be
http://xprsyrslf.be

How to set up a cheap professional hosting @ XprsYrslf.be
See my latest work: www.jhdeput.be
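
The two ideas from the quoted discussion (a 'master' index of authoritative checksums with history, and a db file named after its own checksum), sketched as an added example that is not part of the original message and is not pacman code. SHA-256, the `MasterIndex` class and all function names are assumptions made for illustration; the package contents are constructed byte strings.

```python
import hashlib
import hmac
import re

# Hypothetical file-name scheme from the thread: core.[checksum].db.tar.gz,
# with SHA-256 assumed as the stronger-than-md5 checksum.
DB_NAME = re.compile(r"^(?P<repo>[a-z0-9_-]+)\.(?P<digest>[0-9a-f]{64})\.db\.tar\.gz$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def db_name_for(repo: str, db_bytes: bytes) -> str:
    """Name the master would publish for this exact db content."""
    return f"{repo}.{sha256_hex(db_bytes)}.db.tar.gz"

def verify_db(filename: str, db_bytes: bytes) -> bool:
    """True only if the digest embedded in the name matches the content.
    The name itself must come from the master, not from the mirror."""
    m = DB_NAME.match(filename)
    return bool(m) and hmac.compare_digest(m["digest"], sha256_hex(db_bytes))

class MasterIndex:
    """Authoritative checksums per package, including earlier releases."""
    def __init__(self):
        self._history = {}  # name -> [(version, sha256)], oldest first

    def publish(self, name: str, version: str, pkg_bytes: bytes) -> None:
        self._history.setdefault(name, []).append((version, sha256_hex(pkg_bytes)))

    def check(self, name: str, pkg_bytes: bytes):
        """Classify a mirror download as current, outdated or unknown."""
        releases = self._history.get(name, [])
        digest = sha256_hex(pkg_bytes)
        for i in range(len(releases) - 1, -1, -1):  # newest first
            version, known = releases[i]
            if hmac.compare_digest(known, digest):
                state = "current" if i == len(releases) - 1 else "outdated"
                return state, version
        return "unknown", None  # not a file the master ever published

if __name__ == "__main__":
    # Constructed sample data: byte strings stand in for package files.
    master = MasterIndex()
    master.publish("foo", "1.0-1", b"foo-1.0-1 contents")
    master.publish("foo", "1.1-1", b"foo-1.1-1 contents")
    print(master.check("foo", b"foo-1.1-1 contents"))   # up-to-date mirror
    print(master.check("foo", b"foo-1.0-1 contents"))   # lagging mirror
    print(master.check("foo", b"tampered contents"))    # rejected
    name = db_name_for("core", b"constructed db bytes")
    print(name, verify_db(name, b"constructed db bytes"))
```

Keeping the history lets a client tell a lagging mirror apart from a file the master never published, which is the db/package mismatch case raised in the thread.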

