[arch-general] Making pacman check multiple repos
Nathan Wayde
kumyco at konnichi.com
Sun Dec 13 08:09:42 EST 2009
On 13/12/09 12:02, Xavier wrote:
> On Sun, Dec 13, 2009 at 12:49 PM, Heiko Baums<lists at baums-on-web.de> wrote:
>> On Sun, 13 Dec 2009 09:02:16 +0000,
>> Nathan Wayde<kumyco at konnichi.com> wrote:
>>
>>> Of course this also raises the question of 'what happens when the
>>> master goes down?'.
>>
>> Or gets hacked?
>>
>
> The changes you talked about don't really make that problem any worse
> than it already is.
> If master goes down or gets hacked, all mirrors are syncing from it
> anyway (directly or indirectly) so you are fucked.
>
> If you worry about it going down, then you provide other masters (you
> can give money or hardware or hosting)
> If you worry about getting hacked, you use signatures (you can give
> money or code)
>
Then I propose another spin on it: layer the extra checksums on top of
what is there now.
Store a copy of the db file as e.g. [checksum].db; this goes on a set of
master servers. When the user syncs with their mirror, a checksum is
generated based on the db file that was downloaded; this checksum is
then used to get the [checksum].db from a master server, and this new
[checksum].db file is used to do the sync update.
The issue of a master going down is gone: if you really cannot download
from a master, then let the user decide what they want to do - you have
a copy of a proper .db file, so you could use it if the user decides they
want to.
In the event that a corresponding [checksum].db does not exist on a
master, then you know something has gone wrong. I can't imagine a master
would be out of date compared to another mirror (remember this is about
storage of the db files, not packages; the idea is that [checksum].db
would be uploaded first), but in case it was, then you could just add a
timestamp inside the .db (.lastupdate?) for extra verification.
That on top of signing sounds almost perfect to me.
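As an added illustration of the scheme proposed in the message above (this is example code written for this page, not pacman's code or anything posted in the thread): the client hashes the db it fetched from its mirror, asks a master for the copy stored under that hash, and only uses what the master returned. The following are assumptions, not part of the proposal: a sync db is modelled as a gzipped tar (like pacman's .db files) carrying a `.lastupdate` entry with a UNIX timestamp inside the archive, the master is modelled as an in-memory dict keyed by SHA-256 hex digest, the `<master>/<digest>.db` URL layout is hypothetical, and all package names, versions and timestamps are constructed.

```python
"""Client-side model of the '[checksum].db on the masters' idea.

Constructed example, not pacman code. Assumptions: a db is a gzipped tar
with a '.lastupdate' entry inside it; masters store a copy of each db
under its SHA-256 hex digest; everything below is built in memory.
"""
import hashlib
import io
import tarfile
from typing import Dict, Iterable, Optional, Tuple


class MasterUnreachable(Exception):
    """Raised when no master server can be contacted."""


def build_db(packages: Dict[str, str], last_update: int) -> bytes:
    """Build a constructed sync db: <pkg>-<ver>/desc entries plus a
    '.lastupdate' entry holding a UNIX timestamp (the post's suggestion)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, text: str) -> None:
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = last_update
            tar.addfile(info, io.BytesIO(data))
        add(".lastupdate", f"{last_update}\n")
        for name, version in sorted(packages.items()):
            add(f"{name}-{version}/desc", f"%NAME%\n{name}\n\n%VERSION%\n{version}\n")
    return buf.getvalue()


def checksum(db: bytes) -> str:
    """The name the masters would store this db under: <sha256>.db."""
    return hashlib.sha256(db).hexdigest()


def last_update(db: bytes) -> int:
    """Read the timestamp stored inside the db; 0 if the entry is absent."""
    with tarfile.open(fileobj=io.BytesIO(db), mode="r:gz") as tar:
        try:
            member = tar.extractfile(".lastupdate")
        except KeyError:
            return 0
        return int(member.read().decode().strip()) if member else 0


class Master:
    """Stand-in for a master server holding <checksum>.db copies."""

    def __init__(self, dbs: Iterable[bytes], online: bool = True) -> None:
        self.by_hash = {checksum(db): db for db in dbs}
        self.online = online

    def fetch(self, digest: str) -> Optional[bytes]:
        # Models GET https://<master>/<digest>.db (hypothetical URL layout).
        if not self.online:
            raise MasterUnreachable("no master reachable")
        return self.by_hash.get(digest)

    def newest(self) -> bytes:
        if not self.online:
            raise MasterUnreachable("no master reachable")
        return max(self.by_hash.values(), key=last_update)


def verify_sync(mirror_db: bytes, master: Master,
                use_mirror_if_master_down: bool = False) -> Tuple[str, Optional[bytes]]:
    """Hash the db fetched from the mirror, ask a master for <hash>.db and
    use only what the master returned. Returns (status, db_to_use_or_None)."""
    digest = checksum(mirror_db)
    try:
        master_copy = master.fetch(digest)
    except MasterUnreachable:
        # The post leaves this to the user: keep the unverified mirror copy or stop.
        if use_mirror_if_master_down:
            return "unverified", mirror_db
        return "master-down", None
    if master_copy is not None and checksum(master_copy) == digest:
        return "verified", master_copy
    # No <hash>.db on the master: either the master lags the mirror (the
    # post's timestamp check) or the mirror served content no master knows.
    if last_update(mirror_db) > last_update(master.newest()):
        return "master-stale", None
    return "rejected", None


def demo() -> Dict[str, str]:
    """Run the situations the post discusses on constructed data."""
    t_old, t_new = 1260690000, 1260700000  # constructed timestamps
    old_db = build_db({"pacman": "3.3.2-1"}, t_old)
    good_db = build_db({"pacman": "3.3.3-1"}, t_new)
    evil_db = build_db({"pacman": "3.3.3-1", "backdoor": "1.0-1"}, t_new)
    master = Master([old_db, good_db])
    offline = Master([good_db], online=False)
    return {
        "good mirror": verify_sync(good_db, master)[0],
        "tampered mirror": verify_sync(evil_db, master)[0],
        "master down": verify_sync(good_db, offline)[0],
        "master down, user accepts": verify_sync(good_db, offline, True)[0],
        "master behind mirror": verify_sync(good_db, Master([old_db]))[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28s} -> {status}")
```

One caveat worth keeping in mind when reading the result: the `.lastupdate` timestamp only distinguishes "master lagging behind the mirror" from "content no master has seen", and a hostile mirror can forge it, so the scheme authenticates nothing on its own and relies on the masters being trustworthy; that is exactly why the message ends with "on top of signing".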