[aur-general] pkgstats and unused [community] packages

[PyroPeter]

On 10/27/2010 02:03 AM, Kaiting Chen wrote:
> On Tue, Oct 26, 2010 at 10:55 AM, PyroPeter<abi1789 at googlemail.com>  wrote:
>> To actually track the tcp-traffic (indirectly containing the name of
>> the requested package) archlinux.org would have to _proxy_ the traffic
>> (_all_ data would go _twice_ through their network infrastructure).
>> This would make the concept of mirrors useless.
>>
>> The other possibility would be a round-robin domain name
>> (like e.g. irc.freenode.net). This way archlinux.org could only
>> log that a connection was made, but not which packages were requested.
>> (Additionally all mirrors would have to use the same folder hierarchy)
>>
>> TL,DR: There is no technical way to monitor all package downloads.
>>
>>
>> Regards, PyroPeter
> Not true, Arch could set up a round robin proxy to other mirrors such that
> when a package is requested it returns a HTTP 302 or HTTP 303 redirect. Then
> the only network traffic routed through Arch servers would only be the
> request HTTP headers which is quite insubstantial but would still allow real
> package statistics to be retrieved.
>
> Kaiting.

Yes, you are right.

This would even allow to host the package lists at archlinux.org
(I assume they include checksums of the archives) which would
help with the security concerns (non-signed packages, etc...) as
you would not be forced to trust the mirrors any longer.
(as long as you did not use MD5 for the hashes ;-) )

Regards, PyroPeter
-- 
freenode/pyropeter                          "12:50 - Ich drücke Return."