FS#11573 : Optional load repo database from other server

Historical bug tracker for the Pacman package manager.

The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues

This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.

FS#11573 - Optional load repo database from other server

Attached to Project: Pacman
Opened by Gerhard Brauer (GerBra) - Wednesday, 24 September 2008, 09:50 GMT
Last edited by Xavier (shining) - Wednesday, 24 September 2008, 13:31 GMT

Task Type	Feature Request
Category	Backend/Core
Status	Closed
Assigned To	No-one
Architecture	All
Severity	Low
Priority	Normal
Reported Version	3.2.0
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 Xavier (shining) (2008-09-24) Gerhard Brauer (GerBra) (2008-09-24)
Private	No

Details

I would like to have an Option (general or per repo) to choose from which server i download the current $repo.db.tar.gz during an -Sy.

The md5sum check is our only integrity check on a package. So if we could choose a trusted source location for the database it was more difficult to manipulate packages on an hacked or malicious mirror.

The implementation could be:
* Without a setting all db files are downloaded from ftp.archlinux.org
* User could set an other generally location in pacman.conf
* User could set it per repo in pacman.conf

I could not provide a patch (no C experience) but i think this could be easilier implemented as package signing, and could be a first step of pacman security framework.

This task depends upon

Closed by Xavier (shining)
Wednesday, 24 September 2008, 13:31 GMT
Reason for closing: Won't implement
Additional comments about closing: see comments

Comments (4)
Related Tasks (0/0)

Comment by Dan McGee (toofishes) - Wednesday, 24 September 2008, 13:02 GMT

~~FS#5331~~ is the only viable way to solve the problem; this sounds like just another workaround.

1) ftp.archlinux.org is just another mirror anyway, so could be easily hacked.
2) Even if done, this would need to be done in some distro-agnostic way.
3) md5sums are in no way a security feature. They are *only* for a quick check that the download was successful.

Comment by Xavier (shining) - Wednesday, 24 September 2008, 13:14 GMT

Additionally, mirrors usually don't all sync at the same time, so this would cause a lot of issues, as well as adding complexity, for a rather small benefit in the end.

It is also important to consider that work on package signing has already started :
http://code.toofishes.net/gitweb.cgi?p=pacman.git;a=shortlog;h=refs/heads/gpg
We just need people interested to finish this work.

Comment by Gerhard Brauer (GerBra) - Wednesday, 24 September 2008, 13:23 GMT

Xavier, you're right - i don't thought enough on syncing (me->idiot, i have to know this problem!)

To you both: ok, better let manpower go to work on signing packages instead of workarounds.
So you could close this feature resquest.

Comment by Xavier (shining) - Wednesday, 24 September 2008, 13:30 GMT

Ahah, I also thought you had to know about this syncing issue :) But don't worry, it happens to anyone.
I will close now.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

Pacman

FS#11573 - Optional load repo database from other server

Details

Loading...