[Dev] Cleaning up the repos

Michał Masłowski mtjm at mtjm.eu
Sat Nov 29 07:57:04 GMT 2014

> The main repo is repo.parabola.nu, right? I presume that is the one
> that the others sync with.


> There is a directory called "latest" which contains the image from
> last year. :) It looks like potential confusion could be prevented by
> simply deleting it, since the "2013.09.01" directory is identical.

This needs fixing.

> The other repos that are not identical simply seem to have not synced
> in a while, but I know that's typical in a small distro.

Most mirrors are outdated or broken now [0].  I think not all mirrors
get all files: some exclude e.g. mips64el, maybe some isos too.

[0] https://www.parabola.nu/mirrors/status/

> In the most recent directory, "2014.10.07", an .sfv (Simple
> verification) file is provided rather than a checksum file. Scratching
> my head at this. Before now, I'd never even heard of SFV. A quick
> search gives me many sources saying that SFV cannot be used to verify
> a file's authenticity. Even MD5 hashes are better. However, these
> days, we shouldn't use anything less than SHA-2 hashes (sha256sum, for
> example), because everything weaker has been broken!

I think we should remove all checksum files and include a GPG signature
using SHA-2.  This probably needs fixing our key signing policy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20141129/101102d6/attachment.sig>

More information about the Dev mailing list