[Dev] Cleaning up the repos

Luke Shumaker lukeshu at sbcglobal.net
Sat Nov 29 18:41:31 GMT 2014


At Sat, 29 Nov 2014 01:07:44 +0000,
laigualdad wrote:
> The main repo is repo.parabola.nu, right? I presume that is the one
> that the others sync with.

Yes; though some are probably trying to sync with
repo.parabolagnulinux.org, which should be the same server, but the
domain has expired.

> There is a directory called "latest" which contains the image from
> last year. :) It looks like potential confusion could be prevented
> by simply deleting it, since the "2013.09.01" directory is
> identical.

If you browse to <https://repo.parabola.nu/iso/>, you can see that
"latest" is a symlink to "2013.09.01".

It was never updated to point to "2014.06.01" because nobody was
willing to sign the ISO, as it was contributed instead of created by
one of the normal developers (he's a normal contributor now, but
wasn't at the time).

I'm updating it to point to 2014.10.07 now.

> The other repos that are not identical simply seem to have not
> synced in a while, but I know that's typical in a small distro.
> 
> In the most recent directory, "2014.10.07", an .sfv (Simple
> verification) file is provided rather than a checksum
> file. Scratching my head at this. Before now, I'd never even heard
> of SFV. A quick search gives me many sources saying that SFV cannot
> be used to verify a file's authenticity. Even MD5 hashes are
> better. However, these days, we shouldn't use anything less than
> SHA-2 hashes (sha256sum, for example), because everything weaker has
> been broken!

The checksums are only a quick check if the file/download was
corrupted; authenticity should be verified with the PGP '.sig' file.

--
Happy hacking,
~ Luke Shumaker
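
An added example, not part of the original message or of Parabola's tooling: a checker for the SFV format discussed above (one `filename CRC32-hex` entry per line, `;` for comments), showing what the checksum does catch. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile
import zlib
from pathlib import Path

def crc32_of(path, chunk_size=1 << 16):
    """Stream the file through CRC-32 so a large ISO is not read into memory."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def parse_sfv(text):
    """Return {filename: expected_crc}; lines starting with ';' are comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        # The CRC is the last field, so file names may contain spaces.
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or len(parts[1]) != 8:
            raise ValueError(f"malformed SFV line: {line!r}")
        entries[parts[0]] = int(parts[1], 16)
    return entries

def verify_sfv(sfv_text, base_dir):
    """Map each SFV entry to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, expected in parse_sfv(sfv_text).items():
        # Refuse entries that would resolve outside the download directory.
        path = os.path.normpath(os.path.join(base_dir, name))
        if os.path.isabs(name) or not path.startswith(os.path.join(base_dir, "")):
            raise ValueError(f"unsafe path in SFV: {name!r}")
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if crc32_of(path) == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample: an intact file, then the same file with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d, "sample.iso")
        iso.write_bytes(b"constructed sample image\n" * 1000)
        sfv = "; constructed SFV\nsample.iso %08X\nabsent.iso 00000000\n" % crc32_of(iso)
        before = verify_sfv(sfv, d)
        iso.write_bytes(b"X" + iso.read_bytes()[1:])  # simulate download corruption
        return before, verify_sfv(sfv, d)
```

A passing result only rules out accidental corruption; authenticity still comes from checking the detached signature, for example with `gpg --verify <image>.sig <image>`.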


