[Dev] Using pacman2pacman by default

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Sat Mar 12 17:49:31 GMT 2016


On Sat, 12 Mar 2016 12:01:56 +0000 (GMT)
<nicolasmaia at tutanota.com> wrote:

> Widespread usage of pacman2pacman would greatly reduce the load on
> our tiny number of mirrors, and make us immune to server downtimes.
> IMO it should be bundled by default with all our distro variants.

What are the consequences of that?
- Would people be able to download all their updates this way? Would
  there be some torrent mirrors (available 24/24) to make sure of that?

- Would people be able to get the latest database in a trusted way?

- Is pacman2pacman still sequential, or can it download updates in
  parallel?
  If it's still sequential, one slow download will block the rest,
  dramatically reducing its download speed.
  If it's faster, many people would switch to it.
  Some people have more than one machine[2] of the same architecture
  under parabola, and that results in downloading the updates more than
  once.
  Transmission claims to support Local Peer discovery[3], but how to
  verify that it's actually used when using pacman2pacman?
  I didn't succeed in verifying it.

- Security and privacy wise, http(s) works through Tor. How does that
  compare to the encryption on torrents?
  Personally I use Tor here to make it harder to attack my computers: a
  global attacker monitoring the Internet or a big portion of it would
  have a hard time figuring out if an exploit would work since it
  wouldn't know in advance which packages are installed and which
  version (to know if they are up to date or not).
  To contrast that, note that Parabola and Arch don't have good
  policies dealing with building the packages[1].

References:
-----------
[1] We don't have reproducible builds, and, as I understand it,
    individual developers upload their binary packages.
    Since Arch ships non-free software, this isn't good at all for
    security, since their developers probably use that too.
    It also results in multiple points of failure: any of the developers
    might (knowing it or not) upload compromised packages.
    As I understand it, we use many of their packages as-is.
[2] Physical or virtual.
[3] https://en.wikipedia.org/wiki/Local_Peer_Discovery

Denis.
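Editor's note on the Local Peer Discovery question above: LPD (BEP 14) works by multicasting plain-text `BT-SEARCH` announces to 239.192.152.143:6771 (IPv4) or [ff15::efc0:988f]:6771 (IPv6), so whether a client actually uses it can be checked by capturing UDP port 6771 on the LAN and parsing the payloads. The following is an added example, not code from pacman2pacman, Transmission or the mail's author; the datagrams and info-hashes are constructed sample data.

```python
"""Parse BitTorrent Local Peer Discovery (BEP 14) announces captured on UDP 6771."""
import re
from typing import Optional

# Multicast groups and port defined by BEP 14.
LPD_GROUP_V4 = "239.192.152.143"
LPD_GROUP_V6 = "ff15::efc0:988f"
LPD_PORT = 6771
INFOHASH_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample traffic: two LPD announces and one unrelated SSDP datagram.
SAMPLE_DATAGRAMS = [
    ("192.168.1.10", b"BT-SEARCH * HTTP/1.1\r\nHost: 239.192.152.143:6771\r\nPort: 6881\r\n"
                     b"Infohash: 0123456789ABCDEF0123456789ABCDEF01234567\r\ncookie: 1a2b3c\r\n\r\n\r\n"),
    ("192.168.1.11", b"BT-SEARCH * HTTP/1.1\r\nHost: 239.192.152.143:6771\r\nPort: 51413\r\n"
                     b"Infohash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF\r\n\r\n\r\n"),
    ("192.168.1.12", b"M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\n\r\n"),
]

def parse_lpd_announce(payload: bytes) -> Optional[dict]:
    """Return {'port', 'infohashes', 'cookie'} for a valid BT-SEARCH announce, else None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if lines[0] != "BT-SEARCH * HTTP/1.1":
        return None
    headers, infohashes = {}, []
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if name == "infohash":            # a client may announce several torrents at once
            if not INFOHASH_RE.match(value):
                return None
            infohashes.append(value.lower())
        else:
            headers[name] = value
    if headers.get("host") not in (f"{LPD_GROUP_V4}:{LPD_PORT}", f"[{LPD_GROUP_V6}]:{LPD_PORT}"):
        return None                       # not addressed to the LPD multicast group
    try:
        port = int(headers["port"])
    except (KeyError, ValueError):
        return None
    if not 1 <= port <= 65535 or not infohashes:
        return None
    return {"port": port, "infohashes": infohashes, "cookie": headers.get("cookie")}

def local_peers_announcing(datagrams, wanted_infohash: str) -> dict:
    """Map source IP -> listening port for every host announcing the given info-hash."""
    wanted = wanted_infohash.lower()
    return {src: ann["port"] for src, payload in datagrams
            if (ann := parse_lpd_announce(payload)) and wanted in ann["infohashes"]}
```

Feeding it the info-hash of a package torrent and the payloads from a capture such as `tcpdump -i <iface> udp port 6771` shows which LAN machines announce that torrent; an empty result while a download is in progress means LPD is not being used for it.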