[Dev] Using pacman2pacman by default
Denis 'GNUtoo' Carikli
GNUtoo at no-log.org
Sat Mar 12 17:49:31 GMT 2016
On Sat, 12 Mar 2016 12:01:56 +0000 (GMT)
<nicolasmaia at tutanota.com> wrote:
> Widespread usage of pacman2pacman would greatly reduce the load on
> our tiny number of mirrors, and make us immune to server downtimes.
> IMO it should be bundled by default with all our distro variants.
What are the consequences of that?
- Would people be able to download all their updates this way? Would
there be some torrent mirrors (available 24/24) to make sure of that?
- Would people be able to get the latest database in a trusted way?
- Is pacman2pacman still sequential, or can it download updates in
If it's still sequential, one slow download will block the rest,
dramatically reducing its download speed.
If it's faster, many people would switch to it.
Some people have more than one machine of the same architecture
under Parabola, and that results in downloading the updates more than
Transmission claims to support Local Peer discovery, but how to
verify that it's actually used when using pacman2pacman?
I didn't succeed in verifying it.
- Security and privacy wise, http(s) works through Tor. How does that
compare to the encryption on torrents?
Personally I use Tor here to make it harder to attack my computers: a
global attacker monitoring the Internet or a big portion of it would
have a hard time figuring out if an exploit would work since it
wouldn't know in advance which packages are installed and which
version (to know if they are up to date or not).
To contrast that, note that Parabola and Arch don't have good
policies for building the packages.
We don't have reproducible builds, and, as I understand it,
individual developers upload their binary packages.
Since Arch ships non-free software, this isn't good at all for
security, since their developers probably use that too.
It also results in multiple points of failure: any of the developers
might (knowingly or not) upload compromised packages.
As I understand it, we use many of their packages as-is.
 Physical or virtual.
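The trust question raised above (can peer-fetched packages be trusted if the database comes from a trusted source?) comes down to one check: a package is accepted only if its hash matches the entry in the sync database, regardless of whether the bytes arrived over HTTP, Tor or a torrent swarm. The following added example, written for this page and not code from pacman or pacman2pacman, parses a pacman-style sync database (a tar archive of `<pkg>/desc` files with `%FILENAME%` and `%SHA256SUM%` fields) and verifies a downloaded file against it. The database archive and the package payload are constructed in memory; the real step this leaves out is verifying the database's own detached signature (`core.db.sig`) with the distro key before trusting its hashes.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample package: stands in for a real .pkg.tar.xz downloaded
# from a mirror or a torrent peer. Not a real Parabola package.
SAMPLE_PKG_NAME = "example-pkg-1.0-1-x86_64.pkg.tar.xz"
SAMPLE_PKG_BYTES = b"constructed package payload, stands in for a .pkg.tar.xz"


def parse_desc(text):
    """Parse a pacman 'desc' file into {KEY: [values]}.

    The format is blank-line separated blocks, each starting with a
    %KEY% line followed by one value per line."""
    fields = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            key = None
            continue
        if line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif key is not None:
            fields[key].append(line)
    return fields


def load_db(db_bytes):
    """Index a sync database (tar archive of <pkg>/desc entries) by package
    filename, keeping the SHA256 the database lists for each file."""
    index = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith("/desc"):
                continue
            desc = parse_desc(tar.extractfile(member).read().decode())
            index[desc["FILENAME"][0]] = {
                "name": desc["NAME"][0],
                "sha256": desc["SHA256SUM"][0].lower(),
            }
    return index


def verify_package(index, filename, pkg_bytes):
    """Return True only if pkg_bytes hashes to the SHA256 the database
    lists for filename. Unknown filenames are rejected, not trusted."""
    entry = index.get(filename)
    if entry is None:
        return False
    digest = hashlib.sha256(pkg_bytes).hexdigest()
    # Constant-time comparison; cheap insurance when comparing digests.
    return hmac.compare_digest(digest, entry["sha256"])


def build_sample_db(filename, pkg_bytes):
    """Construct a one-entry gzip'd sync database in memory (test fixture
    only; a real database is fetched from a mirror and carries a .sig)."""
    desc = (
        "%FILENAME%\n{fn}\n\n%NAME%\nexample-pkg\n\n%VERSION%\n1.0-1\n\n"
        "%SHA256SUM%\n{sha}\n"
    ).format(fn=filename, sha=hashlib.sha256(pkg_bytes).hexdigest())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = desc.encode()
        info = tarfile.TarInfo(name="example-pkg-1.0-1/desc")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Genuine bytes pass; a peer that serves altered bytes fails."""
    index = load_db(build_sample_db(SAMPLE_PKG_NAME, SAMPLE_PKG_BYTES))
    genuine = verify_package(index, SAMPLE_PKG_NAME, SAMPLE_PKG_BYTES)
    tampered = verify_package(index, SAMPLE_PKG_NAME, SAMPLE_PKG_BYTES + b"\x00")
    unknown = verify_package(index, "not-in-db-1.0-1-x86_64.pkg.tar.xz", SAMPLE_PKG_BYTES)
    return genuine, tampered, unknown


if __name__ == "__main__":
    print(demo())
```

With this check in place the source of the bytes stops mattering for integrity: a malicious torrent peer can at most waste bandwidth, not install a modified package. What it cannot do is replace the database signature check, which is the part that decides whether the hashes themselves are trusted, nor does it hide from a network observer which database and package files a host fetches, which is the privacy point Tor addresses.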