[Dev] Using pacman2pacman by default

Luke g4jc at openmailbox.org
Sat Mar 12 18:22:11 GMT 2016

On 03/12/2016 12:49 PM, Denis 'GNUtoo' Carikli wrote:
> What are the consequences of that?
> - Would people be able to download all their updates this way? Would
>   there be some torrent mirrors (available 24/24) to make sure of that?

We could use webseeds for this, but due to limitations of bittorrent it
is HTTP only. That is rather insecure overall...
> - Would people be able to get get the latest database in a trusted way? 
Good question.
> - Is pacman2pacman still sequential, or can it download updates in
>   parallel?
>   If it's still sequential, one slow download will block the rest,
>   dramatically reducing its download speed.
>   If it's faster, many people would switch to it.
>   Some people have more than one machine[2] of the same architecture
>   under parabola, and that result in downloading the updates more than
>   once.
>   Transmission claims to support Local Peer discovery[3], but how to
>   verify that it's actually used when using pacman2pacman?
>   I didn't succeed in verifying it.
> - Security and privacy wise, http(s) works trough Tor. How does that
>   compares to the encryption on torrents.
>   Personally I use Tor here to make it harder to attack my computers: a
>   global attacker monitoring the Internet or a big portion of it would
>   have a hard time figuring out if an exploit would work since it
>   wouldn't know in advance which packages are installed and which
>   version (to know if they are up to date or not).
>   To contrast that, note that Parabola, and Arch don't have good
>   policies dealing with building the packages[1].
No idea. Transmission does allow for encryption, not sure how good it
is. It is not made for anonymity by nature.

You brought up some good points. :)
> References:
> -----------
> [1] We don't have reproducible builds, and, as I understand it,
>     individual developers upload their binary packages.
>     Since Arch ships non-free software, this isn't good at all for
>     security, since their developers probably uses that too.
>     It also result in a multiple point of failure, any of the developers
>     might (knowing it or not) upload compromised packages.
>     Is I understand it, we use many of their packages as-is.
> [2] Physical or virtual.
> [3] https://en.wikipedia.org/wiki/Local_Peer_Discovery
> Denis.
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20160312/274c6beb/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20160312/274c6beb/attachment.sig>

More information about the Dev mailing list