[Dev] Using pacman2pacman by default
Luke
g4jc at openmailbox.org
Sat Mar 12 18:22:11 GMT 2016
On 03/12/2016 12:49 PM, Denis 'GNUtoo' Carikli wrote:
>
> What are the consequences of that?
> - Would people be able to download all their updates this way? Would
> there be some torrent mirrors (available 24/24) to make sure of that?
We could use webseeds for this, but due to limitations of bittorrent it
is HTTP only. That is rather insecure overall...
>
> - Would people be able to get the latest database in a trusted way?
Good question.
>
> - Is pacman2pacman still sequential, or can it download updates in
> parallel?
> If it's still sequential, one slow download will block the rest,
> dramatically reducing its download speed.
> If it's faster, many people would switch to it.
> Some people have more than one machine[2] of the same architecture
> under parabola, and that results in downloading the updates more than
> once.
> Transmission claims to support Local Peer discovery[3], but how to
> verify that it's actually used when using pacman2pacman?
> I didn't succeed in verifying it.
>
> - Security and privacy wise, http(s) works through Tor. How does that
> compare to the encryption on torrents?
> Personally I use Tor here to make it harder to attack my computers: a
> global attacker monitoring the Internet or a big portion of it would
> have a hard time figuring out if an exploit would work since it
> wouldn't know in advance which packages are installed and which
> version (to know if they are up to date or not).
> To contrast that, note that Parabola and Arch don't have good
> policies dealing with building the packages[1].
No idea. Transmission does allow for encryption, not sure how good it
is. It is not made for anonymity by nature.
You brought up some good points. :)
>
> References:
> -----------
> [1] We don't have reproducible builds, and, as I understand it,
> individual developers upload their binary packages.
> Since Arch ships non-free software, this isn't good at all for
> security, since their developers probably use that too.
> It also results in multiple points of failure: any of the developers
> might (knowing it or not) upload compromised packages.
> As I understand it, we use many of their packages as-is.
> [2] Physical or virtual.
> [3] https://en.wikipedia.org/wiki/Local_Peer_Discovery
>
> Denis.
>
>
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev
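One way to answer the Local Peer Discovery question raised in the thread (whether a client on the LAN really sends LPD announcements) is to join the LPD multicast group and watch for them. The listener below is an added example, not code from the thread, from pacman2pacman or from Transmission; it assumes the IPv4 multicast group 239.192.152.143 and UDP port 6771 from BEP 14, and the announcement it parses in the test is a constructed sample, not a captured packet.

```python
import socket
import struct
import time

# IPv4 multicast group and port defined by BEP 14 (Local Peer Discovery).
LPD_GROUP = "239.192.152.143"
LPD_PORT = 6771

# Constructed sample announcement in the BEP 14 wire format (not captured traffic).
# The port 51413 and the infohash are illustrative values only.
SAMPLE_ANNOUNCE = (
    b"BT-SEARCH * HTTP/1.1\r\n"
    b"Host: 239.192.152.143:6771\r\n"
    b"Port: 51413\r\n"
    b"Infohash: 0123456789abcdef0123456789abcdef01234567\r\n"
    b"cookie: example-cookie\r\n"
    b"\r\n\r\n"
)

HEX_DIGITS = set("0123456789abcdef")


def parse_bt_search(datagram):
    """Parse one LPD announcement datagram.

    Returns {"port": int, "infohashes": [hex, ...], "cookie": str or None},
    or None when the datagram is not a well-formed BT-SEARCH message.
    """
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0].startswith("BT-SEARCH"):
        return None
    headers = {}
    infohashes = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        value = value.strip()
        if name == "infohash":
            # A client may announce several torrents in one datagram.
            if len(value) == 40 and set(value.lower()) <= HEX_DIGITS:
                infohashes.append(value.lower())
        else:
            headers[name] = value
    port = headers.get("port")
    if port is None or not port.isdigit():
        return None
    port = int(port)
    if not 1 <= port <= 65535 or not infohashes:
        return None
    return {"port": port, "infohashes": infohashes, "cookie": headers.get("cookie")}


def listen_for_announcements(seconds=30, max_packets=100):
    """Join the LPD group and collect announcements seen on the local network.

    Returns a list of (source_ip, parsed_announcement) tuples. Run it on one
    machine while a BitTorrent client is active on another machine on the same
    LAN: if that client really uses LPD, its announcements show up here.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", LPD_PORT))
    membership = struct.pack("4s4s", socket.inet_aton(LPD_GROUP), socket.inet_aton("0.0.0.0"))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, membership)
    sock.settimeout(1.0)
    seen = []
    deadline = time.monotonic() + seconds
    try:
        while time.monotonic() < deadline and len(seen) < max_packets:
            try:
                data, (src_ip, _src_port) = sock.recvfrom(2048)
            except socket.timeout:
                continue
            parsed = parse_bt_search(data)
            if parsed is not None:
                seen.append((src_ip, parsed))
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    for src, ann in listen_for_announcements():
        print(f"{src} announces port {ann['port']} for {', '.join(ann['infohashes'])}")
```

Seeing announcements from the other host's address confirms that LPD traffic is actually being sent on the LAN; the infohashes can be compared against the torrents that host is downloading. Running the listener on the same host as the client is less conclusive, since a client may receive its own multicast.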