Thread: How much can I trust the mirrors of opensuse repos?

  1. #1

    How much can I trust the mirrors of opensuse repos?

    My internet connection is not stable to official repo url e.g http://download.opensuse.org/tumbleweed/repo/non-oss/

    Let's say I find a mirror to which my connection is much faster. I have doubt if I can trust them though. Can't they provide fake packages that intends to compromise my system? How viable is that kind of attack?
    openSUSE Leap 15.0

  2. #2
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,631
    Blog Entries
    3

    Re: How much can I trust the mirrors of opensuse repos?

    As far as I know, this should be safe.

    I'm not sure of the details. I think the repo meta-data is digitally signed (with an opensuse key for the main repos and a packman key for the packman repo). And I think the meta-data contains file hashes to verify the rpms in the repo. The rpms are probably signed also, but I have seen zypper accept packages where the rpm was signed by an unknown key. I think the real check is in the meta-data.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
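    As an added illustration of the chain the reply above describes (this is example code, not from the thread or from the openSUSE project): in the RPM-MD repository format the file that carries the signature is repomd.xml (openSUSE publishes repomd.xml.asc and repomd.xml.key next to it), repomd.xml lists the checksum of primary.xml.gz, and primary.xml lists the checksum of every rpm. The script below replays those two hash hops over a small constructed repository and shows that a package or a metadata file altered by a mirror fails to verify. It assumes the GPG check on repomd.xml has already been done (zypper does that against the keys in the rpm keyring), so only that file is trusted as input; the package bytes and file names are constructed stand-ins.

```python
"""Replay the RPM-MD trust chain over a constructed sample repository.

signed repomd.xml -> checksum of primary.xml.gz -> per-package checksum -> rpm
Anything a mirror alters below the signature fails a hash comparison here.
"""
import gzip
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = {"repo": "http://linux.duke.edu/metadata/repo"}
COMMON_NS = {"c": "http://linux.duke.edu/metadata/common"}


def _digest(algo, data):
    # Accept only the digest types that appear in RPM-MD metadata.
    if algo not in ("sha256", "sha512", "sha1"):
        raise ValueError("unsupported checksum type: %s" % algo)
    return hashlib.new(algo, data).hexdigest()


def parse_repomd(repomd_xml):
    """Map each <data type=...> entry of repomd.xml to its location and checksums."""
    entries = {}
    for data in ET.fromstring(repomd_xml).findall("repo:data", REPO_NS):
        csum = data.find("repo:checksum", REPO_NS)
        open_csum = data.find("repo:open-checksum", REPO_NS)
        entries[data.get("type")] = {
            "href": data.find("repo:location", REPO_NS).get("href"),
            "type": csum.get("type"),
            "checksum": csum.text.strip(),
            # open-checksum covers the decompressed file; it is optional
            "open_checksum": open_csum.text.strip() if open_csum is not None else None,
        }
    return entries


def parse_primary(primary_xml):
    """Map each package href in primary.xml to (checksum type, checksum)."""
    pkgs = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", COMMON_NS):
        csum = pkg.find("c:checksum", COMMON_NS)
        pkgs[pkg.find("c:location", COMMON_NS).get("href")] = (csum.get("type"), csum.text.strip())
    return pkgs


def verify_primary(repomd_xml, primary_gz):
    """Check primary.xml.gz, and its decompressed body, against the trusted repomd.xml."""
    entry = parse_repomd(repomd_xml)["primary"]
    if _digest(entry["type"], primary_gz) != entry["checksum"]:
        return False
    if entry["open_checksum"] is not None:
        return _digest(entry["type"], gzip.decompress(primary_gz)) == entry["open_checksum"]
    return True


def verify_package(primary_xml, href, rpm_bytes):
    """Check a downloaded package against the checksum primary.xml lists for it."""
    pkgs = parse_primary(primary_xml)
    if href not in pkgs:
        return False  # a file the signed metadata never mentioned
    algo, expected = pkgs[href]
    return _digest(algo, rpm_bytes) == expected


def verify_download(repomd_xml, primary_gz, href, rpm_bytes):
    """Full chain: (GPG-verified) repomd.xml -> primary.xml.gz -> package file."""
    if not verify_primary(repomd_xml, primary_gz):
        return False
    return verify_package(gzip.decompress(primary_gz), href, rpm_bytes)


def build_sample_repo():
    """Constructed sample repository with one package; not real openSUSE data."""
    href = "x86_64/example-1.0-1.1.x86_64.rpm"          # constructed name
    rpm_bytes = b"constructed stand-in for an rpm file"  # constructed payload
    primary_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">\n'
        '  <package type="rpm"><name>example</name><arch>x86_64</arch>\n'
        '    <checksum type="sha256" pkgid="YES">%s</checksum>\n'
        '    <location href="%s"/>\n'
        '  </package>\n</metadata>\n' % (_digest("sha256", rpm_bytes), href)
    ).encode()
    primary_gz = gzip.compress(primary_xml, mtime=0)
    repomd_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        '  <data type="primary">\n'
        '    <checksum type="sha256">%s</checksum>\n'
        '    <open-checksum type="sha256">%s</open-checksum>\n'
        '    <location href="repodata/primary.xml.gz"/>\n'
        '  </data>\n</repomd>\n' % (_digest("sha256", primary_gz), _digest("sha256", primary_xml))
    ).encode()
    return repomd_xml, primary_gz, href, rpm_bytes


if __name__ == "__main__":
    repomd, primary_gz, href, rpm = build_sample_repo()
    print("genuine package:", verify_download(repomd, primary_gz, href, rpm))
    print("package altered by mirror:", verify_download(repomd, primary_gz, href, rpm + b"x"))
    print("metadata altered by mirror:", verify_download(repomd, b"not the real primary", href, rpm))
```

    The useful consequence for the original question: a mirror that serves a modified rpm, or a modified primary.xml pointing at modified rpms, is caught as long as repomd.xml itself is fetched from a trusted source and its signature is checked, which is why the signature on that one small file matters more than which host the large files come from.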

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,631
    Blog Entries
    3

    Re: How much can I trust the mirrors of opensuse repos?

    I'll add a general comment on my experience with Tumbleweed.

    My normal practice is to do:
    Code:
    zypper up libsolv-tools libzypp zypper rpm
    That is usually quite slow. The delay is in downloading the metadata. Often it finds that there's nothing to update, but that's okay. The time was not wasted.

    Next, I do:
    Code:
    zypper dup
    That normally uses the metadata already downloaded by the previous command. This command is occasionally very slow, but usually at a decent speed.

    It looks as if metadata always comes from opensuse.org, while the rpms can come from mirrors. Hence the usual better speed for the second command. If I happen to do an update shortly after a new snapshot was published, then the "zypper dup" is slow. That's probably because the mirrors have not yet been updated, and mirrorbrain is smart enough to usually not send me to a stale mirror.

    I also download the DVD iso around once per month (for a test install). I use "aria2c" for this. If I get in too soon after the snapshot was published, the download is slow. It often speeds up after a while. If I check the ".meta4" file used, then if I download too early it contains only the main site and no additional mirror, hence the slow download. However, it speeds up after a while. My best guess is that the main download site is initially overloaded with mirrors updating and users who are doing early updates. But, as the mirrors come into operation, that takes some of the load off the main site and speed improves.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4

    Re: How much can I trust the mirrors of opensuse repos?

    Quote Originally Posted by nrickert
    I'll add a general comment on my experience with Tumbleweed.

    My normal practice is to do:
    Code:
    zypper up libsolv-tools libzypp zypper rpm
    That is usually quite slow. The delay is in downloading the metadata. Often it finds that there's nothing to update, but that's okay. The time was not wasted.

    I should do this every time for an update? or just once?

    Next, I do:
    Code:
    zypper dup
    That normally uses the metadata already downloaded by the previous command. This command is occasionally very slow, but usually at a decent speed.

    It looks as if metadata always comes from opensuse.org, while the rpms can come from mirrors. Hence the usual better speed for the second command. If I happen to do an update shortly after a new snapshot was published, then the "zypper dup" is slow. That's probably because the mirrors have not yet been updated, and mirrorbrain is smart enough to usually not send me to a stale mirror.

    I also download the DVD iso around once per month (for a test install). I use "aria2c" for this. If I get in too soon after the snapshot was published, the download is slow. It often speeds up after a while. If I check the ".meta4" file used, then if I download too early it contains only the main site and no additional mirror, hence the slow download. However, it speeds up after a while. My best guess is that the main download site is initially overloaded with mirrors updating and users who are doing early updates. But, as the mirrors come into operation, that takes some of the load off the main site and speed improves.
    I usually use "zypper up" for regular updates. You suggest that I should use dup for TW update coz it then can receive updates from mirrors?
    openSUSE Leap 15.0

  5. #5

    Re: How much can I trust the mirrors of opensuse repos?

    I just followed your suggestion but my dup still hangs there for about 10 mins without any progress or warning.


    Maybe I have reported this in another thread, that there's something wrong with zypper updating with an unstable connection.


    Try doing an update and then turn off your router. Very likely zypper will hang there forever.
    openSUSE Leap 15.0

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,631
    Blog Entries
    3

    Re: How much can I trust the mirrors of opensuse repos?

    Quote Originally Posted by bonedriven
    I usually use "zypper up" for regular updates. You suggest that I should use dup for TW update coz it then can receive updates from mirrors?
    No. Either "up" or "dup" should use mirrors. It's the metadata that apparently avoids mirrors.

    Whether to use "up" or "dup" is a different decision. In my case, everything comes from either the standard repos or Packman, and I have given Packman a priority of 98 (with 99 for the others), so that Packman should be preferred. Using "dup" allows vendor change, which is roughly the same as switching vendors. Using "up" disallows vendor change. For what I am using, vendor change is usually okay -- typically it is opensuse --> packman, though I occasionally see a vendor change in the other direction probably due to a dependency issue.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
