this post was submitted on 13 Jan 2024
8 points (75.0% liked)

Arch Linux

7763 readers
7 users here now

The beloved lightweight distro

founded 4 years ago
MODERATORS
 

Arch wiki page on reflector states that:

Make sure the resulting /etc/pacman.d/mirrorlist does not contain entries that you consider untrustworthy before syncing or updating with pacman.

The question is, how should I know if a mirror is trustworthy or not?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] driveway@lemmy.zip 3 points 10 months ago (1 children)

How does this answer the question?

[โ€“] wwwgem@lemmy.ml 1 points 10 months ago

Reflector relies on ArchLinux mirror status but limit the list you will end up using based on options like the country. This can already limit the "risk" even though the mirrors only grant you access to the packages so it's basically a list of URL.
The risk will be to install untrusted packages or use "Siglevel=Never" if you have allowed such things in your system. Similarly if you use AUR it's highly recommended to check the PKGBUILD before installation.