this post was submitted on 13 Jan 2024
8 points (75.0% liked)

Arch Linux

7763 readers
7 users here now

The beloved lightweight distro

founded 4 years ago
MODERATORS
 

Arch wiki page on reflector states that:

Make sure the resulting /etc/pacman.d/mirrorlist does not contain entries that you consider untrustworthy before syncing or updating with pacman.

The question is, how should I know if a mirror is trustworthy or not?

top 13 comments
sorted by: hot top controversial new old
[–] wwwgem@lemmy.ml 17 points 10 months ago (3 children)

Personally I use reflector like so:

reflector --verbose --country "United States" -l 200 -p http --sort rate --save /etc/pacman.d/mirrorlist

[–] driveway@lemmy.zip 3 points 10 months ago (1 children)

How does this answer the question?

[–] wwwgem@lemmy.ml 1 points 10 months ago

Reflector relies on ArchLinux mirror status but limit the list you will end up using based on options like the country. This can already limit the "risk" even though the mirrors only grant you access to the packages so it's basically a list of URL.
The risk will be to install untrusted packages or use "Siglevel=Never" if you have allowed such things in your system. Similarly if you use AUR it's highly recommended to check the PKGBUILD before installation.

[–] Thorned_Rose@kbin.social 2 points 10 months ago (1 children)

Bonus cookie if you hook it into pacman.

[–] Cwilliams@beehaw.org 1 points 10 months ago (1 children)
[–] Thorned_Rose@kbin.social 1 points 10 months ago (2 children)

Assuming you mean teach you how this is done? If so, it would appear that hooking into pacman is no longer the best way to do this (TBF, my Arch installs run for many years without reinstall so I'm not always up to date on best practices lol). Seems that setting up reflector as a systemd timer is now the preferred method.

https://wiki.archlinux.org/title/Reflector#pacman_hook

[–] wwwgem@lemmy.ml 2 points 10 months ago

Right. I personaly run it as part of a script when I clean the pacman cache with the Scc options.
A note about this command: it deletes from the cache all past versions of installed packages and all uninstalled packages. This will prevent downgrading or reinstalling packages without downloading them again. One may prefer using less aggressive options or paccache.

[–] Cwilliams@beehaw.org 1 points 10 months ago
[–] costalfy@programming.dev 1 points 10 months ago
[–] victorz@lemmy.world 7 points 10 months ago (2 children)

Well, mine is the university five minutes from my neighborhood, and I basically know the people who run it. So it's pretty obvious to me, personally. I just picked that one manually and deleted all the others (kept a few that were closest to me geographically, but commented-out, as backup if something were to go wrong).

[–] CrabAndBroom@lemmy.ml 2 points 10 months ago

Same here, I don't know the people but I just use my local uni's computer science club cause I just think it's endearing lol

[–] driveway@lemmy.zip 2 points 10 months ago (1 children)

I'm just using the kernel.org mirror for now but I should look into unis too. Good idea.

[–] victorz@lemmy.world 1 points 10 months ago

I hope you find one that works for you! 😊👍