On 10/27/2010 02:03 AM, Kaiting Chen wrote:
On Tue, Oct 26, 2010 at 10:55 AM, PyroPeter<[email protected]> wrote:
To actually track the tcp-traffic (indirectly containing the name of
the requested package) archlinux.org would have to _proxy_ the traffic
(_all_ data would go _twice_ through their network infrastructure).
This would make the concept of mirrors useless.
The other possibility would be a round-robin domain name
(like e.g. irc.freenode.net). This way archlinux.org could only
log that a connection was made, but not which packages were requested.
(Additionally all mirrors would have to use the same folder hierarchy)
TL,DR: There is no technical way to monitor all package downloads.
Regards, PyroPeter
Not true, Arch could set up a round robin proxy to other mirrors such that
when a package is requested it returns a HTTP 302 or HTTP 303 redirect. Then
the only network traffic routed through Arch servers would only be the
request HTTP headers which is quite insubstantial but would still allow real
package statistics to be retrieved.
Kaiting.
Yes, you are right.
This would even allow to host the package lists at archlinux.org
(I assume they include checksums of the archives) which would
help with the security concerns (non-signed packages, etc...) as
you would not be forced to trust the mirrors any longer.
(as long as you did not use MD5 for the hashes ;-) )
Regards, PyroPeter
--
freenode/pyropeter "12:50 - Ich drücke Return."
