> The main repo is repo.parabola.nu, right? I presume that is the one > that the others sync with.
Yes. > There is a directory called "latest" which contains the image from > last year. :) It looks like potential confusion could be prevented by > simply deleting it, since the "2013.09.01" directory is identical. This needs fixing. > The other repos that are not identical simply seem to have not synced > in a while, but I know that's typical in a small distro. Most mirrors are outdated or broken now [0]. I think not all mirrors get all files: some exclude e.g. mips64el, maybe some isos too. [0] https://www.parabola.nu/mirrors/status/ > In the most recent directory, "2014.10.07", an .sfv (Simple > verification) file is provided rather than a checksum file. Scratching > my head at this. Before now, I'd never even heard of SFV. A quick > search gives me many sources saying that SFV cannot be used to verify > a file's authenticity. Even MD5 hashes are better. However, these > days, we shouldn't use anything less than SHA-2 hashes (sha256sum, for > example), because everything weaker has been broken! I think we should remove all checksum files and include a GPG signature using SHA-2. This probably needs fixing our key signing policy.
signature.asc
Description: PGP signature
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
