Michał Masłowski <[email protected]> writes:

> Gaming4JC asked on #parabola for mirror efficiency improvement ideas,
> since parabola.goodgnus.com.ar has much traffic.
>
> My observations:
>
> - first mirror in /etc/pacman.d/mirrorlist is preferred;
>   parabola.goodgnus.com.ar is first
> - IPv6-only mirrors lead to IPv4-only users getting mysterious errors
> - mirrors break, so users cannot get newer mirrorlist to use working
>   ones
> - usually at least one of the Parabola servers works
> - distrowatch.com once linked to an ISO on my server using nearly all
>   of my monthly bandwidth (improved since)
>
> Proposed solution:
>
> - have only one default mirror:
>
>   # Parabola GNU/Linux-libre
>
>   Server = http://mirror.parabola.nu/$repo/os/$arch
>
> - add mirror.parabola.nu NS records pointing to some slave servers,
>   have master on a server running nsd
> - generate the zone file in this way:
>   - use a master list of mirrors with responsible and location data
>   - test each mirror: get e.g. libre/os/x86_64/libre.db, check if
>     it's not too old, if this works, add its IPv4 address to an A
>     record, IPv6 to AAAA
>   - have small TTLs for these records and small slave refresh time
> - post a news item on https://parabolagnulinux.org/, ask users to
>   update to the new mirror list
> - measure bandwidth use of mirrors, should be more uniform afterwards

+1 i'm using owns[1] to manage my zones on nsd and it needs a little
love :)

[1]: https://github.com/fauno/owns

> Expected results:
>
> - a random mirror is used by each user for some time
> - systems use IPv6 mirrors if they have IPv6, IPv4-only otherwise
> - broken mirrors won't be used after name servers update the zone
>
> Problems:
>
> - the master server needs IPv4 and IPv6, parabolagnulinux.org and
>   repo.parabolagnulinux.org don't have IPv6; any plans to change this?

parabolagnulinux.org has ipv6 through librevpn (which gateways through
my node...)

> - one problem is intentionally missing from this list

D:

> - no HTTPS for mirrors; not needed for authenticity nor integrity:
>   packages are signed; repo dbs should be signed too; is it needed for
>   confidentiality? i.e. do standard traffic analysis attacks on
>   public static data published over HTTPS work on it? do we need
>   confidentiality for it?

it'd be nice if an attacker wouldn't know the software you use?

how's pacman behaving with http redirects?

-- 
:D
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabolagnulinux.org/mailman/listinfo/dev
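
The zone-generation step proposed in the thread (test each mirror's libre.db for freshness, then publish its IPv4 address as A and IPv6 as AAAA with a small TTL), as an added example that is not code from the thread, from owns, or from Parabola. The mirror names, addresses, the two-day age limit, the 300-second TTL, the relative owner name `mirror` and the rule of not publishing when one address family is empty are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import ipaddress

MAX_AGE = timedelta(days=2)  # assumption: how old libre.db may be
TTL = 300                    # assumption: the "small TTL", in seconds
SAMPLE_NOW = datetime(2014, 1, 7, 8, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed sample: (mirror, its addresses, Last-Modified header seen for
# libre/os/x86_64/libre.db, or None when the fetch failed).
SAMPLE_MIRRORS = [
    ("mirror-a.example", ["192.0.2.10", "2001:db8::10"], "Mon, 06 Jan 2014 08:00:00 GMT"),
    ("mirror-b.example", ["198.51.100.7"], "Sun, 01 Dec 2013 08:00:00 GMT"),  # stale
    ("mirror-c.example", ["2001:db8::c"], None),                             # down
    ("mirror-d.example", ["203.0.113.5"], "not a date"),                     # bad header
]

def is_fresh(last_modified, now):
    """True only if the header parses and the db is at most MAX_AGE old."""
    if not last_modified:
        return False
    try:
        stamp = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return False
    if stamp.tzinfo is None:  # header without a zone: treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return now - stamp <= MAX_AGE

def zone_records(mirrors, now, owner="mirror"):
    """A/AAAA lines for every address of every mirror that passed the test."""
    records = []
    for _host, addresses, last_modified in mirrors:
        if not is_fresh(last_modified, now):
            continue
        for text in addresses:
            ip = ipaddress.ip_address(text)
            rtype = "AAAA" if ip.version == 6 else "A"
            records.append(f"{owner} {TTL} IN {rtype} {ip}")
    return records

def publishable(records):
    """Assumed guard: keep the old zone if either address family is empty,
    so IPv4-only (or IPv6-only) users are never left without a mirror."""
    return {"A", "AAAA"} <= {line.split()[3] for line in records}

if __name__ == "__main__":
    print("\n".join(zone_records(SAMPLE_MIRRORS, SAMPLE_NOW)))
```

In a real run the third field would come from an HTTP request to each mirror, and the freshness test only says the mirror is current, not that the database is authentic; that still depends on the signatures discussed in the thread.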
