Denis 'GNUtoo' Carikli writes:
> On Sun, 14 Feb 2016 20:42:02 +
> Josh Branning wrote:
>
>> Thanks for telling about this. I commented out the line and it seems
>> to work ok for now.
> It does, after upgrading you can even put back the new default
> mirrorlist since it has been updated.
>
>
On Sun, 14 Feb 2016 20:42:02 +
Josh Branning wrote:
> Thanks for telling about this. I commented out the line and it seems
> to work ok for now.
It does, after upgrading you can even put back the new default
mirrorlist since it has been updated.
My main concerns about that issue are:
-> Many
On 13/02/16 22:06, Denis 'GNUtoo' Carikli wrote:
Hi,
Summary:
If you used the default pacman mirrorlists, your system is not up to
date.
http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch was the default
mirror in /etc/pacman.d/mirrorlist
Thanks for telling about this. I comment
On Sat, 13 Feb 2016 23:06:38 +0100
Denis 'GNUtoo' Carikli wrote:
> I should also do a proper bugreport.
Now that parabola infrastructure is back up, I can now bugreport.
Here it is: https://labs.parabola.nu/issues/933
Denis.
pgpGDu4srS5Ap.pgp
Description: OpenPGP digital signature
_
On Sat, 13 Feb 2016 23:06:38 +0100
Denis 'GNUtoo' Carikli wrote:
Someone mentioned reflector to me on IRC:
> usage: Reflector.py [-h] [--connection-timeout n] [--list-countries]
> [--cache-timeout n] [--save ]
> [--sort {score,delay,rate,age,country}]
> [--
On Sun, 14 Feb 2016 11:59:39 -0300
fauno wrote:
> Denis 'GNUtoo' Carikli writes:
> > As for shorter term, we probably need to make sure the mirrorlist is
> > coming from a trusted mirror that can be updated.
> >
> > We should of course use transports that can't be tempered with, such
> > as http
In order for upgrades to be safe, signatures are not enough.
This is because most old packages are signed with a key that is
trusted by the system being updated.
Even if db are signed, that stills applies.
The main idea is to:
-> Prevent MITM attacks. This should be done soon
Denis 'GNUtoo' Carikli writes:
> As for shorter term, we probably need to make sure the mirrorlist is
> coming from a trusted mirror that can be updated.
>
> We should of course use transports that can't be tempered with, such
> as https or onion services it. Else a man in the middle can just
> re
Hi,
Summary:
If you used the default pacman mirrorlists, your system is not up to
date.
http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch was the default
mirror in /etc/pacman.d/mirrorlist
That mirror was not updated for a while, so people using the default
configuration are still