About example 4, the script
I don't understand the reason we have in the first line of the script the command
wget -O /etc/pacman.d/mirrorlist.backup https://www.archlinux.org/mirrorlist/all/
It seems completely useless because reflector downloads the mirrorlist itself.
Security concerns with untrustworthy mirrors
The article warns the user to check the resulting list for untrustworthy mirrors. This seems nonsensical to me, as the packages are signed to mitigate exactly this security concern. Checking the version history reveals that the warning first appeared very early in the editing process (compare ), and has been reworded and moved by multiple users since then. The original note does not warn users of "untrustworthy mirrors", but rather of "strange entries", leaving it ambiguous whether the note is about malicious mirrors or malformed entries (as might occur through a bug in reflector itself). As the ArchMirrorStatus page does not carry a warning about malicious mirrors, and as signing should make creating malicious mirrors impossible, I assume that the latter is the case.
As this is possibly a security-relevant issue, I have put this discussion thread up first and will only modify the page if nobody raises concerns.
- Packages are signed, but the package databases are not. i.e. an attacker could add or replace arbitrary packages with his own. -- Alad (talk) 11:47, 20 April 2016 (UTC)
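A check for the "strange entries" the note refers to, added here as an example written for this discussion, not code from the wiki page or from reflector. The sample mirrorlist is constructed, and the rules (HTTPS only, no embedded credentials, a hostname present, path ending in $repo/os/$arch) are assumptions about what a reviewer of a generated list would want flagged; a mirror that serves well-formed URLs but tampered content is not detectable this way, which is the point about unsigned databases raised above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the format reflector writes; not taken from the wiki page.
SAMPLE_MIRRORLIST = """\
## Arch Linux mirrorlist generated by Reflector (constructed sample)
Server = https://mirror.example.org/archlinux/$repo/os/$arch
Server = http://plain.example.net/archlinux/$repo/os/$arch
#Server = https://commented.example.org/$repo/os/$arch
Server = https://odd.example.com/archlinux/$repo/os
Server = ftp://files.example.edu/pub/archlinux/$repo/os/$arch
Server = https://user:pw@mirror.example.io/$repo/os/$arch
garbage line that is not a directive
"""

SERVER_RE = re.compile(r"^\s*Server\s*=\s*(\S+)\s*$")
EXPECTED_SUFFIX = "/$repo/os/$arch"  # assumed layout every pacman mirror URL should end with


def check_mirrorlist(text, allowed_schemes=("https",)):
    """Return a list of (line_no, entry, reason) for entries a reviewer should look at.

    Only 'Server = ' lines are evaluated; blank lines and comments are skipped;
    any other non-comment line is reported as malformed.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SERVER_RE.match(line)
        if not m:
            findings.append((no, stripped, "not a Server directive"))
            continue
        url = m.group(1)
        parsed = urlparse(url)
        if parsed.scheme not in allowed_schemes:
            findings.append((no, url, f"scheme '{parsed.scheme}' not in {allowed_schemes}"))
        if parsed.username or parsed.password:
            findings.append((no, url, "credentials embedded in URL"))
        if not parsed.hostname:
            findings.append((no, url, "missing hostname"))
        if not parsed.path.endswith(EXPECTED_SUFFIX):
            findings.append((no, url, f"path does not end with {EXPECTED_SUFFIX}"))
    return findings


if __name__ == "__main__":
    for no, item, reason in check_mirrorlist(SAMPLE_MIRRORLIST):
        print(f"line {no}: {reason}: {item}")
```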