Talk:Reflector

From ArchWiki
Jump to: navigation, search

About example 4, the script

I don't understand the reason we have in the first line of the script the command

wget -O /etc/pacman.d/mirrorlist.backup https://www.archlinux.org/mirrorlist/all/

It seams completely unuseful because reflector download the mirrorlist itself.

speedytux (talk) 07:13, 24 April 2015 (UTC)

It looks to me like it just makes sure there's a backup of the whole mirror list, in case reflector borks. Schultzter (talk) 14:13, 24 April 2015 (UTC)

Security concerns with untrustworthy mirrors

The article warns the user to check the resulting list for untrustworthy mirrors. This seems nonsensical to me, as the packages are signed, to mitigate exactly this security concern. Checking the version history reveals, that the warning first appeared very early in the editing process (compare [1]), being reworded and moved by multiple users since then. The original note does not warn the users of "untrustworthy mirrors", but rather of "strange entries", leaving an ambiguity, whether the note is about malicious mirrors, or malformed entries (as might occur through a bug in reflector itself). As the ArchMirrorStatus-page does not carry a warning about malicious mirrors and as signing should make creating malicious mirrors impossible, I assume that the latter is the case.

As this is possibly a security-relevant issue, I have put this discussion thread up first and will only modify the page if nobody raises concerns.

Nuvanda (talk) 11:43, 20 April 2016 (UTC)

Packages are signed, but the package databases are not. i.e. an attacker could add or replace arbitrary packages with his own. -- Alad (talk) 11:47, 20 April 2016 (UTC)
However this would (according to [2]) require the attacker to be a trusted user, as the key signing the forged package needs to be cross-signed with one of the master signing keys. Or am I mistaken? -- Nuvanda (talk) 16:02, 20 April 2016 (UTC)