From ArchWiki
Latest comment: 26 September 2021 by Stuthtle in topic Overwriting Default Mirrorlist

Overwriting Default Mirrorlist

The warning at the top of the page stated that reflector overwrites /etc/pacman.d/mirrorlist by default. That is untrue. By default it prints a mirrorlist to STDOUT. The user must pass an option with a path to the default file to overwrite it (or any other file), which is what the following examples do, but that is a choice of the page's author(s), not reflector. Incidentally, I do not recommend using reflector for automatic updating of the system mirrorlist. It should be used to generate a list that is inspected by the user and only then moved to the default location for system use. Xyne (talk) 23:08, 7 July 2016 (UTC)
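One way to follow the stage-then-inspect workflow described above, as an added example that is not part of the ArchWiki page, the talk thread, or reflector itself: reflector writes into a staging file, the staged list is checked (HTTPS-only `Server =` entries and a minimum count), and only a list that passes is installed over /etc/pacman.d/mirrorlist with a backup kept. The function names, the particular reflector options, and the checks applied are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or from reflector): stage
# reflector's output, sanity-check it, then install it. Function names,
# reflector options and the checks below are illustrative assumptions.

# check_mirrorlist FILE [MIN_SERVERS]
# Returns 0 only if every non-comment, non-blank line is an HTTPS
# "Server = ..." entry in the usual pacman form and at least MIN_SERVERS
# (default 3) such entries are present. Anything else is reported and
# rejected, so a surprising line never reaches pacman unnoticed.
check_mirrorlist() {
    file=$1
    min=${2:-3}
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)
                continue ;;                                 # comment or blank
            'Server = https://'*'/$repo/os/$arch')
                count=$((count + 1)) ;;                     # acceptable entry
            *)
                printf 'rejected line: %s\n' "$line" >&2
                return 1 ;;
        esac
    done < "$file"
    [ "$count" -ge "$min" ]
}

# install_mirrorlist
# Generates a candidate list into a staging file in the same directory
# as the target (so the final rename is atomic), runs check_mirrorlist,
# keeps a .bak of the current list and installs the candidate. Must be
# run as root; a failing candidate is left in place for inspection.
install_mirrorlist() {
    target=/etc/pacman.d/mirrorlist
    staged=$(mktemp "$target.XXXXXX") || return 1
    # Assumed reflector invocation; narrow with --country as you see fit.
    if ! reflector --protocol https --age 12 --latest 20 --sort rate --save "$staged"; then
        rm -f "$staged"
        return 1
    fi
    if check_mirrorlist "$staged" 3; then
        cp -p "$target" "$target.bak" 2>/dev/null || true
        chmod 644 "$staged"
        mv "$staged" "$target"
    else
        printf '%s failed checks; %s left untouched, inspect the staged file\n' "$staged" "$target" >&2
        return 1
    fi
}

# Nothing runs at load time; call install_mirrorlist explicitly, e.g.
#   MIRRORLIST_RUN=1 sh stage-mirrorlist.sh
[ -n "${MIRRORLIST_RUN:-}" ] && install_mirrorlist
```

The check only enforces form (HTTPS, pacman's expected path layout, a minimum number of entries); which hosts you are willing to sync databases from is still a judgement to make while reading the staged file.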

Good correction on that it actually just prints to STDOUT by default. Concerning the potential untrustworthiness of a mirror, how do you determine that? I thought reflector uses the official mirror list and that all packages were signed (see above)? -- Rdeckard (talk), ArchWiki Maintainer 01:48, 8 July 2016 (UTC)
It does use the official mirrorlist API. Although the packages are signed, the databases are not. There are discussions on the forum and elsewhere about the potential exploits. I believe that replay attacks were the main concern, i.e. a malicious mirror could push old (signed) versions of packages with known vulnerabilities. As for which mirrors to trust, there is no simple answer. All of the mirrors are implicitly trusted but I do not know how they vet potential mirrors before inclusion. There is no way that the devs can rigorously verify the trustworthiness of each mirror. Beyond the mirror hosts, some users may wish to avoid mirrors in some countries due to possible government or corporate interference. As a rule of thumb, choose a mirror in a country with decent privacy and protection laws with a host that you know or at least one which has been around for a while and maybe involved in the open source community in other ways. Note that security concerns are only for database synchronization. Once you have those, you can download the signed packages from any host you want (which is what powerpill/bauerbill do for parallel package downloads). Xyne (talk) 20:53, 13 July 2016 (UTC)

How much of a risk is overwriting /etc/pacman.d/mirrorlist by default? Reflector has a filter for mirror score. What are the chances a high 'mirror score' will be malicious? Manual inspection is, well, manual. Users can assess the relative risk and decide for themselves. Perhaps use a note for it instead of a warning. Stuthtle (talk) 19:09, 26 September 2021 (UTC)