From Carlos:
The Sunday 2006-12-17 at 18:45 -0600, Rajko M. wrote:
Some other neat features which are still unsupported are inclusion of PGP signatures and some other stuff.
That is what is necessary to verify source of files.
IMO, it would be suficient to sign the xml metalink file itself. As it contains the md5sum check of the image, that would enough to certify that what you downloaded was the correct signed file.
That is definitely a possibility.
Also, segment md5sums could be used to certify mirror sites: if a segment downloaded from a site doesn't check, and a retry fails again, that would mark that site as "bad" or bogus or whatever.
Yes.
An alternative is to sign the image, but that would be better done by the image provider/maker.
Tricky problem! ;-)
Yes, hopefully whoever makes the ISO will sign them (if they're interested in this). Here's the currently unimplemented idea for metalink, which could change if the clients find out it is clumsy or bad once they start putting it into practice. For those unfamiliar, Linux Kernels (linux-2.6.19.1.tar.bz2) are signed with a separate file (linux-2.6.19.1.tar.bz2.sign) which looks like this: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: See http://www.kernel.org/signature.html for info iD8DBQBFfdY4yGugalF9Dw4RAhpVAJ91gKuKakVYF8VPltPwalOi0/1WcQCfQR1A TAtxcYJjqogTkkvcUoTD34I= =68Ad -----END PGP SIGNATURE----- This can be easily inside the Metalink, like this: <verification> <signature type="pgp" file="linux-2.6.19.1.tar.bz2.sign"> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: See http://www.kernel.org/signature.html for info iD8DBQBFfdY4yGugalF9Dw4RAhpVAJ91gKuKakVYF8VPltPwalOi0/1WcQCfQR1A TAtxcYJjqogTkkvcUoTD34I= =68Ad -----END PGP SIGNATURE----- </signature> </verification> Or just listed as another file within the metalink <resources> <url>http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.19.1.tar.bz2.sign </url> </resources> At the least, a client could recognize when a signature is included in the metalink and tell the client to verify it manually gpg --verify linux-2.6.19.1.tar.bz2.sign linux-2.6.19.1.tar.bz2 But, I'm hoping it won't be too hard to automate this.
From Rajko:
The metalink might be good to distribute load on servers, but it needs improvements.
Now each client is testing servers independently. This produces some overhead that can be skipped if traffic data will be collected to central server from clients that start using metalink and after that metalink file will be changed to point to free resources ie. servers that show good performance.
The problem is not trivial, as change in metalink file will change distribution of the load and than reports will be changed. That means that we have feedback that has to be regulated to prevent system to go wild and lock everybody out.
Yes, there is currently no program that monitors the mirror servers and dynamically updates .metalink files according to mirror load. I see this as being really useful at the busiest times, but maybe not as critical during normal times. But I might be wrong. I do think it would be really cool if someone was interested and would work on it tho.
Another problem is that each client should use minimum number of connections ie. servers to reach maximum download speed and than stop asking for more as each server has its maximum, so it will prevent others to download.
Yes, aria2 uses 15 connections to 15 different servers by default AFAIR. This can be changed with command line options. Or if a distribution shipped a binary, they could decide on a number they felt was better. I believe all the other clients go by whatever options the user has set, (I don't know the defaults off hand for all of them). It would be nice if clients could recognize they were downloading at the users maximum speed for their connection with 2 connections, so please don't open up 13 more. It might be hard to fine tune what is most efficient. For dialup users, 1 is probably plenty. For me on cable, 4-6 is usually good in most conditions. I'd also like to find a number that is respectful to mirror server resources. (( Anthony Bryan )) Metalink [ http://www.metalinker.org ] --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-project+help@opensuse.org