On Monday 18 December 2006 09:30, Carlos E. R. wrote:
The Sunday 2006-12-17 at 18:45 -0600, Rajko M. wrote:
Some other neat features which are still unsupported are inclusion of PGP signatures and some other stuff.
That is what is necessary to verify source of files.
IMO, it would be suficient to sign the xml metalink file itself. As it contains the md5sum check of the image, that would enough to certify that what you downloaded was the correct signed file.
Also, segment md5sums could be used to certify mirror sites: if a segment downloaded from a site doesn't check, and a retry fails again, that would mark that site as "bad" or bogus or whatever.
An alternative is to sign the image, but that would be better done by the image provider/maker.
Tricky problem! ;-)
I haven't time to read specifications, so I can't say is verification included and if it is what method is used. Bryan mentioned that it will come in future versions of aria2.
The metalink might be good to distribute load on servers, but it needs improvements.
Now each client is testing servers independently. This produces some overhead that can be skipped if traffic data will be collected to central server from clients that start using metalink and after that metalink file will be changed to point to free resources ie. servers that show good performance.
The problem is not trivial, as change in metalink file will change distribution of the load and than reports will be changed. That means that we have feedback that has to be regulated to prevent system to go wild and lock everybody out.
Another problem is that each client should use minimum number of connections ie. servers to reach maximum download speed and than stop asking for more as each server has its maximum, so it will prevent others to download.
I have more questions than answers, and some reading is pending :-)