On 5/5/24 01:05, Rodney Baker wrote:
On Sunday, 5 May 2024 04:44:09 ACST Lew Wolfgang wrote:

Hi Folks,

Is there a way to maintain local copies of the openSUSE repositories?
Maintenance includes keeping the local repos up-to-date by downloading
only the deltas between the remote and local repos.

I know how to do this using the Red Hat "reposync" program, a part
of the yum/dnf package, but it just doesn't feel right having to
depend on Red Hat for what would appear to be core functionality.

Note:  I can't use rsync due to policy constraints.  But web ports 80
and 443 are okay.  I know, go figure...

 Do you need to maintain full copies of the repos locally, or would proxying/
caching requests to the repos for installs/updates be good enough? 

I've used apt-cacher-ng at home and in our corporate network for providing 
updates for machines that don't have outbound internet access. It caches files 
locally the first time they're requested and then serves them from the cache 
for subsequent requests. 

It works for zypper and yum as well as apt, but the mechanism is slightly 
different. For zypper and yum it's necessary to modify the repo URL to point 
to the apt-cacher-ng service on port 3142 (there are 2 documented ways do to 
that), whereas with apt it's a one-liner in a config file. The port can be 
changed if needed (e.g. to 8080 or any other arbitrary port). 

Apt-cacher-ng is available for openSUSE (including TW) but it's necessary to 
add the server:proxy repo to get it.

Thanks for the suggestion Rodney.  But in my case it really makes sense to
have a completely local copy of repositories.  My off-network machines are
completely off-network, the only way to import data is to carry physical
media down the hallway and plug it in after checking for malware. 

Having a local copy also allows easy creation of deltas using rsync.  The size
of the repos this morning is 1.3-TB, and since corporate policy demands that
the media to import data be used only once,  it would become expensive
to sacrifice a disk drive every week.  But the changes from week to week will
fit onto a 32-GB SDcard, which can reasonably be used once and thrown away.
I've got hundreds of them in my desk drawer. 

A local copy also allows malware scanning.  Clamav works fine, and while
it might not be the best choice for detection it's enough to check the box.
I updated my local repo last night and ran clamscan on it, the results are
included below.   Clamav unpacks rpm's, so it really is a valid exercise.
This was run on an oldish desktop, I'm sure it would be faster on a modern
box.  The repo selection is the standard enabled suite for Leap 15.5, including
Packman and Nvidia, except the openh264 repo which seems to be having
a mirror problem right now.

Here's the Clamav report:

Known viruses: 8692269
Engine version: 0.103.11
Scanned directories: 165
Scanned files: 326923
Infected files: 0
Data scanned: 726747.85 MB
Data read: 1336155.75 MB (ratio 0.54:1)
Time: 28876.391 sec (481 m 16 s)
Start Date: 2024:05:04 20:40:55
End Date:   2024:05:05 04:42:12

Regards,
Lew