2012/5/28 Carlos E. R.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2012-05-28 02:10, Nelson Marques wrote:
For the speed, I told you several times already that the data and metadata come for different servers in different countries. Two different sources.
Hmmz... this is interesting... imagine you have metadata refreshened, but the local mirrors haven't updated yet... what prevents zypper from having erratic behavior. If you know any docs about it share it with me... It's actually an interesting to look at to know how this is handled.
I don't have documentation or links about this, but believe me it is true. What I know is simply from reading what devs have posted about this on several occasions.
Part of the metadata (the parts vary depending on the openSUSE versions; in recent versions it is less) is always downloaded directly from the openSUSE server, and is cryptographically signed.
If a mirror does not contain the rpm wanted, it can not be downloaded, it will fail; I do not know if the redirector keeps track of what packages contain each mirror and redirect to the appropriate one. I think it does.
If a mirror contains a manipulated rpm, as the metadata is downloaded directly from openSUSE the manipulation should be detected.
However, if your repo list points to the mirrors directly, this is broken.
My repo files have been hacked in the baseurl to use a national mirror, this is mainly because it's updated every four hours and takes advantage of 'gigapix' (PIX = Portuguese Internet eXchange), the major peering point in Portugal for all ISP's, that's the default gay2way for national traffic. But still what you say doesn't make much sense, because the keys are actually the ones from openSUSE, so the RPMs verification should still work. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org