Mick wrote: > On Thursday 26 Jan 2017 15:08:25 Dale wrote: >> That's my thinking as well. I recall not long ago that I caught a bad >> sync.. It was several days later that I was able to get a good one >> and even then, it required me to switch to another mirror. I think in >> my case, someone decided to shut down that mirror but for some >> reason, only removed some of the files there. Some very obvious >> packages were missing. I noticed several KDE packages and even some >> that are in @system missing. > I recall 12-13 years ago there was a proposal to improve security by > sync'ing with different mirrors and diffing the output. I seem to > recall someone had hacked a mirror and interfered with the tree served > by it. The proposal was not taken up because it would double up the > load on the mirrors and of course two mirrors may not be in exactly > the same state at a particular point in time.
I'm not on dial-up anymore but I wouldn't want to have to do that twice either. My DSL is not *that* fast. I've had bad syncs in the past. It is rare but it does happen. Anytime I get something really weird, I try to check and see what the tree looks like. One can also scroll back up and see what all was changed, file wise anyway. I recall those discussion and have seen security mentioned since as well. While I think it is not likely, it could happen. Thing is, the tree is a moving target as you mention. It never really stops being changed. Given the world wide nature of the devs, there is almost always someone changing something. To download it twice and compare would be interesting to see. Talk about a hat trick. ;-) I suspect that if a hacker wanted to screw things up, they would find a way. It doesn't hurt to try and keep it to a minimum tho. I wish I could recall what server I was using. Dale :-) :-)
