Skip to main content
Topic: New primary mirror (Read 18392 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Re: New primary mirror

Reply #15
On a couple of my machines, I strangely got GnuPG errors trying to pull packages from system-testing so I had to delete the /etc/pacman.d/gnupg directory and then repopulate all the keys. After that, it all worked fine. Just FYI in case anyone lurking encounters the same issue.

Re: New primary mirror

Reply #16
Quote from: Dudemanguy – on
On a couple of my machines, I strangely got GnuPG errors trying to pull packages from system-testing so I had to delete the /etc/pacman.d/gnupg directory and then repopulate all the keys. After that, it all worked fine. Just FYI in case anyone lurking encounters the same issue.
You did not read and follow the instructions correctly

Re: New primary mirror

Reply #17
Quote from: mandog – on
You did not read and follow the instructions correctly
Well sure, maybe I screwed up somewhere. One of my other computers migrated without any problems at all, so I at least fluked doing it correctly once. Like it I said earlier, it was just an FYI for anyone who might have the same issue. I wasn't intending to complain or anything.

Re: New primary mirror

Reply #18
We shouldn't expect everything from the huge team of artix engineers, I think we should organize and do some work ourselves.  Like starting a FAQ thread to be adopted on the web-page.
On Arch-OpenRC people were generally assumed to have made that step from Arch.  Same with Manjaro.  Here we may have people coming to Artix not knowing a thing about Arch or Manjaro and shouldn't have to.
What system-world-galaxy-extra-community-AUR is, must be defined and explained for Artix and not forwarding individually everytime to some Arch page for explanation.
Nevertheless, the forum should be the place to address problems. Whether they are system induced or user induced that is what we are here to figure out.

So here it is;  https://artixlinux.org/forum/index.php/topic,39

Re: New primary mirror

Reply #19
Ok, I tried to cheat and jump the gun, I noticed the world and galaxy testing repositories being constructed and gave them a try. 
Unfortunately I didn't just look but updated some packages through them.  Now it will not bring gui up.  I have this one installation where I log in to console and start X up manually when I want.  It boots to console fine, no errors, and Xorg has no errors or warnings.  So the problem is on sddm.  The screen, apparently a stuck xsession, is black with a blinking cursor on top left.
I am trying to locate what is new and reverse the damage.  :)  
Curiosity keeps the cat awake

an hour later - reedit:  No error on sddm log or anywhere I can find.  Sddm says it started with no errors, I just didn't see any of it.
From sddm I would log in to openbox manually, the only desktop I had.  Starting sddm as root or as user didn't make any difference.  So I don't know how to debug the problem.

Re: New primary mirror

Reply #21
Ok I will try this, meanwhile there were some updates, a third mirror for Artix, and cairo-something.
Before trying the reversal I tried to see if lightdm would work, it didn't.  Just returned to prompt.
So I decided to try lxdm, and it did work.  Everything running fine.
So now I will try -Suu and try sddm again.  I'm still in debian thinking mode where once you move up to testing
you are on a different distribution and can't revert, not easily anyway.

UPDATE:  Yes, thank you, it did work.  Sddm runs again and the difference I believe was in the mesa-17.02-0-3/17.02-0-2 package.

Re: New primary mirror

Reply #23
I thought I should mention this since no one else did, but bash in system-testing is older than the one in system. Does bash have the wrong version number in system-testing or is it just an older build?

system-testing/bash 4.4.012-2 (base) [installed: 4.4.012-3]
    The GNU Bourne Again shell
system/bash 4.4.012-3 (base) [installed]
    The GNU Bourne Again shell

Thanks @artoo @nous

Re: New primary mirror

Reply #24
Quote from: nous – on
We provide quality packages with nothing to hide! Joking aside, package mirrors don't really need https, the content is public.

Well, https helps mitigate man-in-the-middle attacks and some packet sniffing. It gives an extra blanket of security on top of the package signing to verify data sent/retrieved from the server. So if someone spoofs the server for some inane reason(for the lols I guess), they have to forge the server's certificate. Again if someone's signing key was stolen/cracked the black hat would need to forge the server's certificate before they impersonated the server with malicious package(s) and have these package(s) propagate throughout all the server mirrors.

If the isos return to the main server, https:// would help prevent altered isos from be downloaded from an unauthorized redirected site(s). Isos that many people do not checksum before using I might add. (Bad, bad users!)

So https:// complements our checksums, signed packages, and package databases. And furthermore https is a useful tool for servers even if it is not a cure-all against bad stuff happening altogether to our main server.

Here is a more in-depth explanation and, frankly, I think does it better than I did:
Quote
In general, you can't trust anything on an unsecured connection on any network where a MITM could be present (ie, you don't have complete physical control and security of the routing and wiring). A Man in the Middle could monitor and alter any unsecured connection by pretending to be you to the host and pretending to be the host to you. Neither system would be aware of the presence. The file could be entirely replaced or executable could be altered or replaced to do malicious things quite easily.

There are, however, a number of ways to prevent this. Authenticated connections such as HTTPS guarantee that only two end points (at least one of which is trusted) can communicate. In brief, HTTPS works by the server having a special piece of information that the browser can validate is the server you think it is. That information can then be used to send a key generated by your client to the trusted server in a way that only the server can understand. Because the MitM doesn't know the newly shared key, the server can then respond using that key to encrypt the connection and the MitM can no longer observe or alter the meaningful contents of that communication and any alterations would cause it to appear as gibberish (or possibly be detected based on the protocol in use).

Another technique is called checksums. A checksum is a small piece of information that can be independently provided to validate a much larger file. It generally consists of a hash of the file that is being sent which can then be rehashed after receipt in order to ensure the file didn't have any errors in transmission. If the checksum and the file are obtained from different connections, it is a little more difficult for the MitM to alter both, however it could still be possible for both to be altered. The checksum could also be cryptographically signed by the file distributor to ensure the checksum can not be altered by the MitM.

The best method is to combine the two approaches and include a cryptographically signed checksum that validates that the file came from the sender while also communicating the file over a secure connection. This ensures that the data isn't corrupted during transmission and also ensures that it comes from the expected host.
From an AJ Henderson on https://security.stackexchange.com/questions/19981/mitm-can-a-binary-file-be-changed-or-swapped-enroute

Here is some more generic reading:
Quote
Man-in-the-middle attacks allow attackers to intercept, send and receive data never meant to be for them without either outside party knowing until it is too late.
From: https://www.veracode.com/security/man-middle-attack

Re: New primary mirror

Reply #25
Here is some more advice from a site that already has a working implementation of modifying binaries in transit.

Quote
Companies and developers need to make the conscious decision to host binaries via SSL/TLS, whether or not the binaries are signed. All people, but especially those in countries hostile to “Internet freedom,” as well as those using Tor anywhere, should be wary of downloading binaries hosted in the clear.

http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries

It is good read.

Re: New primary mirror

Reply #27
Quote from: fungalnet – on
Instructions as I see them clear, because all of the above seemed very confusing.

1  edit /etc/pacman.conf and uncomment the [system-testing] and the line below it.
Not the world and galaxy testing, they are not ready yet.
2  edit /etc/pacman.d/mirrorlist and add 
Code: [Select]
Server = http://mirror1.artixlinux.org/repos/$repo/os/$arch
https is not working as of 20170912 - 12 UTC  but it may work in the near future?  For now use http
3  pacman -Syyu



this is good but it is not correct.  There is no testing lines in pacman.conf

Re: New primary mirror

Reply #28
Quote from: nous – on
We are moving away from Sourceforge hosting, main reason being the restriction of colon characters (':') in filenames, which breaks the package database with epoch-versioned packages. Our new primary mirror is active and serving. The rest of the mirrors will sync soon.

To use the new repo, you must enable [system-testing] above [system]. After updating artix-mirrorlist from [system-testing], users will need to rename /etc/pacman.d/mirrorlist.pacnew to /etc/pacman.d/mirrorlist and re-sync.

Code: [Select]
pacman -Sy system-testing/artix-mirrorlist

After that, you can comment-out [system-testing] and wait until the updates make it to [system], or be guinea pigs bold and brave testers and report any issues.

it is very important that the section
[system-testing]
Include = /etc/pacman.d/mirrorlist

be added (and not just the line as in the instructions #Enable [system-testing] )



Re: New primary mirror

Reply #29
How come there are packages in [system] that are later versions of [system-testing]?
For example "bash" and "linux-api-headers" as examples, if not the only ones.