https://wiki.archlinux.org/title/Develo … ling_lists mentions a mailing list and an email address.
Maybe use one of those?
https://archlinux.org/mirrors/ doesn't appear to list any Tor mirrors, maybe you would like to be the first one to provide a tier 2 mirror using a .onion domain?
Some derivative distros had onion mirrors, not sure what the situation looks like today.
Maybe folks will start to have onion mirrors, but the first step would be to have an Arch policy in response to the quote:
BTW what is the Arch gatekeepers' stance on 2-tier mirrors provided via onion addresses, are there some semi-official servers to try syncing from?
https://archlinux.org/mirrors/ doesn't appear to list any Tor mirrors, maybe you would like to be the first one to provide a tier 2 mirror using a .onion domain?
Did you notice this is an over two month old thread?
How is that relevant to the subject?
In either case, not sure what “reducing privacy surface” is. Automatic and manual renewals perform the same operations and send the same data, so there is no direct difference in privacy. If one would really want to find one, it’s with manual renewals: it reveals the server operator’s activity patterns. With 4 datapoints a year this is garbage data of course. Not sure what kind of attack vector automatic renewal introduces compared to a manual one.
Reducing privacy surface means expanding vulnerabilities to traffic analysis and fingerprinting. I didn't mean to distinguish auto and manual renewing but rather the mere requirement to use certs causing periodic regular extra connections to the third party.
Regarding Tor HS access: I am not the right person to give an authoritative response on Arch’s stance. Fortunately Tor’s stance on pushing large amounts of data over Tor has been known for years and it is negative (1, 2), because it puts unreasonable load on the network. A second problem is that, unless additional steps are taken, the requested package set fingerprints the machine.
Tor wasn't made to keep in a museum. Throttling is OK and even desirable for many sensible scenarios. The fingerprinting argument is laughable as Clearnet connections have zero protection there. Hopefully Arch won't trail in the tail distro and will mitigate resiliency concerns by allowing and encouraging more decentralized syncing of its repos in a privacy conscious manner.
Daklon:
While users should use HTTPS, a server offering a plaintext alternative may still be of value. This shouldn’t normally be needed, but in some rare cases the user may have certificate chains broken or no TLS support. Then non-TLS connections remain the only option.
BTW what is the Arch gatekeepers' stance on 2-tier mirrors provided via onion addresses, are there some semi-official servers to try syncing from?
http or https support