You are not logged in.
- Topics: Active | Unanswered
#1 2024-11-18 21:33:10
- xerxes_
- Member
- Registered: 2018-04-29
- Posts: 776
[Solved] Question about niranjan servers and rogue servers
What are these *.arch.niranjan.co servers from different countries from mirrors status page? They create some network cluster or something like that?
Last edited by xerxes_ (Yesterday 15:17:38)
Offline
#2 2024-11-19 09:29:18
- xerxes_
- Member
- Registered: 2018-04-29
- Posts: 776
Re: [Solved] Question about niranjan servers and rogue servers
Is it possible for someone to put some rogue server(s) on server list site https://archlinux.org/mirrors/status/, especially on "Successfully Syncing Mirrors" list?
Offline
#3 2024-11-19 09:40:27
- mithrial
- Member
- Registered: 2017-03-05
- Posts: 50
Re: [Solved] Question about niranjan servers and rogue servers
It looks like a global fleet of servers especially for different countries. What do you mean by "rogue servers"?
Offline
#4 2024-11-19 15:56:20
- xerxes_
- Member
- Registered: 2018-04-29
- Posts: 776
Re: [Solved] Question about niranjan servers and rogue servers
What do you mean by "rogue servers"?
I mean by that that some server(s) may do/try some suspicious/nasty actions/attacks to do, for example:
- when arch keyring package has new version, different version of it with some other hashes related to some package maintainers, may be send to updating clients, so later alternative packages with malware may be later send to clients using that server(s),
- that server(s) may collect information about connecting and updating clients (for example: IP address, location, list and number of updated packages, etc.) to for example: limit number of updated packages for clients from other countries or block them all (so only clients from same country may update from this server).
That are just examples that came to my mind, but someone can come up with something else.
Does someone checks servers for unusual/evil behavior witch normal/good server doesn't do? Did in the past someone seen some unusual/suspicious/evil update server behavior? What are requirements to set up an update server and connect it to arch servers infrastructure?
Last edited by xerxes_ (2024-11-19 16:00:36)
Offline
#5 2024-11-19 18:54:43
- loqs
- Member
- Registered: 2014-03-06
- Posts: 18,032
Re: [Solved] Question about niranjan servers and rogue servers
- when arch keyring package has new version, different version of it with some other hashes related to some package maintainers, may be send to updating clients, so later alternative packages with malware may be later send to clients using that server(s),
pacman by default would refuse to install archlinux-keyring unless it is signed. If a bad actor already has a valid signing key what is the advantage to the bad actor of changing archlinux-keyring?
Offline
#6 Yesterday 10:58:03
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 12,925
Re: [Solved] Question about niranjan servers and rogue servers
- that server(s) may collect information about connecting and updating clients (for example: IP address, location, list and number of updated packages, etc.) to for example: limit number of updated packages for clients from other countries or block them all (so only clients from same country may update from this server).
In theory possible, but those kind of data can be collected by any server for anything you download from them.
The methods you use to keep such data private as much as possible for all your network traffic should work fine for pacman also .
If you want to know more about the *.niranjan servers , try asking the person who set them up .
You can also look at the archlinux mirror Mailing list which (I think) is where new mirrors apply to get added to our mirrorlist .
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline