
#1 2024-11-18 21:33:10

xerxes_
Member
Registered: 2018-04-29
Posts: 801

[Solved] Question about niranjan servers and rogue servers

What are these *.arch.niranjan.co servers from different countries on the mirrors status page? Do they create some network cluster or something like that?

Last edited by xerxes_ (2024-11-20 15:17:38)


#2 2024-11-19 09:29:18

xerxes_
Member
Registered: 2018-04-29
Posts: 801


Is it possible for someone to put some rogue server(s) on the server list site https://archlinux.org/mirrors/status/, especially on the "Successfully Syncing Mirrors" list?


#3 2024-11-19 09:40:27

mithrial
Member
Registered: 2017-03-05
Posts: 51


It looks like a global fleet of servers especially for different countries. What do you mean by "rogue servers"?


#4 2024-11-19 15:56:20

xerxes_
Member
Registered: 2018-04-29
Posts: 801


mithrial wrote:

What do you mean by "rogue servers"?

By that I mean that some server(s) may do/try some suspicious/nasty actions/attacks, for example:
- when the arch keyring package has a new version, a different version of it, with some other hashes related to some package maintainers, may be sent to updating clients, so alternative packages with malware may later be sent to clients using that server(s),
- that server(s) may collect information about connecting and updating clients (for example: IP address, location, list and number of updated packages, etc.) to, for example, limit the number of updated packages for clients from other countries or block them all (so only clients from the same country may update from this server).

Those are just examples that came to my mind, but someone can come up with something else.

Does someone check servers for unusual/evil behavior which a normal/good server doesn't do? Has anyone in the past seen some unusual/suspicious/evil update server behavior? What are the requirements to set up an update server and connect it to the Arch servers infrastructure?

Last edited by xerxes_ (2024-11-19 16:00:36)


#5 2024-11-19 18:54:43

loqs
Member
Registered: 2014-03-06
Posts: 18,078


xerxes_ wrote:

- when the arch keyring package has a new version, a different version of it, with some other hashes related to some package maintainers, may be sent to updating clients, so alternative packages with malware may later be sent to clients using that server(s),

pacman by default would refuse to install archlinux-keyring unless it is signed. If a bad actor already has a valid signing key, what is the advantage to the bad actor of changing archlinux-keyring?
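
The signature check mentioned above is what stops a mirror from substituting packages, so it only holds while `SigLevel` in `/etc/pacman.conf` still requires signed packages. An added example (not part of the original thread) that flags `SigLevel` lines which weaken that check; the sample config, its repository names and the left-to-right token handling are assumptions.

```shell
# audit_siglevel FILE: print "[section] SigLevel = value" for every SigLevel
# line that leaves package checks weaker than Required + TrustedOnly.
audit_siglevel() {
  awk '
    /^[ \t]*#/ { next }                          # comment line
    /^[ \t]*\[/ {                                # section header, e.g. [core]
      sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next
    }
    /^[ \t]*SigLevel[ \t]*=/ {                   # does not match LocalFileSigLevel
      val = $0
      sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      when = "Required"; trust = "TrustedOnly"   # assumed starting state (packages)
      n = split(val, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {                 # assumption: later tokens override
        t = tok[i]
        if (t ~ /^Database/) continue            # affects sync databases only
        sub(/^Package/, "", t)
        if (t == "Never" || t == "Optional" || t == "Required") when = t
        else if (t == "TrustAll" || t == "TrustedOnly") trust = t
      }
      if (when != "Required" || trust != "TrustedOnly")
        printf "[%s] SigLevel = %s\n", section, val
    }
  ' "$1"
}

# Constructed sample configuration (not taken from any real system).
sample_conf() {
  cat <<'EOF'
[options]
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
[core]
Include = /etc/pacman.d/mirrorlist
[extra]
SigLevel = Optional TrustAll
Include = /etc/pacman.d/mirrorlist
[thirdparty]
# SigLevel = Never
SigLevel = Never PackageRequired
[custom]
SigLevel = PackageOptional
EOF
}

conf=$(mktemp); sample_conf > "$conf"; audit_siglevel "$conf"; rm -f "$conf"
```

On a real system, run `audit_siglevel /etc/pacman.conf`; no output means no explicit `SigLevel` line relaxes package verification.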


#6 2024-11-20 10:58:03

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,977


- that server(s) may collect information about connecting and updating clients (for example: IP address, location, list and number of updated packages, etc.) to, for example, limit the number of updated packages for clients from other countries or block them all (so only clients from the same country may update from this server).

In theory possible, but that kind of data can be collected by any server for anything you download from them.

The methods you use to keep such data private as much as possible for all your network traffic should work fine for pacman also.

If you want to know more about the *.niranjan servers, try asking the person who set them up.

You can also look at the archlinux mirror mailing list, which (I think) is where new mirrors apply to get added to our mirrorlist.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky
