
#1 2024-11-18 21:33:10

xerxes_
Member
Registered: 2018-04-29
Posts: 827

[Solved] Question about niranjan servers and rogue servers

What are these *.arch.niranjan.co servers from different countries on the mirrors status page? Do they create some network cluster or something like that?

Last edited by xerxes_ (2024-11-20 15:17:38)

Offline

#2 2024-11-19 09:29:18

xerxes_
Member
Registered: 2018-04-29
Posts: 827

Re: [Solved] Question about niranjan servers and rogue servers

Is it possible for someone to put some rogue server(s) on the server list site https://archlinux.org/mirrors/status/, especially on the "Successfully Syncing Mirrors" list?

Offline

#3 2024-11-19 09:40:27

mithrial
Member
Registered: 2017-03-05
Posts: 58

Re: [Solved] Question about niranjan servers and rogue servers

It looks like a global fleet of servers especially for different countries. What do you mean by "rogue servers"?

Offline

#4 2024-11-19 15:56:20

xerxes_
Member
Registered: 2018-04-29
Posts: 827

Re: [Solved] Question about niranjan servers and rogue servers

mithrial wrote:

What do you mean by "rogue servers"?

By that I mean that some server(s) may do/try some suspicious/nasty actions/attacks, for example:
- when the arch keyring package has a new version, a different version of it with some other hashes related to some package maintainers may be sent to updating clients, so alternative packages with malware may later be sent to clients using that server(s),
- that server(s) may collect information about connecting and updating clients (for example: IP address, location, list and number of updated packages, etc.) to, for example, limit the number of updated packages for clients from other countries or block them all (so only clients from the same country may update from this server).

Those are just examples that came to my mind, but someone can come up with something else.

Does someone check servers for unusual/evil behavior which a normal/good server doesn't do? Has someone in the past seen some unusual/suspicious/evil update server behavior? What are the requirements to set up an update server and connect it to the arch servers infrastructure?

Last edited by xerxes_ (2024-11-19 16:00:36)

Offline

#5 2024-11-19 18:54:43

loqs
Member
Registered: 2014-03-06
Posts: 18,206

Re: [Solved] Question about niranjan servers and rogue servers

xerxes_ wrote:

- when the arch keyring package has a new version, a different version of it with some other hashes related to some package maintainers may be sent to updating clients, so alternative packages with malware may later be sent to clients using that server(s),

pacman by default would refuse to install archlinux-keyring unless it is signed. If a bad actor already has a valid signing key, what is the advantage to the bad actor of changing archlinux-keyring?

Offline
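
The default behaviour described in the post above is governed by the `SigLevel` directive in pacman.conf, and a per-repository `SigLevel` can weaken it. As an added example (not part of any post in this thread), the following Python audits a pacman.conf text for repositories that would accept unsigned packages; the sample config and the `thirdparty` repository are constructed, and `Include` files are not followed.

```python
import re

# Constructed sample pacman.conf (not from the thread or a real host).
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
[core]
Include = /etc/pacman.d/mirrorlist
[thirdparty]
SigLevel = Optional TrustAll
Server = https://repo.example.invalid/$arch
"""

TOKEN = re.compile(r"(Package|Database)?(Never|Optional|Required|TrustedOnly|TrustAll)")

def apply_siglevel(state, value):
    """Apply SigLevel tokens left to right; unprefixed tokens set both scopes."""
    state = dict(state)
    for tok in value.split():
        m = TOKEN.fullmatch(tok)
        if not m:
            raise ValueError(f"unknown SigLevel token: {tok}")
        kind = "trust" if m.group(2).startswith("Trust") else "check"
        for scope in [m.group(1)] if m.group(1) else ["Package", "Database"]:
            state[scope, kind] = m.group(2)
    return state

def audit(conf_text):
    """Return {repo: [findings]} for repos that do not require signed packages."""
    section, levels = None, {}
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
            levels[section] = ""
        elif section and re.match(r"SigLevel\s*=", line):
            levels[section] += " " + line.split("=", 1)[1]
    base = apply_siglevel({}, levels.get("options", ""))
    report = {}
    for repo, value in levels.items():
        state = apply_siglevel(base, value)  # repo tokens override the global ones
        check = state.get(("Package", "check"), "unset")
        found = [] if check == "Required" else [f"package signature check is {check}"]
        if state.get(("Package", "trust")) == "TrustAll":
            found.append("TrustAll: key trust level is not enforced")
        if repo != "options" and found:
            report[repo] = found
    return report
```

An empty result from `audit()` means every repository in the file requires a signature on each package, so a mirror serving altered files would fail verification on the client.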

#6 2024-11-20 10:58:03

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,225

Re: [Solved] Question about niranjan servers and rogue servers

- that server(s) may collect information about connecting and updating clients (for example: IP address, location, list and number of updated packages, etc.) to, for example, limit the number of updated packages for clients from other countries or block them all (so only clients from the same country may update from this server).

In theory possible, but that kind of data can be collected by any server for anything you download from them.

The methods you use to keep such data private as much as possible for all your network traffic should work fine for pacman also.

If you want to know more about the *.niranjan servers, try asking the person who set them up.

You can also look at the archlinux mirror Mailing list which (I think) is where new mirrors apply to get added to our mirrorlist.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#7 2024-12-09 20:00:14

niranjan
Member
From: Pune, India
Registered: 2024-05-15
Posts: 4
Website

Re: [Solved] Question about niranjan servers and rogue servers

Hello,

I maintain these servers and these are separate servers located physically at different locations across the globe. I follow https://wiki.archlinux.org/title/Develo … NewMirrors for setting up mirrors and no, I do not modify these packages. And pacman checks whatever you install for integrity and whether it has been tampered with.


I maintain a few Arch Linux Mirrors: https://archlinux.org/mirrors/niranjan.co/

Offline

#8 2024-12-11 10:33:39

xerxes_
Member
Registered: 2018-04-29
Posts: 827

Re: [Solved] Question about niranjan servers and rogue servers

@niranjan

Do your servers collect any information about clients connecting and downloading packages from them?
Do they limit the number of packages a single client can download or do they limit bandwidth (or number of downloaded GB)?


___________
Maybe I'm too suspicious, trying to find problems where they aren't, but maybe someone sometimes has to think about things that no one thought of...

Last edited by xerxes_ (2024-12-11 10:46:24)

Offline

#9 2024-12-11 17:14:53

Nikolai5
Member
From: North West, England, UK
Registered: 2024-01-27
Posts: 195

Re: [Solved] Question about niranjan servers and rogue servers

@niranjan Several of your mirrors appear in my mirror list generated using rate-mirrors, so good effort on them being in sync and fast.


Desktop: Ryzen 7 1800X | AMD 7800XT | KDE Plasma
MacbookPro-2012 | XFCE

Offline

#10 2024-12-12 03:56:12

niranjan
Member
From: Pune, India
Registered: 2024-05-15
Posts: 4
Website

Re: [Solved] Question about niranjan servers and rogue servers

@xerxes_

Hello, there is no explicit logging, but only the default logs generated by the web server (nginx) are stored automatically. These logs are useful in case there are any issues with the mirror, so I cannot turn them off. There are no limits on downloads at all! You can download as many packages as you want! I have set up multiple mirrors for the same locations to maintain high availability and reliability. If you feel you're getting slower downloads, that may be due to the number of people using these mirrors! If you have any more questions, shoot them! I'll be happy to answer all of them.

@Nikolai5

Thanks! I personally use my own mirrors, so I have to keep them up and syncing!


I maintain a few Arch Linux Mirrors: https://archlinux.org/mirrors/niranjan.co/

Offline
