
#1 2025-11-08 01:20:36

AmericanPizza
Member
Registered: 2024-11-08
Posts: 8

Pacman only checks first server for .db updates.

Hello, I've encountered a very severe issue with pacman. In short, no matter how many times I execute it, across reboots, despite no change in configuration, pacman -Syu will ALWAYS return that everything is up-to-date.

I am 100% sure that my system is out-of-date. I have a VM that is configured similarly to my host where everything is working fine. To give an example, both on the Arch Linux package search and in my VM, curl is at version 8.17.0-1. While on my host, curl is stuck at 8.16.0-1 and pacman won't detect an update. Most of my work is done in virtual machines, I do very little to my host.

Pacman tells me nothing
Journalctl tells me nothing
/etc/pacman.d/mirrorlist exists and is full of possible mirrors (but as I said, I didn't make any changes to my Arch install lately).

Looking at /var/log/pacman.log, the last successful update was October 25th, this included an update to pacman-mirrorlist but not pacman itself.
I've installed software since then but never had anything upgraded beyond that date.

Last edited by AmericanPizza (2025-11-08 01:34:20)


#2 2025-11-08 01:33:28

AmericanPizza
Member
Registered: 2024-11-08
Posts: 8

Re: Pacman only checks first server for .db updates.

Update: In hindsight I should have tried this earlier, but I switched to the ".pacnew" mirror list and I got updates. So I did some digging and here's what I found:

The first mirror in my mirror list is mirror.theash.xyz/arch/$repo/os/$arch
This mirror is stuck on curl 8.16.0-1

Checking a couple random other mirrors, curl is correctly at 8.17.0-1.

This still exposes a major bug; a misconfigured (or malicious) repo can hold back user installs by not updating their repo. It seems that although I had up-to-date repos, pacman kept pulling the package list from an old repo.

I believe Pacman should include mechanisms to detect dead repos. Perhaps signatures for *.db should expire every 24 hours or so?

Last edited by AmericanPizza (2025-11-08 01:35:20)


#3 2025-11-08 02:13:27

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,606
Website

Re: Pacman only checks first server for .db updates.

AmericanPizza wrote:

Perhaps signatures for *.db should expire every 24 hours or so?

There are signatures for *.db?


#4 2025-11-08 02:19:41

AmericanPizza
Member
Registered: 2024-11-08
Posts: 8

Re: Pacman only checks first server for .db updates.

Allan wrote:
AmericanPizza wrote:

Perhaps signatures for *.db should expire every 24 hours or so?

There are signatures for *.db?

I assumed as such. I hope so!


#5 2025-11-08 02:29:33

mpan
Member
Registered: 2012-08-01
Posts: 1,526
Website

Re: Pacman only checks first server for .db updates.

This is a standard case of a broken mirror. Not seeing updates is a typical symptom of that.

Only a single mirror is meant to be used, so this is a correct behavior. If the mirror you did choose is in some way wrong, it’s time to change it for a better one. You may of course add multiple `Server=…` lines, but they’re going to be used only if the first mirror fails. Usually this solves nothing and only causes more obscure errors.

Package databases are not signed to start with, so there is nothing to expire. Yes, this also means the lack of change is never signed. And yes, this is a security issue. But it’s a marginal one and it’s inherently tamper-evident. Over the years there were discussions about improving the situation. Due to its non-criticality, objective issues with deployment of that scheme, known vulnerabilities in the solution itself reducing the attractiveness, and other priorities, the entire thing is somewhere between stalled and placed on the backburner.


Paperclips in avatars? | Sometimes I seem a bit harsh — don’t get offended too easily!


#6 2025-11-08 02:40:24

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,606
Website

Re: Pacman only checks first server for .db updates.

mpan wrote:

But it’s a marginal one and it’s inherently tamper-evident.

It is more interesting to consider whether a mirror that holds back a single exploitable package is easily noticeable.

I have patches that add a timestamp to the repo database and provide a configurable expiration time. I just never finished them because there is no point while Arch databases remain unsigned (and no other distro using pacman has shown interest).


#7 2025-11-08 09:02:06

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 70,964

Re: Pacman only checks first server for .db updates.

On topic, @AmericanPizza
https://archlinux.org/packages/extra/any/reflector/ or see https://bbs.archlinux.org/viewtopic.php?id=304532 for a wild discussion of alternative approaches to keep your mirrorlist mostly fresh.


#8 2025-11-10 16:55:56

Nikolai5
Member
From: North West, England, UK
Registered: 2024-01-27
Posts: 260

Re: Pacman only checks first server for .db updates.

I recommend setting up a script that runs on login and checks the modification date of /etc/pacman.d/mirrorlist.

Then have it use notify-send or something to let you know it's old, say, a month or 2 weeks or something? Use that to prompt you to run reflector or rate-mirrors to generate a new list and pacman -Syyu.


Desktop: Ryzen 7 1800X | AMD 7800XT | KDE Plasma
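As an added example (not code from this thread, from pacman, or from reflector), here is a POSIX shell script that does what the login-script idea above describes and also addresses the "dead repo" concern raised earlier in the thread: it warns when /etc/pacman.d/mirrorlist itself is older than a threshold, and it separately checks whether the first few configured mirrors have actually synced recently, because a fresh mirrorlist does not help if the first Server= entry is the one that stopped syncing. It assumes GNU coreutils (stat -c, date +%s), curl, optionally notify-send, and the usual Arch mirror layout in which each mirror root (the part of the Server= URL before /$repo) serves a lastsync file containing a Unix timestamp; the 30-day and 6-hour thresholds are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): report a stale mirrorlist and stale mirrors.
# Assumptions: GNU coreutils (stat -c, date +%s), curl, and the standard Arch
# mirror layout where <mirror root>/lastsync holds a Unix timestamp of the last sync.

MIRRORLIST="${MIRRORLIST:-/etc/pacman.d/mirrorlist}"
MAX_LIST_AGE_DAYS=30              # constructed threshold: warn if the list is older than this
MAX_SYNC_AGE_SECS=$((6 * 3600))   # constructed threshold: a mirror not synced for 6h is stale
MIRRORS_TO_CHECK=3                # pacman uses the first working Server=, so check the top few

# Print the age of a file in whole days, based on its modification time.
file_age_days() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1") || return 1
    echo $(( (now - mtime) / 86400 ))
}

# Succeed (exit 0) when the file given in $1 is older than $2 days.
mirrorlist_is_stale() {
    age=$(file_age_days "$1") || return 2
    [ "$age" -gt "$2" ]
}

# Succeed when a lastsync value ($1) is older than $3 seconds relative to now ($2).
# A missing or non-numeric value (unreachable mirror, HTML error page) counts as stale.
lastsync_is_stale() {
    case "$1" in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ $(( $2 - $1 )) -gt "$3" ]
}

# Extract active Server= URLs from a mirrorlist and reduce each to the mirror root
# (everything before /$repo), which is where lastsync lives. Commented lines are ignored.
mirror_roots() {
    sed -n 's/^[[:space:]]*Server[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's#/\$repo.*##'
}

# Fetch lastsync from the first $2 mirrors listed in $1 and print one status line per mirror.
check_mirrors() {
    now=$(date +%s)
    mirror_roots "$1" | head -n "$2" | while IFS= read -r root; do
        ts=$(curl -fsS --max-time 10 "$root/lastsync" 2>/dev/null || true)
        if lastsync_is_stale "$ts" "$now" "$MAX_SYNC_AGE_SECS"; then
            echo "STALE $root (lastsync=${ts:-unreachable})"
        else
            echo "OK    $root"
        fi
    done
}

# Print the message and, when a notification daemon is available, show it on the desktop.
notify() {
    echo "$1"
    command -v notify-send >/dev/null 2>&1 && notify-send "pacman mirror check" "$1"
}

main() {
    if mirrorlist_is_stale "$MIRRORLIST" "$MAX_LIST_AGE_DAYS"; then
        notify "$MIRRORLIST is $(file_age_days "$MIRRORLIST") days old; consider regenerating it with reflector."
    fi
    stale=$(check_mirrors "$MIRRORLIST" "$MIRRORS_TO_CHECK" | grep '^STALE' || true)
    if [ -n "$stale" ]; then
        notify "Stale or unreachable mirrors in $MIRRORLIST:
$stale"
    fi
}

# Run only when invoked with an explicit mirrorlist path, e.g. from a login script:
#   ./mirror-freshness.sh /etc/pacman.d/mirrorlist
if [ "$#" -gt 0 ]; then
    MIRRORLIST="$1"
    main
fi
```

The script only reports; it deliberately does not run reflector or pacman, so the user decides whether to regenerate the list and whether a plain -Syu is enough or the mirror switch warrants -Syyu. Treating an unreachable or non-numeric lastsync as stale is intentional: a mirror that answers with an error page is exactly the case that would otherwise go unnoticed.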


#9 2025-11-10 17:01:20

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,247

Re: Pacman only checks first server for .db updates.

Not sure why you bumped this a month later, but why would you redo your mirrorlist based on time instead of just when there's an issue? Makes no sense to me.


#10 2025-11-10 17:09:47

Nikolai5
Member
From: North West, England, UK
Registered: 2024-01-27
Posts: 260

Re: Pacman only checks first server for .db updates.

The post timestamps are showing as recent for me, not a month, even the first post.

The reason is to avoid issues and ensure good speed. Running it periodically ensures that in my experience. Some redo their mirrors every single time. I do not.

If there's an issue I'll run it ad hoc as you say, but running it periodically has benefited me.


Desktop: Ryzen 7 1800X | AMD 7800XT | KDE Plasma


#11 2025-11-10 17:12:05

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,247

Re: Pacman only checks first server for .db updates.

Yeah, you're right, it's only been a couple of days, don't know what I was seeing.


#12 2025-11-10 19:51:18

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 70,964

Re: Pacman only checks first server for .db updates.

run reflector or rate-mirrors to generate a new list and pacman -Syyu

yy *can* be necessary when switching away from a bad mirror, but not when just leaving behind a stale one, and it's not advisable to run this unconditionally (because you might just as well run into a bad mirror and, in doubt, just cause undue traffic).

