How can I check which mirrors are more trustworthy?

After the latest announcement, [manjaro-security] [MSA-202106-1] “images were built with a pre-initialised (and thus common) pacman local signing key”,
I got a bit concerned about who is hosting the mirrors that I use (no offense to well-intentioned contributors).
Is there a way I can see who is behind each mirror?
I would assume that reputable institutions with a good implementation of security measures are more secure and trustworthy than a random person on the internet…?

For example, I was told that https://mirrors.manjaro.org/repo/ is maintained by the Manjaro team.
Not sure about Index of /manjaro/.

Have a look here:

Not really.
There is whois for domain registration info.
Don’t expect to get a lot of information from it though. In most cases you’d need to contact the registrar for more detailed/personal information.

I know when registering an Arch mirror you have to leave an e-mail address and the name of the operator, but for hosting a Manjaro mirror I don’t think it is required.

Probably. Universities, for example, that host mirrors for several distros (can you be sure that some “creative” students haven’t got access to it and messed around? Not really :wink:)

Now, if you do a full reinstall of your OS (with the latest ISO :wink:), you don’t need to give a shit who is operating the mirrors or if you can trust them or not. That’s the whole purpose of package signing → the signature checks guarantee that it has not been tampered with.

Personal opinion:

I wouldn’t be too concerned about this. There are more attractive targets out there than some users of a free Linux OS. The chance that there are/were some rogue mirrors is rather low imho.


Would it be OK if, from now on, I only have one mirror in my list (the Manjaro-maintained one)?
The only downsides would be maybe slow DL and waiting for it to be synchronized, right?

That’s what I was doing for years. Since I’m hosting a mirror (actually two), that was the only one I’ve put into my mirrorlist… (I’ve never had issues and never had to run sudo pacman-mirrors -f or so :wink:)

Choose one that you “trust”, is synchronizing frequently and where you have good download speed…

Edit: Actually, now that keys got renewed on every system with the update, you don’t even need to trust that mirror…


Thank you moson,
I would have reinstalled Manjaro by now, but I have too many tweaks/configurations and software behind my current installation.
For now I chose the 2 mirrors I mentioned.

I was about to say that I will miss the moson mirrors since they always work and are up to date, but as I’m writing this I realize that they are probably yours??

Yepp.

Actually from now on (well, since that manjaro-system package wiped the GPG keys, which forced regeneration) you can trust any mirror, no matter what.

What you cannot trust is everything that happened (in terms of new packages) between the installation of the system and that last manjaro-system update.

So if you are confident that the system has not been compromised until that update you’re ok.

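Added example, not from anyone in this thread: a throw-away GnuPG keyring that replays the point made in moson’s two replies above (signature checks make the mirror irrelevant, and what you actually rely on is the keyring on your system). A detached signature verifies no matter which mirror served the file, a file with one appended byte is rejected, and a good file whose signer is not in your keyring is rejected too. The package name, key identity and paths are made up for the demo; it only needs gpg installed. pacman performs the same check through its own keyring under /etc/pacman.d/gnupg, and on top of that requires the signing key to be trusted there, which is the role of the per-install local signing key the advisory is about.

```shell
#!/usr/bin/env bash
# Added demo, not part of the thread: what pacman's detached-signature check
# gives you, replayed with plain gpg in throw-away keyrings. The package name,
# key identity and paths below are made up for the demo.
set -eu

sig_demo() {
    local work pkg sig tampered packager stranger
    work=$(mktemp -d)
    pkg="$work/demo-1.0-1-x86_64.pkg.tar.zst"      # stand-in for a package file
    sig="$pkg.sig"                                  # detached signature, as on a mirror
    tampered="$work/tampered.pkg.tar.zst"
    packager="$work/keyring-with-packager-key"      # like the keyring you already trust
    stranger="$work/empty-keyring"                  # the signer is unknown here
    mkdir -m 700 "$packager" "$stranger"
    echo allow-loopback-pinentry > "$packager/gpg-agent.conf"

    # 1. The "packager" generates a key (no passphrase, never expires) and
    #    produces a detached signature over the package.
    printf 'pretend this is a package\n' > "$pkg"
    GNUPGHOME=$packager gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Packager <demo@example.invalid>' default default never 2>/dev/null
    GNUPGHOME=$packager gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$sig" "$pkg" 2>/dev/null

    local good tamper unknown
    # 2. Untouched file, signer's key in the keyring: the only case that passes.
    if GNUPGHOME=$packager gpg --batch --quiet --verify "$sig" "$pkg" 2>/dev/null; then
        good=good-signature; else good=good-signature-REJECTED; fi
    # 3. A mirror operator appends one byte: same .sig, verification fails.
    cp "$pkg" "$tampered"; printf 'x' >> "$tampered"
    if GNUPGHOME=$packager gpg --batch --quiet --verify "$sig" "$tampered" 2>/dev/null; then
        tamper=tampered-ACCEPTED; else tamper=tampered-rejected; fi
    # 4. Untouched file, but a keyring without the signer's key: also fails.
    #    The keyring you hold, not the mirror, is what you are trusting.
    if GNUPGHOME=$stranger gpg --batch --quiet --verify "$sig" "$pkg" 2>/dev/null; then
        unknown=unknown-key-ACCEPTED; else unknown=unknown-key-rejected; fi

    GNUPGHOME=$packager gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$good $tamper $unknown"
}

sig_demo   # prints: good-signature tampered-rejected unknown-key-rejected
```

Case 4 is the one that matters for the advisory: a signature that checks out cryptographically is still worthless unless the key that made it is in, and trusted by, the keyring on your machine. Swapping mirrors changes neither of those, which is why a key regeneration on the client side, not a change of mirror, was the fix.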
