LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   AlienBoB Repository address point to http://taper.alienbase.nl/mirrors/people/alien/ (http://www.linuxquestions.org/questions/slackware-14/alienbob-repository-address-point-to-http-taper-alienbase-nl-mirrors-people-alien-4175453338/)

number22 03-08-2013 08:20 PM

AlienBoB Repository address point to http://taper.alienbase.nl/mirrors/people/alien/
 
is this legit address?

stormtracknole 03-08-2013 08:26 PM

Quote:

Originally Posted by number22 (Post 4907739)
is this legit address?

It is as legit as they come. Super fast mirror too!

number22 03-08-2013 08:30 PM

well, we want download software from official channel, just plain security concerns,when web address don't match up with AlienBob's website. Just testing some software, so if problem occurs we know where it comes from. For now, we just don't use these pre-compiled software from unknown source.

allend 03-08-2013 08:34 PM

Yes.
For confirmation you could visit here. http://alien.slackbook.org/blog/
If you have concerns about any packages, then check them with the GPG key. http://taper.alienbase.nl/mirrors/pe...builds/GPG-KEY
After you have installed the key, when you download the package you can also download the associated .asc file and run 'gpg2 --verify <packagename>.asc'. This will confirm that the package was signed by Alien Bob. There will also be message that the key has not been certified with a trusted signature, but no need for alarm. See http://www.linuxquestions.org/questi...ng-4175452476/

Alien Bob 03-09-2013 05:34 AM

Quote:

Originally Posted by number22 (Post 4907743)
well, we want download software from official channel, just plain security concerns,when web address don't match up with AlienBob's website. Just testing some software, so if problem occurs we know where it comes from. For now, we just don't use these pre-compiled software from unknown source.

Who says that http://taper.alienbase.nl/mirrors/ is not one of my web sites? I use more web sites than just http://slackware.com/~alien . Have you looked at that server's homepage at all?
In fact, I decided to relieve the Slackware webserver (which hosts http://slackware.com/~alien) from the many gigabytes of downloads per month caused by my package repository and I have setup HTTP re-direction to http://taper.alienbase.nl/mirrors/ for my package amd multilib repositories. Taper is my high-speed mirror.

Exacly like allend explained to you, it is of no importance where you download these packages. Any morror will have the same packages, and if you are paranoid and do not trust the mirror admins (which is a very valid feeling) you should ALWAYS use a GPG verification check to make certain that the downloaded packages are un-altered originals.

Eric

Habitual 03-09-2013 08:19 AM

Poor Eric, can't catch a break since this post... ;)

I may just do an alien.bournetoraiseshell.com in your honor.

number22 03-09-2013 01:37 PM

Quote:

Originally Posted by Alien Bob (Post 4907901)
Who says that http://taper.alienbase.nl/mirrors/ is not one of my web sites? I use more web sites than just http://slackware.com/~alien . Have you looked at that server's homepage at all?
In fact, I decided to relieve the Slackware webserver (which hosts http://slackware.com/~alien) from the many gigabytes of downloads per month caused by my package repository and I have setup HTTP re-direction to http://taper.alienbase.nl/mirrors/ for my package amd multilib repositories. Taper is my high-speed mirror.

Exacly like allend explained to you, it is of no importance where you download these packages. Any morror will have the same packages, and if you are paranoid and do not trust the mirror admins (which is a very valid feeling) you should ALWAYS use a GPG verification check to make certain that the downloaded packages are un-altered originals.

Eric

Dude, take chill pill, relax, if http://taper.alienbase.nl/mirrors/people/alien/ is your official sits, just change it on slackware.com

My boss click it and mirror to some other site, I got all bs on me. I have to ask the question just to make sure. would you relax, Eric?

Alien Bob 03-09-2013 01:45 PM

Quote:

Originally Posted by number22 (Post 4908121)
Dude, take chill pill, relax, if http://taper.alienbase.nl/mirrors/people/alien/ is your official sits, just change it on slackware.com

My boss click it and mirror to some other site, I got all bs on me. I have to ask the question just to make sure. would you relax, Eric?

What did you not understand about "mirror"? I do not have an "official" server. They are all just as official as the others.
Your boss could have contacted me if he was so upset.

In fact, downloading from a mirror should always be your first option. The mirrors are there to prevent swamping the main site (slackware.com) with downloads. Mirrors have big fat internet pipes, that is why they are mirrors.

Eric

number22 03-09-2013 01:58 PM

Quote:

Originally Posted by Alien Bob (Post 4908125)
What did you not understand about "mirror"? I do not have an "official" server. They are all just as official as the others.
Your boss could have contacted me if he was so upset.

In fact, downloading from a mirror should always be your first option. The mirrors are there to prevent swamping the main site (slackware.com) with downloads. Mirrors have big fat internet pipes, that is why they are mirrors.

Eric

What you don't understand office politics, legal issues as far as my boss understanding of mirror. Hard to explain. People always looking for excuse to spend and "upgrade" things which isn't broke.

Skaperen 03-09-2013 02:48 PM

I think the answer to this is to establish an authority of trust. The OP is probably looking for something that tells him a particular URL is "good" (as opposed to not known to be "good") from one of the sources he already trusts (presumably like "slackware.com"). I guess he didn't consider the link to http://wiki.alienbase.nl/doku.php as sufficient to establish alienbase.nl as trustable.

There's also slackbuilds to be trusted (well, at least I do).

astrogeek 03-09-2013 05:59 PM

Quote:

Originally Posted by Skaperen (Post 4908158)
I think the answer to this is to establish an authority of trust.

Well, that is the GPG key check as already mentioned...

MadMaverick9 03-10-2013 08:57 PM

Quote:

Quote:
Originally Posted by Skaperen View Post
I think the answer to this is to establish an authority of trust.
Well, that is the GPG key check as already mentioned...
Simply putting a GnuPG key into "http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/" does not establish trust.

Trust needs to be established by verifying the signatures on a key. And since very likely Eric's circle of trust is disjoint from my circle of trust, there is no way for me to really establish trust.

Eric - no offense, please. But the last few comments reminded me of something that Bruce Willis said in the movie Surrogates:

Quote:

Honey, I don't know what you are. I mean, for all I know, you could be some big, fat dude sitting in his stim chair with his .... hanging out.
Please correct me if I am wrong, but all that the GPG key really can do for me at the moment, is telling me that files have not been tampered with between now and the next time I download something.

Would be nice if Eric's key were signed by "Slackware Linux Project <security@slackware.com>" (0x40102233) directly. I did not check if Eric's key is trusted by 0x40102233 indirectly.

And the photo in Eric's key really only helps people who know Eric in person to establish trust.

volkerdi 03-10-2013 09:27 PM

Quote:

Originally Posted by MadMaverick9 (Post 4908882)
Would be nice if Eric's key were signed by "Slackware Linux Project <security@slackware.com>" (0x40102233) directly.

Done. Hope you sleep better now. ;)

MadMaverick9 03-10-2013 09:43 PM

Very Cool! Thank you very much, Pat. :hattip:

Well - just trying to help out the OP.

http://pgp.mit.edu:11371/pks/lookup?...CBDA0&op=index

number22 03-11-2013 01:29 PM

Quote:

Originally Posted by MadMaverick9 (Post 4908882)
Would be nice if Eric's key were signed by "Slackware Linux Project <security@slackware.com>" (0x40102233) directly. I did not check if Eric's key is trusted by 0x40102233 indirectly.

And the photo in Eric's key really only helps people who know Eric in person to establish trust.

Bingo. April is starting new year, budget is calculated for some spending on hardware and software, people are looking for excuses for some seriouse spending. I want hardware upgrade to lower power consumptions, others want to spend on software, some bigger name brand. I don't want touch software side, too much headaches. They pressure me to reconsider, slackware.com doesn't look flashy; serious B2B site, blah, blah, bs etc. one thing leads to this threads is our software policy not using mirrors site, all source code must come from official sites, we bought slackware from slackware store, and all patches are getting from ftp.slackware.com.


All times are GMT -5. The time now is 04:41 PM.