[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: final release - p2p or mirrors

From: Jim Cornette <redhat-jc insight rr com>
To: For testers of Fedora Core development releases <fedora-test-list redhat com>
Subject: Re: final release - p2p or mirrors
Date: Sat, 15 May 2004 17:33:50 -0400

Eugen Leitl wrote:

On Sat, May 15, 2004 at 02:52:42PM -0400, Jim Cornette wrote:

I still feel uncomfortable with p2p transfers. Also, I don't like the

You shouldn't. The integrity is asserted by the transport layer, you shall of course check digital signatures to assert you're downloading the genuine thing (if you're paranoid that way, I personally don't bother to check at this yellow-green threat level).

I was thinking in reference to someone posting about a high fragmentation level on a bittorrent acquired iso. I was also thinking that bittorrent used bits and pieces of files available. I never thought about tcp/ip delivering packets. I assumed that the files on mirrors would be streamed consecutively. (keeps stream of data first to last on file being downloaded.)

Having a pool of computers grabbing some info from one user and some more bits from another source, then another source seems a little too open for foul play.

I'm not so paranoid that I'd need to digitally verify data from the mirrors hosting Fedora. Thanks for pointing out that this could be spoofed also. I felt a false level of security, safer (IMHO), but not super secure.

idea of getting the download in fragments and then reconstructed. I

TCP/IP does that, too. Are you uncomfortable with reading this mail as well?

Thanks for pointing out the packets from tcp/ip. I am not uncomfortable getting mail, etc. (yet)

would rather get transfers from mirrors with a pretty good reputation, instead of a bits and pieces download and reconstructed files.
If you want reputation tracking, use digital signatures to validate authenticity.
Anything else is easily fakeable.

Sounds like a wise practice.

Personally, I usually grab a copy via bittorrent and then give it to our
local mirror.

I personally much prefer to torrent, and leave the download session open for
at least a day, just to be a good bittorrentcitizen.

I only use http/ftp mirrors for those more braindead distributions who're not
into the wonders of P2P yet (hello? Debian? what gives?).

Jim

Follow-Ups:
- Re: final release - p2p or mirrors
  - From: Elliott Wilcoxon
- Re: final release - p2p or mirrors
  - From: Chris Kloiber

References:
- Re: final release
  - From: Michael Cullen
- Re: final release
  - From: Chris Kloiber
- Re: final release
  - From: Eugen Leitl
- Re: final release
  - From: William Hooper
- Re: final release
  - From: Damian Menscher
- Re: final release
  - From: Jim Cornette
- Re: final release
  - From: Eugen Leitl

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]