Allow to fetch from official mirrors when primary is slow/down #35

Open
jooola opened this issue Mar 16, 2019 · 9 comments

Comments


jooola commented Mar 16, 2019

It happens frequently that fdroid repos are really slow to download. Fdroid have set up a few official mirrors and it could be nice to add a feature to fetch from one mirror IF the primary is too slow.

https://forum.f-droid.org/t/why-is-fdroid-down-all-the-time/5028/9

https://fdroid.gitlab.io/mirror-monitor/

@jooola jooola changed the title Allow to fetch from officla mirrors when primary is down Allow to fetch from official mirrors when primary is slow/down Mar 16, 2019
Owner

mvdan commented Mar 16, 2019

Is it not possible to add one of the mirrors as a repository in the config directly?

Also, we rely exclusively on HTTPS for verification of the index at the moment. JAR signatures and fingerprints aren't implemented, so if a mirror is selected, at the moment we have no way to verify that the mirror hasn't tampered with the index.

So I'm reluctant to automatically use mirrors without the user's active approval, as that could lead to security issues.

Contributor

ropery commented Mar 23, 2019

> Is it not possible to add one of the mirrors as a repository in the config directly?

Changing the repo url in config to a mirror only makes it fetch the index jar itself from the mirror, but the apks will be downloaded from f-droid.org, since the index file itself is the same (`apk.RepoURL = index.Repo.Address` in `index.go`).

Maybe just add a user config `mirrors` (= a list of preferred mirrors) which when present will override the repo URL. What do you think?

PS See also the android client issue: Enable user to decide which mirror should be used. Picture:
[image: mirror mockup]

Owner

mvdan commented Mar 24, 2019

Ah, I understand now. Adding a list of preferred mirrors per repository makes sense. The client would try them in order with a small timeout. If the list of mirrors is empty, the behavior would be the same as if the repository itself was the only mirror in the list.

Does the official Android client set up or enable mirrors by default? Are they in the json index?

Contributor

ropery commented Mar 24, 2019

The mirrors are in the json index jar, yes. (The "Official mirrors" in the picture above.)

Owner

mvdan commented Mar 24, 2019

Great - we can make that the default list, which can be overridden in the config file. I can work on this next week, unless someone beats me to it. If you do, just make sure to add proper tests.

@simonvanderveldt

@mvdan Did you get anywhere with this? The main f-droid repos are not very reliable and it would be nice to be able to download from one or more of the mirrors. I changed the repos in the config but the apks are still being downloaded from the main f-droid repo.

Owner

mvdan commented Dec 27, 2020

I didn't end up working on this, no, and I don't have short term plans for it either. PRs are welcome. If other people want to actively work on this project, I'm happy to transfer ownership of the repo.


QiangF commented Apr 2, 2021

Maybe it is unnecessary to think about the speed, just use the url in the config file as the repourl, of course the user knows which one is the closest and approves its use. :-)

@jugendhacker
Contributor

I did some proof of concept testing out if we could check the JAR signature. Turns out it is possible with the help of this library. So my suggestion would be to fetch the index from f-droid.org and save the certificate fingerprint used to sign the JAR file inside our config. If there is a fingerprint present in the config we verify the index we downloaded was signed using the certificate with this fingerprint. Now we could select any mirror (either by bandwidth testing or random) for further downloading and be sure that the index was not manipulated.
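The two ideas from this thread, an ordered mirror list tried with a small timeout and an index accepted only when its signing certificate matches a pinned fingerprint, combined in one Go sketch. This is an added example, not fdroidcl code: `FetchIndex`, `fetchPinned` and the `Signer` callback are hypothetical names, the JAR signature check is assumed to come from a separate library, the index is assumed to live at `index-v1.jar`, and the fingerprint is assumed to be the lowercase hex SHA-256 of the DER certificate.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"net/http"
	"time"
)

// Signer (assumption: wraps a JAR/PKCS#7 library) returns the signing cert in DER.
type Signer func(jar []byte) (certDER []byte, err error)

// fetchPinned accepts a mirror's response only if it is signed by the pinned cert.
func fetchPinned(c *http.Client, base, pin string, verify Signer) ([]byte, error) {
	resp, err := c.Get(base + "/index-v1.jar")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	jar, err := io.ReadAll(io.LimitReader(resp.Body, 64<<20)) // bound the download
	if err != nil {
		return nil, err
	}
	cert, err := verify(jar) // an error page or a modified index fails here
	if err != nil {
		return nil, fmt.Errorf("index signature: %w", err)
	}
	if fmt.Sprintf("%x", sha256.Sum256(cert)) != pin {
		return nil, fmt.Errorf("index signer is not the pinned certificate")
	}
	return jar, nil
}

// FetchIndex tries mirrors in order; an empty list means repo is the only mirror.
func FetchIndex(repo string, mirrors []string, pin string, d time.Duration, verify Signer) (jar []byte, src string, err error) {
	if len(mirrors) == 0 {
		mirrors = []string{repo}
	}
	c := &http.Client{Timeout: d} // a slow mirror is skipped after d
	for _, src = range mirrors {
		if jar, err = fetchPinned(c, src, pin, verify); err == nil {
			return jar, src, nil
		}
	}
	return nil, "", fmt.Errorf("all mirrors failed, last was %s: %w", src, err)
}
```

An empty pin fails closed, since no certificate hashes to it, so the fingerprint has to be recorded from a trusted fetch before mirrors are used.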
