All mirrors are http by default

In a terminal do ‘sudo reflector --country France --country Germany --age 12 --protocol https --sort rate --save /etc/pacman.d/mirrorlist’ after first boot, before updating. Choose your preferred country(ies).

Thanks for the useful info.
In addition to this, with package reflector-auto one can make updating the Arch mirrorlist automatic.

More info about the package: https://github.com/endeavouros-team/PKGBUILDS/tree/master/reflector-auto

3 Likes

alias mirror='sudo reflector --protocol https --latest 50 --number 20 --sort rate --save /etc/pacman.d/mirrorlist'

2 Likes

alias update='mirror && sudo pacman -Syyu'

(just an idea…)

2 Likes

I would go && yay -Syyu, since I have a few packages from the AUR.

alias pksyua='yay -Syu --noconfirm'

In my case, running fish, I did this:

alias mirrors="sudo reflector --verbose --protocol https --country Germany --country Sweden --latest 20 --sort rate --save /etc/pacman.d/mirrorlist"

funcsave mirrors

alias update="mirrors && yay -Syyu"

funcsave update

2 Likes

I’m lazy
alias u='sudo haveged -w 1024; sudo pacman-key --init; sudo pacman-key --populate; sudo pacman-key --refresh-keys; sudo pkill haveged; sudo cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak; sudo reflector --verbose --age 8 --fastest 128 --latest 64 --number 32 --sort rate --save /etc/pacman.d/mirrorlist; sudo pacman -Syy'

2 Likes

for the letter “a” what gives

I’m confused. The title of this post is “All mirrors are http by default”. Yet all the replies are about aliases or reflector-auto.

@gummybear are you saying that even with “--protocol https” in the reflector command line your mirrorlist only contains http mirrors? Or are you just stating how to get https mirrors?

Maybe my addled brain just needs more coffee this morning

I assume the default Arch mirror list is http. Because manually setting protocol to https works for me.

This information may be useful.

Pacman Mirrorlist Generator

Mirrors - Arch Wiki

:sunglasses:

2 Likes

Does it really matter if people on the net see you’re using Arch?

I’m rather surprised that https isn’t the default for Arch.

I just looked at a copy of the original mirrorlist that was created when I installed EndeavourOS and it contained only http mirrors; over 200 of them and not a single https. So the default must be http.

Since installation I ran:

$ sudo reflector --country 'United States' --age 12 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

and my mirrorlist now contains 19 https mirrors; no http ones.

2 Likes

Hi CMarch you say,

I just looked at a copy of the original mirrorlist that was created when I installed EndeavourOS and it contained only http mirrors; over 200 of them and not a single https. So the default must be http.

If that is the case then Endeavour must have altered the Arch mirror list. Here is a section of the original mirror list from my Arch install.

Ukraine

#Server = http://archlinux.ip-connect.vn.ua/$repo/os/$arch
#Server = https://archlinux.ip-connect.vn.ua/$repo/os/$arch
#Server = http://mirrors.nix.org.ua/linux/archlinux/$repo/os/$arch
#Server = https://mirrors.nix.org.ua/linux/archlinux/$repo/os/$arch

United Kingdom

Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
Server = https://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
Server = http://www.mirrorservice.org/sites/ftp.archlinux.org/$repo/os/$arch
Server = https://www.mirrorservice.org/sites/ftp.archlinux.org/$repo/os/$arch
Server = http://arch.serverspace.co.uk/arch/$repo/os/$arch
Server = http://archlinux.mirrors.uk2.net/$repo/os/$arch
Server = http://mirrors.ukfast.co.uk/sites/archlinux.org/$repo/os/$arch
Server = https://mirrors.ukfast.co.uk/sites/archlinux.org/$repo/os/$arch

United States

#Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
#Server = http://mirrors.advancedhosters.com/archlinux/$repo/os/$arch
#Server = http://mirrors.aggregate.org/archlinux/$repo/os/$arch
#Server = http://ca.us.mirror.archlinux-br.org/$repo/os/$arch
#Server = http://il.us.mirror.archlinux-br.org/$repo/os/$arch

As you can see both http and https are included in the list.

:sunglasses:

If the main concern of the post creator was security, http vs https, I believe this is not a big problem, since all packages are signed and need to match the keyring that comes from Arch.

I won’t say it’s impossible to hack this though…

I’m confused (a normal state for me) and the mystery continues. Two days ago I installed Arch/KDE/Plasma on my notebook and don’t remember updating or modifying the mirrorlist. On that notebook /etc/pacman.d/mirrorlist contains about 275 mirrors and not a single https.

As a check, I unarchived the arch iso that I downloaded, unsquashfsed the airootfs.sfs file, and looked at the /etc/pacman.d/mirrorlist contained on the iso. Approximately 275 mirrors and not a single https. According to comments in the file the mirrorlist was generated on 2019-08-01. Conclusion: the iso that I downloaded two days ago (probably from Princeton) contains no https mirrors.

1 Like
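The manual check described in the posts above (counting http versus https entries in a mirrorlist) can be scripted; this is an added example, not part of the original thread. The function names and the sample mirror hostnames are constructed for illustration; point `audit_mirrorlist` at /etc/pacman.d/mirrorlist on a real system.

```shell
#!/usr/bin/env bash
# Added example: audit a pacman mirrorlist for plaintext (http) mirrors.

# count_servers FILE STATE SCHEME -> prints the number of matching Server lines
#   STATE = active | commented      SCHEME = http | https
count_servers() {
    local file=$1 state=$2 scheme=$3 prefix
    [ -r "$file" ] || return 2
    case $state in
        active)    prefix='^[[:space:]]*' ;;
        commented) prefix='^[[:space:]]*#+[[:space:]]*' ;;
        *)         return 2 ;;
    esac
    # grep -c exits 1 on a zero count; that is a valid result, not an error
    grep -Ec "${prefix}Server[[:space:]]*=[[:space:]]*${scheme}://" "$file" || true
}

# plaintext_mirrors FILE -> prints the URL of every active http:// mirror
plaintext_mirrors() {
    sed -nE 's|^[[:space:]]*Server[[:space:]]*=[[:space:]]*(http://[^[:space:]]+).*|\1|p' "$1"
}

# audit_mirrorlist FILE -> summary on stdout; returns 1 if any active mirror is http
audit_mirrorlist() {
    local file=$1 plain tls
    plain=$(count_servers "$file" active http)  || return 2
    tls=$(count_servers "$file" active https)   || return 2
    printf 'active mirrors: %s https, %s http\n' "$tls" "$plain"
    plaintext_mirrors "$file" | sed 's/^/  plaintext: /'
    [ "$plain" -eq 0 ]
}

# Constructed sample input (hostnames are placeholders, not real mirrors)
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
## Constructed sample, not a real mirrorlist
## Exampleland
Server = http://mirror-a.example.org/$repo/os/$arch
Server = https://mirror-a.example.org/$repo/os/$arch
Server = http://mirror-b.example.net/archlinux/$repo/os/$arch
#Server = https://mirror-c.example.com/$repo/os/$arch
#Server = http://mirror-d.example.com/$repo/os/$arch
EOF

audit_mirrorlist "$sample" || echo "result: plaintext mirrors are enabled"
```

Only uncommented `Server` lines are used by pacman, so commented http entries do not fail the audit.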

@fernandomaroto The OP has never replied to the original post, but I believe you are correct in assuming he was concerned with security of http downloads. By checking signatures and md5/sha1 sums http should be pretty safe.

2 Likes

Man in the middle attacks?