I updated my Arch reflector list today for Germany, and it wants to include a mirror from a domain hugo-betrugo.de. In German, this reads like “Hugo Fraud”. Is that really a legit mirror site?
In /etc/pacman.d/mirrorlist:
## Germany
Server = https://mirror.hugo-betrugo.de/archlinux/$repo/os/$arch
I manually removed it, to be sure…
I had a quick look in a web browser and there’s no obvious red flags.
This site is in the mirrorlist for ages.
Should be OK.
Yeah, I did, too. The folders look normal, but how can we be sure?
Also, the main page https://hugo-betrugo.de just shows no info at all.
It’s an old website and it’s hosted by Hetzner. Unfortunately, there’s not more to find out after the WHOIS stuff went private.
Seems the mirror was added in September 2023.
Legit it may be, but the name alone makes it too suspect to me, so I keep it removed.
Note that you may exclude mirrors with option --exclude in reflector.
See reflector -h for more info.
Thanks, that’s helpful. I tried to enter that into the Optional reflector params field in the welcome app, but I must be making a stupid mistake—Server = https://mirror.hugo-betrugo.de/archlinux/$repo/os/$arch gets included every time.
I tried:
--exclude 'hugo-betrugo\.de'--exclude "hugo-betrugo\.de"--exclude '.*hugo-betrugo\.de.*'--exclude ".*hugo-betrugo\.de.*"--exclude '^.*hugo-betrugo\.de.*$'--exclude "^.*hugo-betrugo\.de.*$"Or am I checking the wrong file here? /etc/pacman.d/mirrorlist
Or should I maybe modify /etc/xdg/reflector/reflector.conf instead? Or /etc/reflector-simple.conf? (But both show different options from what I have in the Welcome app.)
Maybe you don’t need the -- at the beginning?
Just for fun I searched for the name hugo betrugo, and look what came up 
Having a quick glance at the code and the sample .conf files, I think we do need the -- (or -) before options.
--exclude hugo
I needs only a part of the name, preferably no dots.
Guess I got it. Seems you have to use a correct RegEx (like .*hugo-betrugo\.de.* but without any quoting! reflector-simple adds its own set of single quotes:
$ cat /etc/pacman.d/mirrorlist | grep -i hugo
# With: reflector --verbose -c DE --protocol https --sort age --latest 20 --download-timeout 5 --exclude '.*hugo-betrugo\.de.*'
Phew. What a lot of minor oddities one has to consider…
EDIT: And yes, --exclude hugo-betrugo\.de is actually good enough (the \ makes the following . a literal, instead of its normal meaning “any character”).
Thanks for the help @manuel!
It’s not only soundcloud. There are also vids on YT, and there’s an insta account for a band with this name (hence the SoundCloud).
I think OP is overly cautious and this is just a meme name, but I also have my own policies for the mirror servers, so I can understand.
For the packages, I use only universities and hosters like netcologne or xtom:
grep -Ev '^(;|#|//|$)' /etc/pacman.d/mirrorlist:
Server = https://cdnmirror.com/archlinux/$repo/os/$arch
Server = https://ftp.agdsn.de/pub/mirrors/archlinux/$repo/os/$arch
Server = https://ftp.fau.de/archlinux/$repo/os/$arch
Server = https://mirror.informatik.tu-freiberg.de/arch/$repo/os/$arch
Server = https://mirror.netcologne.de/archlinux/$repo/os/$arch
Server = https://packages.oth-regensburg.de/archlinux/$repo/os/$arch
Server = https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch
Server = https://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch
Server = https://mirrors.xtom.de/archlinux/$repo/os/$arch
Yes I saw all that when I was doing a search for that name , and I think you are being right about being overly cautios by the OP. As long it is not on top of the list of mirrors I think not a lot can happen (I saw it near the bottom of my list of mirrors from Germany after reranking the mirrors.
I agree I can be a little paranoid, at times… 
(And actually, I also prefer well-known universities!)
Well you never know what students might do at this well-known Unies do you 
Yeah… remember fondly, we had lots of crazy fun back then, but never were maliciuos. 
Same, same.
“You are young only once – but if you do it the right way, that’s more than enough!”
Would you blindly trust a server which is called do-not-worrie-you-can-trust-me.com?
