Mirroring the TinyCoreLinux repository

[mat128]

Hey guys,

First off, thanks for your excellent work on TinyCoreLinux, it has been very helpful for us.

I was wondering how we could mirror the repository? I could not find any official docs on that topic, other than the mirror list itself on the wiki.

Thank you,
Mathieu

[gerald_clark]

Mirroring is not encouraged due to bandwidth issues.

[curaga]

rsync doesn't use much, just the first full copy does (the entire tree is over 108gb!). So if you want to mirror things, please do the first copy from a mirror near you instead of tinycorelinux.net, then keep it up to date with rsync from the main mirror. Recursive wget works fine for the first copy.

To save your space, you can avoid copying older versions, etc. Look up wget and rsync man pages on how to do that.

[andyj]

I'd be happy just to mirror the version I'm using, which I hope is less than 108 gigs. Then I could be hitting that instead of ibiblio.net all the time. The other architectures won't do me any good. I didn't know rsync was an option. I wouldn't want to update very often. What would that URL be?

[curaga]

This is what I use to sync everything:

Code: [Select]

rsync -av --delete repo.tinycorelinux.net::tc /path/to/dest


[mat128]

Thanks for your replies, rsync seems to work. Is there a preferred schedule? How often should I sync the repo?

[curaga]

The official mirrors sync once a day, if yours is for internal use, you may do it less often, depends what you need.

[mat128]

Excellent. On the topic of mirrors, is there any plan to offer GPG signatures and/or mirrors over HTTPS to ensure data authenticity? (c.f. https://bugs.launchpad.net/ironic-python-agent/+bug/1581112)

[curaga]

No, I'm afraid not. The reason is that neither could be made use of in the default image really, and so they'd be used by a small minority.

Both GPG and SSL support are really big (in space) and slow (execution speed - remember, we support 486). Increasing the base image size by say 50%, and boot time by 5x, they aren't tradeoffs worth it. Checking signatures only at download time would expose you to anyone who has had physical access to your usb stick, etc, and so isn't really a complete solution.

An option I thought about was writing a small public key signing program, and I created one using the ed25519 elliptic curves. The binary was about 75kb IIRC, which would be acceptable in the base image. However, the speed is still prohibitive for low-end computers, and a home-grown solution would be scoffed at by the general public, even if it was using a verified library for the cryptography.