fdroidcl

Allow to fetch from official mirrors when primary is slow/down

Open jooola opened this issue 5 years ago • 9 comments

It happens frequently that fdroid repos are really slow to download. Fdroid has set up a few official mirrors and it could be nice to add a feature to fetch from one mirror IF the primary is too slow.

https://forum.f-droid.org/t/why-is-fdroid-down-all-the-time/5028/9

https://fdroid.gitlab.io/mirror-monitor/

jooola avatar Mar 16 '19 17:03 jooola

Is it not possible to add one of the mirrors as a repository in the config directly?

Also, we rely exclusively on HTTPS for verification of the index at the moment. JAR signatures and fingerprints aren't implemented, so if a mirror is selected, at the moment we have no way to verify that the mirror hasn't tampered with the index.

So I'm reluctant to automatically use mirrors without the user's active approval, as that could lead to security issues.

mvdan avatar Mar 16 '19 17:03 mvdan

> Is it not possible to add one of the mirrors as a repository in the config directly?

Changing the repo url in config to a mirror only makes it fetch the index jar itself from the mirror, but the apks will be downloaded from f-droid.org, since the index file itself is the same (apk.RepoURL = index.Repo.Address in index.go).

Maybe just add a user config mirrors (= a list of preferred mirrors) which when present will override the repo URL. What do you think?

PS See also the android client issue: Enable user to decide which mirror should be used. Picture: mirror mockup

ropery avatar Mar 23 '19 12:03 ropery

Ah, I understand now. Adding a list of preferred mirrors per repository makes sense. The client would try them in order with a small timeout. If the list of mirrors is empty, the behavior would be the same as if the repository itself was the only mirror in the list.

Does the official Android client set up or enable mirrors by default? Are they in the json index?

mvdan avatar Mar 24 '19 09:03 mvdan

The mirrors are in the json index jar, yes. (The "Official mirrors" in the picture above.)

ropery avatar Mar 24 '19 10:03 ropery

Great - we can make that the default list, which can be overridden in the config file. I can work on this next week, unless someone beats me to it. If you do, just make sure to add proper tests.

mvdan avatar Mar 24 '19 11:03 mvdan

@mvdan Did you get anywhere with this? The main f-droid repos are not very reliable and it would be nice to be able to download from one or more of the mirrors. I changed the repos in the config but the apks are still being downloaded from the main f-droid repo.

simonvanderveldt avatar Dec 24 '20 18:12 simonvanderveldt

I didn't end up working on this, no, and I don't have short term plans for it either. PRs are welcome. If other people want to actively work on this project, I'm happy to transfer ownership of the repo.

mvdan avatar Dec 27 '20 17:12 mvdan

Maybe it is unnecessary to think about the speed, just use the url in the config file as the repourl, of course the user knows which one is the closest and approves its use. :-)

QiangF avatar Apr 02 '21 09:04 QiangF

I did some proof of concept testing out if we could check the JAR signature. Turns out it is possible with the help of this library. So my suggestion would be to fetch the index from f-droid.org and save the certificate fingerprint used to sign the JAR file inside our config. If there is a fingerprint present in the config we verify the index we downloaded was signed using the certificate with this fingerprint. Now we could select any mirror (either by bandwidth testing or random) for further downloading and be sure that the index was not manipulated.

jugendhacker avatar Sep 13 '23 18:09 jugendhacker
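
The pinning scheme proposed in the last comment, sketched as an added example (not code from fdroidcl or from any commenter). `Index`, `PickIndex`, `ErrNoTrustedIndex` and the mirror URLs are hypothetical; JAR signature verification is assumed to have already yielded the signer certificate, and the fingerprint is assumed to be the SHA-256 of its DER encoding.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Index is a hypothetical stand-in for an index jar fetched from Source.
// SignerCert is the DER certificate that verified its JAR signature (assumed done).
type Index struct {
	Source     string
	SignerCert []byte
}

var ErrNoTrustedIndex = errors.New("no candidate index signed by a trusted certificate")

// Fingerprint is the hex SHA-256 of the DER-encoded signing certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PickIndex returns the first candidate signed by the pinned certificate, plus
// the pin to store in the config. With an empty pin (first run) only the
// primary repository may establish it; a mirror is never used to pin.
func PickIndex(pin, primary string, candidates []Index) (Index, string, error) {
	for _, idx := range candidates {
		got := Fingerprint(idx.SignerCert)
		if pin == "" && idx.Source == primary {
			return idx, got, nil // first use: pin what the primary serves
		}
		if pin != "" && subtle.ConstantTimeCompare([]byte(pin), []byte(got)) == 1 {
			return idx, pin, nil
		}
	}
	return Index{}, pin, ErrNoTrustedIndex
}

func main() {
	// Constructed data: byte strings stand in for DER certificates.
	primary, repoCert := "https://f-droid.org/repo", []byte("constructed-repo-cert")
	_, pin, _ := PickIndex("", primary, []Index{{primary, repoCert}})
	idx, _, err := PickIndex(pin, primary, []Index{
		{"https://mirror-a.example/repo", []byte("constructed-other-cert")},
		{"https://mirror-b.example/repo", repoCert}})
	fmt.Println(idx.Source, err)
}
```

A mirror whose index is signed by a different certificate is skipped rather than trusted, and a changed pin on the primary surfaces as an error instead of being silently re-pinned.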