official fdroid repo terribly slow
Closed this issue · 1 comments
The updater code uses the main address in the json, its much faster to use mirrors[0] instead.
{
"repo": {
"timestamp": 1649989373000,
"version": 20001,
"maxage": 14,
"name": "F-Droid",
"icon": "fdroid-icon.png",
"address": "https://f-droid.org/repo",
"description": "\nThe official F-Droid Free Software repository. Everything in this\nrepository is always built from the source code.\n",
"mirrors": [
"https://ftp.fau.de/fdroid/repo",
"https://mirror.cyberbits.eu/fdroid/repo",
"https://fdroid.tetaneutral.net/fdroid/repo",
"https://ftp.lysator.liu.se/pub/fdroid/repo",
"https://plug-mirror.rcac.purdue.edu/fdroid/repo"
]
},
Thanks, but:
a) While I do myself use a mirror with the F-Droid client on my phone, it is hardly an issue for a script I run once a week or even less. F-Droid's primary servers run fine most of the time, and that's good enough for me.
b) Not all repos have mirrors (neither microg nor nanolx do), and this naive one-liner change would just make downloads from both of those fail immediately. At the very least you need to have fallback code for when there aren't any mirrors.
c) Choosing any arbitrary mirror from an arbitrarily-ordered, ever-changing list is a bad idea. Most random mirrors have terrible uptime (and probably worse speeds) than what the main F-Droid server would give, for all of its issues. You'd have to write a lot of unnecessary code for falling back to other mirrors and finally to the main server when downloads fail.
d) This isn't great security-wise. While the update script has Trust-On-First-Use signature checking for APKs, that doesn't protect the first time download. All of those mirrors should be, by default, considered untrusted, and can replace anything as they wish, because the script is not (yet) checking the downloads against the signatures and checksums in the manifest.