Save bandwidth using repo mirror

[mwt]

As I mentioned on #278, I created mirrors of the deb and rpm repositories in the hopes that we can reduce the bandwidth requirements on packagecloud without giving shiftkey any more work by disrupting his CI workflow. To this end, I have setup a complete mirror. The mirror has the following properties/features:

• IPv4/IPv6 support
• http/https support
• Syncs with packagecloud every 6 hours
• Works with both deb and rpm based distributions
• Is located in New Jersey near NYC, USA
• Preserves shiftkey's GPG signature; so I cannot tamper with the files
• Remains functional (though stale) if packagecloud runs our of bandwidth or goes down
• Highly scalable, static ngnix server

I encourage anyone reasonably close to the node (i.e. US/Europe) to test this mirror as a way of reducing bandwidth on packagecloud. This way, we can hopefully keep the packagecloud repo up all month and eventually reduce shiftkey's hosting costs. The original packagecloud server is probably faster in most locations, but how much does this matter for a repo with just one relatively small package?

Usage

Debian/Ubuntu

The mirror url is https://mirror.mwt.me/ghd/deb/. You can change this in your sources manually, or by running the following modified command from the readme:

$ wget -qO - https://keys.openpgp.org/vks/v1/by-keyid/7650C43BBA3C3A2C | sudo tee /etc/apt/trusted.gpg.d/shiftkey-desktop.asc > /dev/null
$ sudo sh -c 'echo "deb [arch=amd64] https://mirror.mwt.me/ghd/deb any main" > /etc/apt/sources.list.d/packagecloud-shiftkey-desktop.list'
$ sudo apt update

Red Hat/CentOS/Fedora

The mirror url is https://mirror.mwt.me/ghd/rpm/. You can change this in your sources manually, or by running the following modified command from the readme:

$ sudo rpm --import https://keys.openpgp.org/vks/v1/by-keyid/7650C43BBA3C3A2C
$ sudo sh -c 'echo -e "[shiftkey]\nname=GitHub Desktop\nbaseurl=https://mirror.mwt.me/ghd/rpm\nenabled=1\ngpgcheck=0\nrepo_gpgcheck=1\ngpgkey=https://packagecloud.io/shiftkey/desktop/gpgkey" > /etc/yum.repos.d/shiftkey-desktop.repo'

OpenSUSE distribution

The mirror url is https://mirror.mwt.me/ghd/rpm/. You can change this in your sources manually, or by running the following modified command from the readme:

$ sudo rpm --import https://keys.openpgp.org/vks/v1/by-keyid/7650C43BBA3C3A2C
$ sudo sh -c 'echo -e "[shiftkey]\nname=GitHub Desktop\nbaseurl=https://mirror.mwt.me/ghd/rpm\nenabled=1\ngpgcheck=0\nrepo_gpgcheck=1\ngpgkey=https://packagecloud.io/shiftkey/desktop/gpgkey" > /etc/zypp/repos.d/shiftkey-desktop.repo'

Notes

• You can also use the mirror over Cloudflare by replacing mirror.mwt.me with mirror-cf.mwt.me in any of the steps above.
• I have also mirrored the gpg key to https://mirror.mwt.me/ghd/gpgkey though I don't suggest anyone use it, as it defeats the purpose of repo signing.
• I have not thoroughly tested the rpm repo because I do not use or have any experience with rpm-based distros. Please let me know below if it does/doesn't work for you. I use the deb one myself.
• This solution is flexible in the sense that the mirror can be pointed at any other provider that shiftkey may choose to move to in the future.
• Feel free to make mirrors that clone from my mirror. However, my rpm repo workflow is pretty hackish. If you are using an rpm distro, it's probably better for me to clone from you rather than the other way around.
• I'm happy to make this the default repo in the readme instructions to help reduce bandwidth from new users.

[crazyn2]

Sorry, after follow the modified steps, I got those errors in Ubuntu20.04 amd64

Err:10 https://mirror.mwt.me/ghd/deb any InRelease                             
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7E65990E879472F`

[mwt]

This is true. New users can't get the gpg key when there's no bandwidth. You can fix this by running

wget -qO - https://mirror.mwt.me/ghd/gpgkey | sudo tee /etc/apt/trusted.gpg.d/shiftkey-desktop.asc > /dev/null

This requires you to trust my server (because I could change both the binaries and the key). So, I've avoided this in the instructions.

This issue is easy to fix because this single static file is very easy to mirror. For example, Shiftkey could make a public gist or put it on his website.

Edit: This has since been fixed by using keys.openpgp.org.

[crazyn2]

In fact, I've done this at all but there is still an error existing.

Err:10 https://mirror.mwt.me/ghd/deb any InRelease                             
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7E65990E879472F`

[mwt]

Hi. The command I sent is different from the first one you ran.

[crazyn2]

Could you please give me the correct command directly?
OS: Ubuntu20.04 LTS amd64

[mwt]

Could you please give me the correct command directly?

That's the first thing I did when you said you had an issue:

You can fix this by running

wget -qO - https://mirror.mwt.me/ghd/gpgkey | sudo tee /etc/apt/trusted.gpg.d/shiftkey-desktop.asc > /dev/null

Just run this one command and apt update.

[crazyn2]

Thanks