If download from a given mirror fails try from another one and finally download from suse

[Zbigniew2023]

Please fix a few security issues with mirror selection code:

1. If download from a given mirror fails try from another one and finally download from Suse.

2. If I click i key to ignore failed download for some packages download the rest and install the rest instead of aborting whole update/upgrade with text: Warning: You have chosen to ignore a problem with download or installation of a package which might lead to broken dependencies of other packages. It is recommended to run 'zypper verify' after the operation has finished.
   Installation has completed with error.

3. Never download from an excluded mirror domains list

4. exclude *.ru and *.by domains from:
   -Mirrors in other countries, but same continent: Europe as they do not belong to Europe continent

• Mirrors in other parts of the world: because they do not belong to this world.
  When I saw that zypper ref; zypper dup tries to download from *.ru and *.by hostile domains I have immediately blocked all their IPs on iptables and router firewall to avoid downloading malware. zypper still keep trying to download from mirror.tspu.ru - I press r to retry from another mirror but it keep choosing this one despite being rejected. Adding .mirrorlist to url shows that there is another mirror at repo.opensuse.id but it is never selected. An example from 17.11.2023 05:19: http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libfreebl3-3.94-3.16.x86_64.rpm.mirrorlist
  shows mirrors:
  Mirrors
  List of best mirrors for IP address in (PL)
  Mirrors which handle this country: 0
  None
  Mirrors in other countries, but same continent: 1
  mirror.tspu.ru (RU)

Mirrors in other parts of the world: 1
repo.opensuse.id (ID)

Here is stubborn zypper ref; zypper dup:
Retrieving: libfreebl3-3.94-3.16.x86_64 (mozilla) (591/734), 391.0 KiB
Retrieving: libfreebl3-3.94-3.16.x86_64.rpm ............................................................................................................................................................................................................................[error]
Download (curl) error for 'http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libfreebl3-3.94-3.16.x86_64.rpm':
Error code: Connection failed
Error message: Failed to connect to mirror.tspu.ru port 80 after 0 ms: Couldn't connect to server

Abort, retry, ignore? [a/r/i/...? shows all options] (a): r
Retrieving: libfreebl3-3.94-3.16.x86_64.rpm ............................................................................................................................................................................................................................[error]
Download (curl) error for 'http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libfreebl3-3.94-3.16.x86_64.rpm':
Error code: Connection failed
Error message: Failed to connect to mirror.tspu.ru port 80 after 0 ms: Couldn't connect to server

Abort, retry, ignore? [a/r/i/...? shows all options] (a): r
Retrieving: libfreebl3-3.94-3.16.x86_64.rpm ............................................................................................................................................................................................................................[error]
Download (curl) error for 'http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libfreebl3-3.94-3.16.x86_64.rpm':
Error code: Connection failed
Error message: Failed to connect to mirror.tspu.ru port 80 after 0 ms: Couldn't connect to server

Abort, retry, ignore? [a/r/i/...? shows all options] (a): r
Retrieving: libfreebl3-3.94-3.16.x86_64.rpm ............................................................................................................................................................................................................................[error]
Download (curl) error for 'http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libfreebl3-3.94-3.16.x86_64.rpm':
Error code: Connection failed
Error message: Failed to connect to mirror.tspu.ru port 80 after 0 ms: Couldn't connect to server

Abort, retry, ignore? [a/r/i/...? shows all options] (a): r
Retrieving: libfreebl3-3.94-3.16.x86_64.rpm ............................................................................................................................................................................................................................[error]
Download (curl) error for 'http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libfreebl3-3.94-3.16.x86_64.rpm':
Error code: Connection failed
Error message: Failed to connect to mirror.tspu.ru port 80 after 0 ms: Couldn't connect to server

Abort, retry, ignore? [a/r/i/...? shows all options] (a):

The same problem is for:
http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/mozilla-nss-certs-3.94-3.16.x86_64.rpm
http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/mozilla-nss-3.94-3.16.x86_64.rpm
http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/libsoftokn3-3.94-3.16.x86_64.rpm
http://download.opensuse.org/repositories/mozilla/openSUSE_Tumbleweed/x86_64/MozillaThunderbird-115.4.3-1.1.x86_64.rpm
stubborn zypper dup does not try to download from repo.opensuse.id instead of hostile mirror.tspu.ru
There is something wrong that Mozilla packages initially are available from repo.opensuse.id and hostile mirror.tspu.ru only.

greetings,
Zbigniew

[andrii-suse]

1, 2, 3 - this logic is for package managers (zypper or dnf) - you can learn that those provide possibility for retry of different mirrors (maybe it needs additional configuration). If any case from what I see it is not an issue with download redirector, e.g. you can complain to https://github.com/openSUSE/libzypp

4 - openSUSE infrastructure is mature enough to block corrupted / dangerous rpms if those where injected by an attacker or by mistake. But if you want to avoid certain countries - you can add parameter ?AVOID_COUNTIRY=ru,by in repo files, e.g. see #429 (comment)

stubborn zypper dup does not try to download from repo.opensuse.id

At the moment repo.opensuse.id indeed has file libfreebl3-3.94-3.16.x86_64.rpm , but the latest file is libfreebl3-3.94-3.17.x86_64.rpm already. Similar situation could be when you tried - either the mirror didn't get the file yet or it wasn't discovered by scanners. With all amount of changes it usually takes several hours when the files are discovered, so you cannot expect perfect redirect for folders that were changed recently. Better use reliable mirror directly in such cases

[andrii-suse]

Ah I didn't notice that you mention that repo.opensuse.id had the file. So please direct the complain to zypper team, in edge case you could fetch the file manually from the good mirror and put it into corresponding directory under /var/cache/zypp/packages/ and zypper would pick it up instead of downloading.

[andrii-suse]

While zypper team is working on improving download experience - there is another tool to help with zypper downloads, it is mentioned at the end in this news article https://news.opensuse.org/2024/03/14/qol-improvements-for-the-download-redirector/

I will close the ticket, because it is not much in MirrorCache to improve such experience.