ben-grande / qusal

Salt Formulas for Qubes OS.

sys-cacher misses important acng.conf improvements from upstream : Fedora still can't update with sys-cacher deployed #47

Closed tlaurion closed 2 months ago

tlaurion commented 2 months ago

Commitment

I confirm that I have read the following resources:

Current problem (if any)

upstream: https://github.com/unman/shaker/commits/main/cacher/acng.conf downstream: https://github.com/unman/shaker/blob/main/cacher/acng.conf

Comparison of files:

diff -u <(curl --silent https://raw.githubusercontent.com/ben-grande/qusal/main/salt/sys-cacher/files/server/conf/acng.conf) <(curl --silent https://raw.githubusercontent.com/unman/shaker/main/cacher/acng.conf)
--- /dev/fd/63  2024-04-19 16:41:32.935677832 -0400
+++ /dev/fd/62  2024-04-19 16:41:32.936677832 -0400
@@ -1,8 +1,3 @@
-# SPDX-FileCopyrightText: 2022 - 2024 unman <unman@thirdeyesecurity.org>
-# SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
 #
 # IMPORTANT NOTE:
 #
@@ -16,20 +11,14 @@
 # software package downloads. It's supposed to be in a directory specified by
 # the -c option of apt-cacher-ng, see apt-cacher-ng(8) for details.
 # RULES:
-# - letter case in variable names does not matter
-# - names and values are separated by colon or equals sign
-# - for boolean variables, zero means false, non-zero means true
-# - "default value" means built-in (!) defaults, i.e. something which the
-#   program uses if the option is not set here or in other config files.
-#   That value might be explicitly mentioned in the description. Where it is
-#   not, there is no reason to assume any of the examples to be the default
-#   value! In doubt, use acngtool to query the value of the particular variable.
+# Letter case in variable names does not matter, names and values should be
+# separated with colons. For boolean variables, zero number is considered false,
+# non-zero considered true. If a default value is not explicitly mentioned in
+# the description, the commented value assignments mostly represent the default
+# values of the particular variables.

 # Storage directory for downloaded data and related maintenance activity.
 #
-# Note: When the value for CacheDir is changed, change the file
-# /lib/systemd/system/apt-cacher-ng.service too
-#
 CacheDir: /var/cache/apt-cacher-ng

 # Log file directory, can be set empty to disable logging
@@ -52,9 +41,7 @@
 # local interface. DNS resolution is performed using getaddrinfo(3) for all
 # available protocols (IPv4, IPv6, ...). Using a protocol specific format will
 # create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will
-# listen only to IPv4. The endpoint can also be specified as host:port (or
-# [ipv6-address]:port) which allows binding on non-standard ports (Port
-# directive is ignored in this case).
+# listen only to IPv4.
 #
 # Default: listens on all interfaces and protocols
 #
@@ -72,32 +59,18 @@
 # In this example, some backends files might be generated during package
 # installation using information collected on the system.
 # Examples:
-#Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives
-Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
-Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
+#Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian ; file:backends_debian # Debian Archives
+#Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
+Remap-alxrep: file:archlx_mirrors /archlinux 
+Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian 
+Remap-fedora: file:fedora_mirrors # Fedora Linux
+Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
 Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
-Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian
+#Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
 Remap-epel:   file:epel_mirrors # Fedora EPEL
-Remap-fedora: file:fedora_mirrors # Fedora Linux
-Remap-fedora: file:fedora_mirrors # Fedora Linux
-Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
-Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
-Remap-secdeb: security.debian.org security.debian.org/debian-security deb.debian.org/debian-security /debian-security cdn-fastly.deb.debian.org/debian-security ; deb.debian.org/debian-security security.debian.org cdn-fastly.deb.debian.org/debian-security
-Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
 Remap-slrep:  file:sl_mirrors # Scientific Linux
-Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
-# Qusal external repositories
-Remap-dockerrep: https://download.docker.com http://download.docker.com
-Remap-googlerep: https://dl.google.com http://dl.google.com
-Remap-hashicorprep: https://apt.releases.hashicorp.com http://apt.releases.hashicorp.com
-Remap-kicksecuredebrep: https://deb.kicksecure.com http://deb.kicksecure.com
-Remap-launchpadrep: https://ppa.launchpad.net http://ppa.launchpad.net
-Remap-opentofurep: https://packages.opentofu.org http://packages.opentofu.org
-Remap-qubesdebrep: https://deb.qubes-os.org http://deb.qubes-os.org
-Remap-qubesyumrep: https://yum.qubes-os.org http://yum.qubes-os.org
-Remap-signalrep: https://updates.signal.org http://updates.signal.org
-Remap-syncthingrep: https://apt.syncthing.net http://apt.syncthing.net
-Remap-whonixdebrep: https://deb.whonix.org http://deb.whonix.org
+Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
+Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security

 # Virtual page accessible in a web browser to see statistics and status
 # information, i.e. under http://localhost:3142/acng-report.html
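Review bot: The `-` side repeats `Remap-alxrep` and `Remap-fedora` verbatim, and removing those two duplicate lines is the only cleanup this hunk calls for. The `+` side introduces no Remap name that the `-` side lacks; it reorders the list, drops `Remap-klxrep` and the whole "Qusal external repositories" block, comments out `Remap-sfnet`, and reduces `Remap-secdeb` to two hosts, so adopting it as-is would remove remaps. The `+` lines for `Remap-alxrep` and `Remap-debrep` also end in trailing whitespace.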
@@ -110,17 +83,17 @@
 ReportPage: acng-report.html

 # Socket file for accessing through local UNIX socket instead of TCP/IP. Can be
-# used with inetd (via bridge tool in.acng from apt-cacher-ng package), is also
-# used internally for administrative purposes.
+# used with inetd (via bridge tool in.acng from apt-cacher-ng package).
 #
-# Default: /run/apt-cacher-ng/socket
+# Default: not set, UNIX socket bridge is disabled.
 #
-# SocketPath: /var/run/apt-cacher-ng/socket
+# SocketPath:/var/run/apt-cacher-ng/socket

 # If set to 1, makes log files be written to disk on every new line. Default
 # is 0, buffers are flushed after the client disconnects. Technically,
 # it's a convenience alias for the Debug option, see below for details.
 #
+# UnbufferLogs: 0
 UnbufferLogs: 1

 # Enables extended client information in log entries. When set to 0, only
@@ -155,18 +128,6 @@
 #
 ExThreshold: 4

-# If set to true, the removal (i.e. response status 404) of remote
-# volatile/index files is considered a hint to consider the local cached
-# versions irrelevant and also expire them just like package files. This adds
-# some risk of removing too much cache contents in cases where a middlebox
-# reports bogus 404 codes.
-#
-# If false (0), a less sloppy algorithm is used to invalidate certain keyfiles
-# first, which might subsequently expire the cache contents but much later or
-# maybe never unless the administrator intervenes.
-#
-FollowIndexFileRemoval: 1
-
 # If the expiration is run daily, it sometimes does not make much sense to do
 # it because the expected changes (i.e. removal of expired files) don't justify
 # the extra processing time or additional downloads for expiration operation
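Review bot: `FollowIndexFileRemoval: 1` is the one behavioural line in this hunk, and it is enabled only on the `-` side while its own description warns of "some risk of removing too much cache contents" when a middlebox returns bogus 404 codes. A short comment next to the setting saying why sys-cacher turns it on would let a reader tell a deliberate choice from a leftover.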
@@ -231,32 +192,21 @@
 # is refused when this value is reached (below zero = unlimited).
 # MaxConThreads: -1
 #
-# Timeout for a forced disconnect in cases where a client connection is about
-# to be closed but remote refuses to confirm the disconnect request. Setting
-# this to a lower value mitigates the effects of resource starvation in case of
-# a DOS attack but increases the risk of failing to flush the remaining portion
-# of data.
-# DisconnectTimeout: 15
-
-# By default, if a remote suddenly reconnects, ACNG tries at least two times to
-# redownload from the same or different location (if known).
-# DlMaxRetries: 2
-
 # Pigeonholing files (like static vs. volatile contents) is done by (extended)
 # regular expressions.
 #
 # The following patterns are available for the purposes detailed, where
 # the latter takes precedence over the former:
-# - <PFilePattern> for static data that doesn't change silently on the server.
-# - <VFilePattern> for volatile data that may change like every hour. Files
+# - «PFilePattern» for static data that doesn't change silently on the server.
+# - «VFilePattern» for volatile data that may change like every hour. Files
 #   that match both PFilePattern and VfilePattern will be treated as volatile.
 # - Static data with file names that match VFilePattern may be overriden being
 #   treated as volatile by making it match the special static data pattern,
-#   <SPfilePattern>.
-# - <SVfilePattern> or the "special volatile data" pattern is for the
+#   «SPfilePattern».
+# - «SVfilePattern» or the "special volatile data" pattern is for the
 #   convenience of specifying any exceptions to matches with SPfilePattern,
 #   for cases where data must still be treated as volatile.
-# - <WfilePattern> specifies a "whitelist pattern" for the regular expiration
+# - «WfilePattern» specifies a "whitelist pattern" for the regular expiration
 #   job, telling it to keep the files even if they are not referenced by
 #   others, like crypto signatures with which clients begin their downloads.
 #
@@ -269,8 +219,9 @@
 #
 # To see examples of the expected syntax, run: apt-cacher-ng -p debug=1
 #
-PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f[0-9]+&arch=x86_64
-VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*pkg.tar.zst.sig
+PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f37&arch=x86_64|.*f38&arch=x86_64|.*f39&arch=x86_64
+# VfilePatternEx:
+VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*pkg.tar.zst.sig|.*archlinux.*sha256sums.txt|.*archlinux/iso.*tar.gz.sig
 # SPfilePatternEx:
 # SVfilePatternEx:
 # WfilePatternEx:
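Review bot: In `PfilePatternEx` the `+` side enumerates `.*f37&arch=x86_64|.*f38&arch=x86_64|.*f39&arch=x86_64`, which has to be edited for every new release, while the `-` side's `.*f[0-9]+&arch=x86_64` already matches all three. The only additions are the two alternatives at the end of the `+` `VfilePatternEx`, `.*archlinux.*sha256sums.txt` and `.*archlinux/iso.*tar.gz.sig`. On both sides the dots in `yaml.gz`, `xml.zck`, `pkg.tar.zst.sig` and `sha256sums.txt` are unescaped and match any character; writing them as `\.` would make the patterns match only the intended file names.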
@@ -326,13 +277,7 @@

 # Network timeout for outgoing connections, in seconds.
 #
-# NetworkTimeout: 40
-
-# Fast fallback timeout, in seconds. This is the time to wait before
-# alternative target addresses for a client connection are tried, which can be
-# usefull for quick fallback to IPv4 in case of whacky IPv6 configuration.
-#
-# FastTimeout = 4
+# NetworkTimeout: 60

 # Sometimes it makes sense to not store the data in cache and just return the
 # package data to client while it comes in. The following DontCache* parameters
@@ -358,7 +303,9 @@
 # details.
 #
 # Example:
-DontCache: .*fedora.*updates.*updateinfo.xml.zck .*fedora.*updates.*repomd.xml
+# DontCache: .*.local.university.int
+DontCache: .*fedora.*updates.*updateinfo.xml.zck  .*fedora.*updates.*repomd.xml
+#DontCache: .*fedora.*updates.*updateinfo.xml.zck

 # Default permission set of freshly created files and directories, as octal
 # numbers (see chmod(1) for details).
@@ -443,6 +390,7 @@
 # This restriction can be disabled by specifying a list of allowed ports or 0
 # for any port.
 #
+# AllowUserPorts: 80 443
 AllowUserPorts: 80 443

 # Normally the HTTP redirection responses are forwarded to the original caller
@@ -460,15 +408,12 @@

 # There some broken HTTP servers and proxy servers in the wild which don't
 # support the If-Range header correctly and return incorrect data when the
-# contents of a (volatile) file changed. This also applies to incomplete
-# resumed downloads.  Setting VfileUseRangeOps to 0 disables Range-based
-# requests (using purely If-Modified-Since and requesting the complete file
-# instead, if changed). Setting it to a negative value removes even this check
-# and means fetching the whole file from the beginning.
+# contents of a (volatile) file changed. Setting VfileUseRangeOps to zero
+# disables Range-based requests while retrieving volatile files, using
+# If-Modified-Since and requesting the complete file instead. Setting it to
+# a negative value removes even If-Modified-Since headers.
 #
 # VfileUseRangeOps: 1
-#
-# Syncthing server: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053833
 VfileUseRangeOps: 0

 # Allow data pass-through mode for certain hosts when requested by the client
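Review bot: The removed `# Syncthing server: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053833` line is the only place that says why `VfileUseRangeOps: 0` overrides the commented `# VfileUseRangeOps: 1`. Both sides keep the override, so the reference should stay with it; without it the `0` reads as an unexplained deviation.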
@@ -481,17 +426,20 @@
 #
 # Default: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
 # PassThroughPattern: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
+#PassThroughPattern: ^codecs\.fedoraproject\.org:443$|mirrors.rpmfusion.org:443
 PassThroughPattern: ^codecs\.fedoraproject\.org:443$

-# Interval an overaged local cache item (i.e. active file descriptor) can be
-# considered broken so that a new forced download can be started. Such
-# situation can happen when a very slow clients keeps a hot cache item active
-# for extended amounts of time so that even the remote freshness checks
-# intervals might become overrun.
-#
-# Default time is based on the value of FreshIndexMaxAge with a safety factor.
+# It's possible that an evil client requests a volatile file but does not
+# retrieve the response and keeps the connection effectively stuck over
+# many hours, blocking the particular file for other download attempts (which
+# leads to not reporting file changes on server side to other users). The work
+# around is the use of alternative file descriptors inside of apt-cacher-ng,
+# however this might cost some extra download traffic due to worse cache usage.
+# The ResponseFreezeDetectTime value specifies when a file descriptor in the
+# mentioned state is to be considered defect and will require special handling.
+# Default time is 500 seconds.
 #
-# ResponseFreezeDetectTime: 60
+# ResponseFreezeDetectTime: 500

 # Keep outgoing connections alive and reuse them for later downloads from
 # the same server as long as possible.
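Review bot: The commented `+` line `#PassThroughPattern: ^codecs\.fedoraproject\.org:443$|mirrors.rpmfusion.org:443` has a second alternative with no `^`/`$` anchors and unescaped dots, so if it were ever uncommented it would allow pass-through to any host:port string that merely contains something resembling `mirrors.rpmfusion.org:443`. If that host is needed, follow the shape of the default shown above it: `^(codecs\.fedoraproject\.org|mirrors\.rpmfusion\.org):443$`. The active `PassThroughPattern` line is identical on both sides.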
@@ -598,10 +546,3 @@
 # Set to zero to disable this feature completely. Default: one megabyte
 #
 # ReserveSpace: 1048576
-
-# PermitCacheControl will allow users to specify a few hints for processing
-# of a request, for example bypassing the local cache (see
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control for
-# no-cache, no-store).
-#
-# PermitCacheControl: no-cache, no-store

Proposed solution

Keep track of upstream changes, and also do PR there so that the outcome (sys-cacher) works on QubesOS properly.

Upstream attempted to move this forward:

Discussions on sys-cacher are happening on QOS forum https://forum.qubes-os.org/t/apt-cacher-ng-and-fedora-cannot-prepare-internal-mirrorlist-status-code-403/22852 and elsewhere.

The value to a user, and who that user might be

Default template by default (next next next) on Q4.2.1 is still Fedora, and Fedora doesn't work out of the box.

tlaurion commented 2 months ago

Note that I have not tested upstream. I chose qusal personally, since qubes-builder was there and I needed that. Plus so many other improvements over shaker for my use cases.

But for things to evolve in the right direction, PR should be opened both ways to improve the solution for all.

ben-grande commented 2 months ago

The comment differences are due to my acng.conf version having been updated to the Debian 12 acng.conf, except for the removal of Unicode, which I did manually.

A cleaner diff can be obtained by removing comments and empty lines.

[user@dev ~/src/authored/qusal/salt/sys-cacher(main)]
% grep -vE "^(\s*(#|$))" files/server/conf/acng.conf >/tmp/q-acng.conf
[user@dev ~/src/authored/qusal/salt/sys-cacher(main)]
% grep -vE "^(\s*(#|$))" ~/src/pub/shaker/cacher/acng.conf >/tmp/s-acng.conf
[user@dev ~/src/authored/qusal/salt/sys-cacher(main)]
% diff /tmp/q-acng.conf /tmp/s-acng.conf
5,6c5,8
< Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
< Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
---
> Remap-alxrep: file:archlx_mirrors /archlinux
> Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian
> Remap-fedora: file:fedora_mirrors # Fedora Linux
> Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
8d9
< Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian
10,15d10
< Remap-fedora: file:fedora_mirrors # Fedora Linux
< Remap-fedora: file:fedora_mirrors # Fedora Linux
< Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
< Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
< Remap-secdeb: security.debian.org security.debian.org/debian-security deb.debian.org/debian-security /debian-security cdn-fastly.deb.debian.org/debian-security ; deb.debian.org/debian-security security.debian.org cdn-fastly.deb.debian.org/debian-security
< Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
17,28c12,13
< Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
< Remap-dockerrep: https://download.docker.com http://download.docker.com
< Remap-googlerep: https://dl.google.com http://dl.google.com
< Remap-hashicorprep: https://apt.releases.hashicorp.com http://apt.releases.hashicorp.com
< Remap-kicksecuredebrep: https://deb.kicksecure.com http://deb.kicksecure.com
< Remap-launchpadrep: https://ppa.launchpad.net http://ppa.launchpad.net
< Remap-opentofurep: https://packages.opentofu.org http://packages.opentofu.org
< Remap-qubesdebrep: https://deb.qubes-os.org http://deb.qubes-os.org
< Remap-qubesyumrep: https://yum.qubes-os.org http://yum.qubes-os.org
< Remap-signalrep: https://updates.signal.org http://updates.signal.org
< Remap-syncthingrep: https://apt.syncthing.net http://apt.syncthing.net
< Remap-whonixdebrep: https://deb.whonix.org http://deb.whonix.org
---
> Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
> Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security
32,35c17,19
< FollowIndexFileRemoval: 1
< PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f[0-9]+&arch=x86_64
< VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*pkg.tar.zst.sig
< DontCache: .*fedora.*updates.*updateinfo.xml.zck .*fedora.*updates.*repomd.xml
---
> PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f37&arch=x86_64|.*f38&arch=x86_64|.*f39&arch=x86_64
> VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*pkg.tar.zst.sig|.*archlinux.*sha256sums.txt|.*archlinux/iso.*tar.gz.sig
> DontCache: .*fedora.*updates.*updateinfo.xml.zck  .*fedora.*updates.*repomd.xml

If you compare the mirrors themselves, there are some differences.

[user@dev ~/src/authored/qusal/salt/sys-cacher/files/server(main)]
% diff mirrors/fedora_mirrors ~/src/pub/shaker/cacher/fedora_mirrors
1,8d0
< # SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
< #
< # SPDX-License-Identifier: AGPL-3.0-or-later
< #
< # Information gathered from https://admin.fedoraproject.org/mirrormanager/
< # Link from /etc/yum.repos.d/fedora.repo:
< #   https://mirrors.fedoraproject.org/metalink?repo=fedora-source-f$releasever&arch=$basearch
<
15d6
< http://dl.fedoraproject.org
17a9
> http://download-ib01.fedoraproject.org/pub/fedora/linux/
18a11
> http://fedora-archive.ip-connect.info/fedora/linux/
19a13
> http://fedora-mirror02.rbc.ru/pub/fedora/linux/
22a17
> http://fedora.ip-connect.vn.ua/linux/
28d22
< http://fedora.mirror.garr.it
30c24
< http://fedora.mirror.liteserver.nl
---
> http://fedora.mirror.liteserver.nl/
36d29
< http://fedora.mirrorservice.org/fedora/linux/
37a31
> http://forksystems.mm.fcix.net/fedora/linux/
40c34,36
< http://ftp-nyc.osuosl.org
---
> http://ftp-chi.osuosl.org/pub/fedora/linux
> http://ftp-chi.osuosl.org/pub/fedora/linux/
> http://ftp-stud.hs-esslingen.de/pub/Mirrors/archive.fedoraproject.org/fedora/linux/
56c52
< http://ftp.linux.org.tr/fedora/updates
---
> http://ftp.linux.org.tr
61c57
< http://ftp.otenet.gr/linux/
---
> http://ftp.otenet.gr/linux/fedora/linux/
91a88
> http://mirror.dst.ca/fedora-linux/fedora/linux/
95a93
> http://mirror.fcix.net/fedora/linux/
97a96
> http://mirror.ihost.md/fedora/
101c100
< http://mirror.it4i.cz/fedora/linux/
---
> http://mirror.it4i.cz
106a106,108
> http://mirror.linux-ia64.org/fedora/fedora/linux/
> http://mirror.linux-ia64.org/fedora/linux/
> http://mirror.math.princeton.edu/pub/fedora/linux/
110a113
> http://mirror.netzwerge.de/fedora/linux/
122a126,127
> http://mirror.serverion.com/fedora/linux
> http://mirror.serverion.com/fedora/linux
123a129
> http://mirror.siena.edu/fedora/linux/
127a134
> http://mirror.stjschools.org/fedora/linux/
133a141
> http://mirror.usi.edu/pub/fedora/linux/
140a149
> http://mirror.xenyth.net/fedora/linux/
145c154,155
< http://mirrors.dotsrc.org/fedora-enchilada/linux/
---
> http://mirrors.dotsrc.org/fedora/linux
> http://mirrors.dotsrc.org/fedora/linux
147a158,159
> http://mirrors.fedoraproject.org/fedora/linux
> http://mirrors.fedoraproject.org/fedora/linux
155a168,169
> http://mirrors.rit.edu/fedora/fedora/linux
> http://mirrors.rit.edu/fedora/fedora/linux/
159c173,175
< http://mirrors.xtom.de
---
> http://mirrors.xtom.de/fedora/
> http://mirrors.xtom.ee/fedora/linux
> http://mirrors.xtom.ee/fedora/linux
160a177,180
> http://nnenix.mm.fcix.net/fedora/linux
> http://nnenix.mm.fcix.net/fedora/linux
> http://nocix.mm.fcix.net/fedora/linux/
> http://opencolo.mm.fcix.net/fedora/linux/
162d181
< http://packages.oit.ncsu.edu
165a185
> http://southfront.mm.fcix.net/fedora/linux/
166a187,189
> http://uvermont.mm.fcix.net/fedora/linux
> http://uvermont.mm.fcix.net/fedora/linux
> http://veronanetworks.mm.fcix.net/fedora/linux/
167a191
> http://volico.mm.fcix.net/fedora/linux
170a195
> http://ziply.mm.fcix.net/fedora/linux/

In any case, even updating the mirror list is no guarantee of solving the issues. Fedora mirrors are not always in sync and this is the cause of problems. Sometimes they work, sometimes they don't.

I will see what I can do.
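
The comment-stripping comparison from the comment above can be taken one step further so that reordering, spacing and repeated lines no longer show up as differences. This is an added example, not part of the thread and not code from qusal or shaker; the function names and the two sample files are constructed, and it assumes that whitespace followed by `#` starts an inline comment, as the `Remap-*` lines use it.

```sh
#!/bin/sh
# Added example: order-insensitive comparison of the active directives in two
# apt-cacher-ng configuration files.
export LC_ALL=C   # sort and comm must agree on collation

# Print the active directives of file $1, one per line, normalised.
# Assumption: whitespace followed by "#" starts an inline comment.
active_directives() {
  sed -E -e 's/[[:space:]]+#.*$//' \
         -e '/^[[:space:]]*(#|$)/d' \
         -e 's/[[:space:]]+/ /g' -e 's/^ //' -e 's/ $//' "$1"
}

# Directives that appear more than once in file $1.
duplicate_directives() {
  active_directives "$1" | sort | uniq -d
}

# Directives present in file $1 but absent from file $2, ignoring order,
# comments, spacing and repeats.
only_in_first() {
  left=$(mktemp) && right=$(mktemp) || return 1
  active_directives "$1" | sort -u >"$left"
  active_directives "$2" | sort -u >"$right"
  comm -23 "$left" "$right"
  rm -f "$left" "$right"
}

# Constructed sample input: a few lines from each side of the diff in the issue.
write_samples() {
  cat >"$1/qusal.conf" <<'EOF'
# Storage directory
CacheDir: /var/cache/apt-cacher-ng

Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
Remap-fedora: file:fedora_mirrors # Fedora Linux
Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
UnbufferLogs: 1
FollowIndexFileRemoval: 1
PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f[0-9]+&arch=x86_64
EOF
  cat >"$1/shaker.conf" <<'EOF'
CacheDir: /var/cache/apt-cacher-ng
Remap-fedora: file:fedora_mirrors # Fedora Linux
Remap-alxrep: file:archlx_mirrors /archlinux
# UnbufferLogs: 0
UnbufferLogs: 1
PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f37&arch=x86_64|.*f38&arch=x86_64|.*f39&arch=x86_64
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
echo "== repeated in qusal.conf"
duplicate_directives "$demo/qusal.conf"
echo "== only in qusal.conf"
only_in_first "$demo/qusal.conf" "$demo/shaker.conf"
echo "== only in shaker.conf"
only_in_first "$demo/shaker.conf" "$demo/qusal.conf"
rm -rf "$demo"
```

On the sample input the reordered `Remap-alxrep` and `Remap-fedora` lines drop out of the comparison, leaving only the directives whose values differ or that exist on one side.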

ben-grande commented 2 months ago

The zchunk errors are difficult to reproduce. I tested with Shaker's fedora_mirrors and Qusal's fedora_mirrors and both failed. I tested setting zchunk=False in dnf.conf, but that works randomly. I will update the Fedora mirrors because it seems a good idea, but it does not guarantee that Fedora works well with apt-cacher-ng.