Consider documenting / allowing packagers to access the password protected tier 0 mirror
Our tier 0 mirror (repos.archlinux.org) can be accessed by a "well known" password which we obviously can't easily share or document. If we want to keep this option for packagers we should find a way to easily allow packagers to add our tier 0 mirror to their pacman.conf for rebuilds / testing with http basic auth:
archweb integration
Archweb could provide a random 32 char string for every user which together with their account name would be the mirror url as:
[core]
Server = https://$username:$token@repos.archlinux.org/core/os/x86_64
In nginx we can use the ngx_http_auth module to redirect an auth request to archweb which verifies if the provided username and token.
This allows us to:
- not share a hardcoded password, making it easier for others to use
- roll out and change passwords dynamically
- disallowing offboarded staffers