Installed latest Termux yesterday, in Texas USA. Ran initial update, and in that it changed sources.list to the Russian repo…
I completely removed and reinstalled, checked repo before update, did update again, and it changed.
So a third time when doing the updates, I elected not to replace sources.list and all has remained ok since.
Not a political statement, both our countries have their fair share of neer-do-wells , although considering current global tensions, that comes across at the very least concerning.
I could only see this being normal behavior, if it somehow geolocated me and provided it as a proposed local mirror. Being it was on ATT’s data network in Texas, this seems unlikely.
Does anyone know why this is happening, can confirm, and or look into?
I had not addressed it directly with Devs yet. As for the change repo, I am aware of this, the issue is that I am not choosing to change the repo. When initially installed the list reads packages.termux.dev, after update and upgrade it changes to the .RU. As I work in an industry where we have to be very careful about using open source software to begin with (Which is stupid IMO), this is bound to raise an eyebrow. This is personal, not work, but my spidey senses tingle a bit when I can consistently make this happen. So I wanted to know if others were experiencing similar behavior.
If it bothers you, you could run termux over orbot VPN/proxy. I see that mirror in update “testing” sometimes, but it is not usually the chosen one. Maybe because of your location and internet service you have a fast connection to that mirror.
Looks legit’, if possibly radioactive. Cough.
Welcome to the National Research Nuclear University “MEPhI” mirror!
Its not the connection that bothers me as the potential for abuse on the repo end. The high contrast theme is for vision issues, not matrix homage We all know (hopefully) all open source repos are only as trustworthy as the combined over site of a collection of developers. But as has been proven MANY times if that that is not enough. It is partly why agencies that interact with the government have strict rules rooted in laws on that. As funny as that is considering so much of the world, runs at its core, some Linux/BSD core. From a behavioral stand, the fact it consistently changes is concerning at least. And the fact that from an analytical stand such as latency, route, etc. It makes no sense this would be the preferred repo.
I tested latency and route from the same location, and these repos are not preferred because of any protocol mechanics for sure. Likewise I used a different provider, with identical results.
So that lead me to test some things. I blocked the URL at my firewall, and after updating got one in china! Blocked that one, and got on in India… Each time the sources.list was updated to contain the single new entry. So it would seem that there is a process by which it determines “Use this” and sets it as that hence forth. Why it has a preference for Russia and Asia is still a strange mystery.
I tried it on a completely newly flashed device, same results, so I cannot suspect it is something already on the device producing this preference.
That device is currently in an isolation lab to see if anything unexpected happens as a result. I can live without termux, it is just an real convenience sometimes if I want to funnel all my traffic from phone out of my home internet, and or connect into other networks, run qemu, nmap, etc…
We all know (hopefully) all open source repos are only as trustworthy as the combined over site of a collection of developers. But as has been proven MANY times if that that is not enough. It is partly why agencies that interact with the government have strict rules rooted in laws on that. As funny as that is considering so much of the world, runs at its core, some Linux/BSD core. From a behavioral stand, the fact it consistently changes is concerning at least. And the fact that from an analytical stand such as latency, route, etc. It makes no sense this would be the preferred repo.