Public Repo.
A free, synchronized HTTP/S mirror for the open-source archives you actually run on your machines.
Mission.
Public Repo exists to keep the free-software supply chain fast, private, and accessible to everyone — no signup, no tracking, no paywall. We mirror the projects people actually depend on, sync them continuously, and serve them over modern transports so that updating a Linux system never has to mean handing your download history to a third party.
The mirror is operated as a public good: hardware, bandwidth, and time are donated, the configuration is boring on purpose, and the privacy guarantees are structural rather than promised. Everything on this page — including the upstream sources, the sync method, and the operational stack — is documented so anyone can reproduce, audit, or take over the setup if they need to.
Privacy.
We do not log individual download requests. No access data is stored, sold, or shared with third parties.
- No access logging — download requests are never written to disk.
- Encrypted storage — all data at rest is protected with ZFS native encryption.
- No shell history — operator sessions leave no command history on the server.
- Headless server — eliminating physical access vectors.
- HTTPS available — the mirror is reachable over both HTTPS and plain HTTP. HTTPS is recommended where supported.
- No analytics or trackers — this site is static HTML and sets no cookies.
Quick start.
Pick your distribution. Replace the matching Server or deb line in your package manager. Refresh.
Arch Linuxpacman
Add to the top of /etc/pacman.d/mirrorlist
Server = https://public-repo.com/archlinux/$repo/os/$arch
Then refresh
sudo pacman -Syyu
Arch Linux ARMpacman
Add to the top of /etc/pacman.d/mirrorlist
Server = https://public-repo.com/archlinuxarm/$arch/$repo
Arch Linux 32pacman
Add to the top of /etc/pacman.d/mirrorlist
Server = https://public-repo.com/archlinux32/$arch/$repo
Ubuntuapt
Edit /etc/apt/sources.list (replace noble with your release codename)
deb https://public-repo.com/ubuntu/ noble main restricted universe multiverse deb https://public-repo.com/ubuntu/ noble-updates main restricted universe multiverse deb https://public-repo.com/ubuntu/ noble-security main restricted universe multiverse
ARM and other non-x86 use ubuntu-ports/
deb https://public-repo.com/ubuntu-ports/ noble main restricted universe multiverse
ISOs browse ubuntu-cd/ · EOL releases at ubuntu-archive/
Debianapt
Edit /etc/apt/sources.list (replace bookworm with your release codename)
deb https://public-repo.com/debian/ bookworm main contrib non-free non-free-firmware deb https://public-repo.com/debian/ bookworm-updates main contrib non-free non-free-firmware deb https://public-repo.com/debian-security/ bookworm-security main contrib non-free non-free-firmware
ISOs browse debian-cd/ · historical releases at debian-archive/
Linux Mintapt
Edit /etc/apt/sources.list.d/official-package-repositories.list (replace virginia with your release codename)
deb https://public-repo.com/linuxmint-packages/ virginia main upstream import backport
ISOs browse linuxmint-cd/
Gentooportage
For distfile downloads edit /etc/portage/make.conf
GENTOO_MIRRORS="https://public-repo.com/gentoo"
To sync the Portage tree via HTTP snapshot edit /etc/portage/repos.conf/gentoo.conf
[gentoo]
location = /var/db/repos/gentoo
sync-type = webrsync
auto-sync = yes
Then run emerge-webrsync for the initial sync; subsequent syncs via emerge --sync.
EndeavourOSpacman
Add to the top of /etc/pacman.d/endeavouros-mirrorlist
Server = https://public-repo.com/endeavouros/$repo/$arch
Raspberry Pi (Raspbian)apt
Edit /etc/apt/sources.list (replace bookworm with your release codename)
deb https://public-repo.com/raspbian/ bookworm main contrib non-free rpi
Kali Linuxapt
Edit /etc/apt/sources.list
deb https://public-repo.com/kali/ kali-rolling main contrib non-free non-free-firmware
ISO & weekly live images browse kali-images/
Tailslive
Tails is a live OS — there is no package manager to repoint.
Download the ISO or USB image from tails/stable/ and verify it against the upstream signature before booting. The full tree (stable, alpha, project) is browseable at tails/.
CachyOSpacman
Add to the top of /etc/pacman.d/cachyos-mirrorlist
Server = https://public-repo.com/cachyos/$repo/$arch
Chaotic-AURpacman
After Chaotic-AUR setup add this mirror to /etc/pacman.d/chaotic-mirrorlist
Server = https://public-repo.com/aur.chaotic.cx/$repo/$arch
F-Droidfdroid
In the F-Droid app Settings → Repositories → Add:
https://public-repo.com/fdroid-repo/
For the full archive (older versions) add:
https://public-repo.com/fdroid-archive/
LineageOSOTA
OTA zip images browse lineageos/ — navigate to your device codename and select the build you want to flash.
Alpine Linuxapk
Replace the contents of /etc/apk/repositories (replace v3.20 with your release)
https://public-repo.com/alpine/v3.20/main https://public-repo.com/alpine/v3.20/community
Then run apk update.
Chimera Linuxapk
Edit /etc/apk/repositories.d/00-repo-main.list (and any other enabled repo lists)
https://public-repo.com/chimera/current/main
Then run apk update.
FreeBSDpkg
Create /usr/local/etc/pkg/repos/public-repo.conf
FreeBSD: { enabled: no }
public-repo: {
url: "https://public-repo.com/freebsd/ports/${ABI}/latest",
enabled: yes
}
Release ISOs and source snapshots browse freebsd/.
Mirrored projects.
Everything is synchronized across all architectures and archives. One mirror, eighteen projects.
How to use.
The Quick Start above is interactive. Each command is also reproduced below so it survives copy-paste and Reader Mode.
You can browse each project directly — directory listings are enabled. Same commands as the picker; one per distro.
Sync schedule.
A continuous loop. ~100 seconds of sleep between full passes — freshness is bounded by one pass plus that.
Sync is performed with rsync using -avhW, atomic --delay-updates --delete-delay, --safe-links, and an exclude list for upstream HTML, robots.txt and favicons so this page is never overwritten.
Upstream rsync sources
| Project | Upstream |
|---|---|
| Debian | rsync://ftp.de.debian.org/debian/ |
| Debian CD | rsync://cdimage.debian.org/debian-cd/ |
| Debian Security | rsync://ftp.de.debian.org/debian-security/ |
| Debian archive | rsync://rsync.archive.debian.org/debian-archive/ |
| Ubuntu | rsync://rsync.archive.ubuntu.com/ubuntu/ |
| Ubuntu CD | rsync://releases.ubuntu.com/releases/ |
| Ubuntu Ports | rsync://ports.ubuntu.com/ubuntu-ports/ |
| Ubuntu archive | rsync://old-releases.ubuntu.com/old-releases/ |
| Linux Mint CD | pub.linuxmint.com::pub |
| Linux Mint packages | rsync-packages.linuxmint.com::packages |
| Raspbian | rsync://archive.raspbian.org/archive/raspbian/ |
| Kali Linux | rsync://mirrors.dotsrc.org/kali/ |
| Kali images | rsync://mirror.netcologne.de/kali-images/ |
| Tails | rsync://mirrors.dotsrc.org/tails/ |
| Arch Linux | rsync://mirrors.dotsrc.org/archlinux/ |
| Arch Linux 32 | rsync://mirror.archlinux32.org/archlinux32/ |
| Arch Linux ARM | rsync://mirrors.dotsrc.org/archlinuxarm/ |
| Chaotic-AUR | rsync://mirror.accum.se/mirror/aur.chaotic.cx/ |
| CachyOS | rsync://cachyos.doridian.net/cachyos/ |
| EndeavourOS | alpix.eu.rsync.endeavouros.com::endeavouros/ |
| Gentoo Portage | rsync://rsync.gentoo.org/gentoo-portage/ |
| Gentoo distfiles | rsync://rsync.gentoo.org/gentoo/ |
| Alpine Linux | rsync://rsync.alpinelinux.org/alpine/ |
| Chimera Linux | rsync://repo.chimera-linux.org/chimera/ |
| FreeBSD | rsync://ftp.no.freebsd.org/FreeBSD/ |
| F-Droid repo | mirror.f-droid.org::fdroid/repo/ |
| F-Droid archive | mirror.f-droid.org::fdroid/archive/ |
| LineageOS | rsync://mirror.accum.se/mirror/lineageos/ |
How fresh is it?
Most projects publish their own freshness file. For example: archlinux/lastsync (Unix timestamp) and archlinux/lastupdate, debian/project/trace/, ubuntu/project/trace/.
Verifying downloads.
This is a mirror — bytes only. Trust does not come from us; it comes from each project's own signing infrastructure.
Arch & derivatives
pacman verifies package signatures by default. Keep the keyring current:
# refresh keyring
sudo pacman -Sy archlinux-keyring
sudo pacman-key --refresh-keys
Debian family
apt verifies Release.gpg / InRelease against keys in debian-archive-keyring / ubuntu-keyring. Never use --allow-unauthenticated to work around a verification failure — it almost certainly means the mirror is mid-sync.
ISO images
Each project publishes SHA256SUMS and a detached signature next to the ISOs. Verify both:
gpg --verify SHA256SUMS.gpg SHA256SUMS sha256sum -c SHA256SUMS --ignore-missing
F-Droid
The F-Droid app pins each repository's index signing key on first add. All future updates are verified against that key automatically.
What you get.
Privacy guarantees
- Access loggingdisabled
- Data at restZFS encrypted
- Shell historynone kept
- Cookies / analyticsnever
- Remote consolenot exposed
Transport features
- ProtocolsHTTP + HTTPS
- VersionsH/2 · H/3 (QUIC)
- StacksIPv4 + IPv6
- Directory indexenabled
- HTTP methodsGET only
- Hardeningnosniff · DENY
Access policy
- Sign-upnone
- API keynone
- Rate-tier upsellnever
- Cost$0
- Open toanyone
Infrastructure.
| Operating system | FreeBSD |
| Web server | nginx · HTTP/2 + HTTP/3 (QUIC) |
| Sync tool | rsync, looping in tmux, 100 s rest between passes |
| Filesystem | ZFS · native encryption, snapshots |
| Method allow-list | GET only · POST/PUT/DELETE denied at web tier |
| Hardening headers | X-Content-Type-Options: nosniff · X-Frame-Options: DENY |
| Operator session | no shell history retained |
Troubleshooting.
"File has unexpected size" or hash mismatch on apt / pacman
Almost always a sync caught mid-flight. Wait a couple of minutes and re-run apt update / pacman -Syy. If it persists, switch to a different mirror temporarily and report it — there may be a stuck rsync process on our side.
404 on a package that exists upstream
The upstream just published it; this mirror has not finished pulling that pass yet. Try again after the next sync cycle, or fall back to the project's own server.
GPG or keyring errors
Refresh your keyring package (archlinux-keyring, debian-archive-keyring, ubuntu-keyring, etc.). Mirrors don't sign anything; signing keys come from the project itself.
Slow downloads
Check whether your client is using HTTP/2 or HTTP/3 — both are enabled here and usually beat HTTP/1.1 for the many-small-file workloads typical of package managers. If a single connection is slow, geographic distance or your ISP's transit are the most likely causes.
HTTP works but HTTPS fails
Check your system clock. TLS validates certificate validity dates; if your clock is off by months, validation fails. Pair a working NTP source — e.g. public-utc.com — and try again. If name resolution itself is unreliable, point your system at public-rdns.com for DNSSEC-validating recursion.
"Server certificate verification failed" from apt
Your ca-certificates package is too old to chain to the issuing root. Update it (apt update && apt install --reinstall ca-certificates); on systems too stale to upgrade, install the root CA bundle manually.
FAQ.
Is this really free?
Yes. There is no charge, no sign-up, no API key. Donations via Bitcoin are appreciated but not required — see Contact.
Can I add this to a public mirrorlist?
For the projects where this mirror is officially listed (Arch Tier 2, others Tier 3), the project's own pool already includes it. Please don't hardcode public-repo.com in shipping consumer products without contacting us first — vendor-specific pools scale better.
Which protocols do you support?
Both HTTP and HTTPS are served on every endpoint. HTTPS is recommended — it prevents on-path tampering with package metadata (even though packages themselves are signed), and enables HTTP/2 and HTTP/3, which dramatically speed up the many-small-file pattern of apt update / pacman -Sy.
Do you mirror sources, installer ISOs and live media?
Yes — for the projects where the upstream rsync source includes them. See ubuntu-cd/, debian-cd/, linuxmint-cd/.
Do you log my IP?
No. Download requests are not written to disk.
Can I request another distribution?
Email and ask. Constraints are disk space and upstream bandwidth — small / medium projects with a public rsync endpoint are easy to add.
Do you offer rsync access?
Not publicly. The mirror exists to serve end users via HTTPS. If you operate another mirror and need rsync, contact us.
What's the SLA?
Best-effort. The service is operated as a public good, not a paid product. If high availability is critical, configure several mirrors and let your package manager pick a healthy one.
Acceptable use.
- Use a sane number of parallel connections. Package managers' defaults are fine.
- Don't scrape the entire tree just to make a private mirror — set up rsync against the upstreams instead, exactly as we do.
- Don't hardcode
public-repo.comin consumer-facing products without contacting us first. - Abusive sources may be rate-limited or blocked without notice.
Managed services.
Beyond the public mirror, we offer managed private caches and mirrors for organizations that need their own controlled copy of one or more upstream archives — air-gapped labs, regulated environments, CI fleets, ISPs, universities, and anyone who wants the same operational model we run here, on their own infrastructure or hosted by us.
Typical engagements include:
- Dedicated rsync/HTTPS mirrors of selected distributions, kept in sync on your schedule.
- Internal package caches for CI/CD and developer fleets, with bandwidth and freshness SLAs.
- Air-gapped / offline mirror bundles, delivered on a regular cadence.
- Hardened mirror appliances built on FreeBSD + ZFS + nginx, matching the stack described in Infrastructure.
- Bare-metal management — full lifecycle operation of customer-owned or colocated hardware: provisioning, OS hardening, monitoring, patching, capacity planning, and on-call response.
- Migration from existing mirror setups (apt-cacher-ng, Nexus, Artifactory, plain rsync) to a leaner, lower-overhead design.
For pricing and scoping, see Contact.
Sponsors.
Public Repo is operated as a public good and runs on volunteer time, donated bandwidth, and out-of-pocket hardware. Sponsorships keep it that way — no ads, no tracking, no paywalled tiers.
What sponsors get
- Logo and link on this page, in the section below, for the duration of the sponsorship.
- No influence over editorial or operational decisions — we don't accept sponsorships that come with conditions on what we mirror, who we serve, or what we log. (We log nothing. That doesn't change.)
If you need operational support, SLAs, or a dedicated mirror, that's a separate offering — see Managed services.
Any contribution helps — there are no fixed amounts and no tiers. Sponsorships can be invoiced (EUR, SEPA / SWIFT) or paid in BTC. To set one up, see Contact.
Current sponsors
No sponsors yet — this section will list them as they come on board. Reach out if you'd like to be the first.
Legal.
Trademarks
All distribution names, logos, and project marks referenced on this site — including but not limited to Arch Linux, Debian, Ubuntu, Kali Linux, Tails, LineageOS, Linux Mint, Gentoo, EndeavourOS, Raspberry Pi / Raspbian, CachyOS, Chaotic-AUR, Alpine Linux, Chimera Linux, FreeBSD, and F-Droid — are the property of their respective owners. Public Repo is an independent mirror operator and is not affiliated with, endorsed by, or sponsored by any of these projects unless explicitly stated.
Other names
The mirror also responds to the legacy hostname cdnmirror.com; it serves the same content from the same infrastructure as public-repo.com.
Content
Public Repo redistributes unmodified copies of files published by upstream projects. All redistributed content remains subject to the licenses and terms set by those upstream projects. We add nothing, remove nothing, and re-sign nothing — verification keys come from the projects themselves (see Verifying downloads).
Warranty disclaimer
This service is provided "as is" and "as available", without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, or uninterrupted availability. Use of this mirror is at your own risk.
Limitation of liability
To the maximum extent permitted by applicable law, the operators of Public Repo shall not be liable for any direct, indirect, incidental, consequential, or special damages arising from the use of, or inability to use, this service — including but not limited to data loss, downtime, or content that is out of date relative to upstream.
Abuse and takedowns
To report abusive use of this service or to submit a good-faith takedown request concerning specific mirrored content, get in touch via Contact with the URL(s) and the basis for the request. We will forward upstream-licensing concerns to the relevant upstream project, since we do not modify or curate their archives.
Privacy
We do not log individual download requests, set cookies, or run analytics. See Privacy for details.
Other projects.
Sibling services in the public-* family. All free, all unbranded, all run on the same principles.
Contact.
For questions, abuse reports, mirror requests, or operational issues —
| root@public-common.com | |
| Discord | Public Consortium |
| BTC | bc1qxfcfkvgyjs6pq6cdmv6syx5s6pc9dn3wsuewjq |