YUM security issues...
Matt Domsch
Matt_Domsch at dell.com
Fri Jul 25 17:44:03 UTC 2008
On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
> On 25 July 2008, Matt Domsch wrote:
> >
> > Yes, this is a known challenge with subnet delegation in
> > MirrorManager. We're trusting package signing (and soon, repodata
> > signing) to prevent rogue mirrors from issuing unsigned data. In
> > addition, I'm working on adding in a way to prevent stale mirrors
> > (with signed content) from being used.
> >
>
> How does one get this subnet delegation though? Can I request any subnet I
> want, or do we do some sort of verification?
At present there is no verification (I'm not at all sure how one
_could_ verify except by ARIN & co delegation). However there are
limits as to how large a block can be requested. Nothing larger than
a IPv4 /16 can be automatically requested. Fedora Infrastructure
admins can add larger blocks, and request ARIN & co data when doing so.
> What happens if the client decided its mirror is bad, I presume it will go
> off and find a better one, even with delegation?
Yes, the mirrorlist returned includes quite a few mirrors, in priority order.
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
More information about the infrastructure
mailing list