YUM security issues...
Josh Bressers
bressers at redhat.com
Fri Jul 25 17:52:26 UTC 2008
On 25 July 2008, Matt Domsch wrote:
> On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
> > On 25 July 2008, Matt Domsch wrote:
> > >
> > > Yes, this is a known challenge with subnet delegation in
> > > MirrorManager. We're trusting package signing (and soon, repodata
> > > signing) to prevent rogue mirrors from issuing unsigned data. In
> > > addition, I'm working on adding in a way to prevent stale mirrors
> > > (with signed content) from being used.
> > >
> >
> > How does one get this subnet delegation though? Can I request any subnet I
> > want, or do we do some sort of verification?
>
> At present there is no verification (I'm not at all sure how one
> _could_ verify except by ARIN & co delegation). However there are
> limits as to how large a block can be requested. Nothing larger than
> a IPv4 /16 can be automatically requested. Fedora Infrastructure
> admins can add larger blocks, and request ARIN & co data when doing so.
>
That's a lot of IPs though. Can I request multiple /16s, or only one?
How many mirrors are doing this? Does the mirror have to be part of the
/16 to request it?
Thanks for the patience here. I'm trying to understand the risk we're
dealing with.
Thanks.
--
JB
More information about the infrastructure
mailing list