[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...




On Fri, 25 Jul 2008, Matt Domsch wrote:

> On Fri, Jul 25, 2008 at 10:43:59AM -0500, Mike McGrath wrote:
> > On Fri, 25 Jul 2008, Jesse Keating wrote:
> >
> > > On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
> > > >
> > > > AFAIK, this service is still in place and working fine.  Though I am a
> > > > little confused about the question.  It sounds like you'd like to direct
> > > > all subnet traffic to a specific mirror.  But you're also saying you took
> > > > your mirror down.  Are you worried people in your subnet are being
> > > > directed to a down mirror?
> > >
> > > More like taking over a subnet and directing all clients at a rouge
> > > mirror.
> >
> > <nod> that makes more sense.  Domsch?
>
> Yes, this is a known challenge with subnet delegation in
> MirrorManager.  We're trusting package signing (and soon, repodata
> signing) to prevent rogue mirrors from issuing unsigned data.  In
> addition, I'm working on adding in a way to prevent stale mirrors
> (with signed content) from being used.
>

Perhaps it might also be a good idea to add a comment to the default
yum.conf for gpgcheck explaining what a bad idea it is to set to 0.  I
could imagine people setting it to 0 not understanding what
they're doing.  Especially if they're familiar with gpg's encryption bits,
but not its signing functionality.

	-Mike


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]