[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...



On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
> On 25 July 2008, Matt Domsch wrote:
> > 
> > Yes, this is a known challenge with subnet delegation in
> > MirrorManager.  We're trusting package signing (and soon, repodata
> > signing) to prevent rogue mirrors from issuing unsigned data.  In
> > addition, I'm working on adding in a way to prevent stale mirrors
> > (with signed content) from being used.
> > 
> 
> How does one get this subnet delegation though?  Can I request any subnet I
> want, or do we do some sort of verification?

At present there is no verification (I'm not at all sure how one
_could_ verify except by ARIN & co  delegation).  However there are
limits as to how large a block can be requested.  Nothing larger than
a IPv4 /16 can be automatically requested.  Fedora Infrastructure
admins can add larger blocks, and request ARIN & co data when doing so.


> What happens if the client decided its mirror is bad, I presume it will go
> off and find a better one, even with delegation?

Yes, the mirrorlist returned includes quite a few mirrors, in priority order.

-- 
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]