[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...



On 25 July 2008, Matt Domsch wrote:
> On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
> > On 25 July 2008, Matt Domsch wrote:
> > > 
> > > Yes, this is a known challenge with subnet delegation in
> > > MirrorManager.  We're trusting package signing (and soon, repodata
> > > signing) to prevent rogue mirrors from issuing unsigned data.  In
> > > addition, I'm working on adding in a way to prevent stale mirrors
> > > (with signed content) from being used.
> > > 
> > 
> > How does one get this subnet delegation though?  Can I request any subnet I
> > want, or do we do some sort of verification?
> 
> At present there is no verification (I'm not at all sure how one
> _could_ verify except by ARIN & co  delegation).  However there are
> limits as to how large a block can be requested.  Nothing larger than
> a IPv4 /16 can be automatically requested.  Fedora Infrastructure
> admins can add larger blocks, and request ARIN & co data when doing so.
> 

That's a lot of IPs though.  Can I request multiple /16s, or only one?

How many mirrors are doing this?  Does the mirror have to be part of the
/16 to request it?

Thanks for the patience here.  I'm trying to understand the risk we're
dealing with.

Thanks.

-- 
    JB


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]