[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...

Hash: SHA1

Matt Domsch wrote:
> On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
>> On 25 July 2008, Matt Domsch wrote:
>>> Yes, this is a known challenge with subnet delegation in
>>> MirrorManager.  We're trusting package signing (and soon, repodata
>>> signing) to prevent rogue mirrors from issuing unsigned data.  In
>>> addition, I'm working on adding in a way to prevent stale mirrors
>>> (with signed content) from being used.
>> How does one get this subnet delegation though?  Can I request any subnet I
>> want, or do we do some sort of verification?
> At present there is no verification (I'm not at all sure how one
> _could_ verify except by ARIN & co  delegation).  However there are
> limits as to how large a block can be requested.  Nothing larger than
> a IPv4 /16 can be automatically requested.  Fedora Infrastructure
> admins can add larger blocks, and request ARIN & co data when doing so.
>> What happens if the client decided its mirror is bad, I presume it will go
>> off and find a better one, even with delegation?
> Yes, the mirrorlist returned includes quite a few mirrors, in priority order.

Our testing showed that when our client was in a MirrorManager-defined
CIDR block for a mirror, the returned mirrorlist included only the
single mirror. -- It's dangerous either way, of course, but I'm just
wondering if our testing was faulty, if this has changed since we
tested, or if it might be behaving differently than you expect.

Possibly you tested with a block that was already defined by other
mirrors and so multiple entries were returned in the mirrorist? That's
just a guess, we didn't test with a block that was defined by more than
one mirror (as far as we knew, at least).

- --
Justin Samuel
gpg: 0xDDF1F3EE [66EF 84E2 F184 B140 712B 55A7 2B96 AB8F DDF1 F3EE]
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]