
Re: YUM security issues...



On Mon, Jul 28, 2008 at 1:07 PM, Matt Domsch <Matt_Domsch dell com> wrote:
> 1. repomd.xml needs to be signed. Either attached or detached sig
>   (advice sought).  If attached, format would be

I see a number of good ideas to improve the situation, but I don't
think I've seen anyone suggest the following.

Would it be feasible to audit the mirror content? We have the list of
mirrors, we know what the content should be. I think we'd only need to
validate the mirrored repomd.xml, right?  Doesn't seem too onerous...

Yes, yes, not perfect, malicious mirror could change the content, etc,
but at least we'd have some measure of detection.
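
A sketch of the mirror audit proposed above, added as an example and not part of the original message or of any Fedora/YUM tooling: it compares each mirror's repomd.xml digest against the master copy and against earlier master revisions, so a mirror that is merely behind on sync is reported separately from one serving unknown content. The function names, mirror hostnames and repomd.xml bodies are constructed for illustration, and fetching the files is left to the caller.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_mirrors(master_current, master_previous, mirror_copies):
    """Classify each mirror's repomd.xml against the master repository.

    master_current  -- bytes of the master's current repomd.xml
    master_previous -- list of bytes of earlier master revisions
    mirror_copies   -- dict: mirror name -> fetched bytes, or None if the fetch failed
    """
    current = sha256_hex(master_current)
    previous = {sha256_hex(p) for p in master_previous}
    report = {}
    for mirror, body in mirror_copies.items():
        if body is None:
            report[mirror] = "UNREACHABLE"
            continue
        digest = sha256_hex(body)
        if digest == current:
            report[mirror] = "OK"
        elif digest in previous:
            report[mirror] = "STALE"      # a known older revision: sync lag
        else:
            report[mirror] = "MISMATCH"   # content the master never published
    return report

def needs_followup(report):
    """Mirrors whose copy is not a revision the master ever published."""
    return sorted(m for m, status in report.items() if status == "MISMATCH")

# Constructed sample data (not real repository metadata).
OLD = b"<repomd><data type='primary'><checksum>aaaa</checksum></data></repomd>"
NEW = b"<repomd><data type='primary'><checksum>bbbb</checksum></data></repomd>"
ODD = b"<repomd><data type='primary'><checksum>cccc</checksum></data></repomd>"

SAMPLE_MIRRORS = {
    "mirror-a.example.org": NEW,
    "mirror-b.example.org": OLD,
    "mirror-c.example.org": ODD,
    "mirror-d.example.org": None,
}

if __name__ == "__main__":
    result = audit_mirrors(NEW, [OLD], SAMPLE_MIRRORS)
    for name, status in sorted(result.items()):
        print(f"{name:24} {status}")
    print("follow up:", needs_followup(result))
```

As the message says, this gives detection only: a mirror can answer the auditor with a clean copy and serve something else to other clients.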

