[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...



On Mon, Jul 28, 2008 at 5:29 PM, seth vidal <skvidal fedoraproject org> wrote:
> On Mon, 2008-07-28 at 17:28 -0400, Mike McLean wrote:
>> Would it be feasible to audit the mirror content? We have the list of
>> mirrors, we know what the content should be. I think we'd only need to
>> validate the mirrored repomd.xml, right?  Doesn't seem to onerous...
>>
>> yes, yes, not perfect, malicious mirror could change the content, etc,
>> but at least we'd have some measure of detection.
>
> which is the point. A malicious mirror could safely lie to us and not
> lie to their targets.

Depends on who 'us' is. We could run such checks from a number of
different locations.

Anyway, I didn't mean to suggest this as a total solution.

> Additionally, mirrormanager DOES check the mirrors.

Good to know.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]