On Fri, 25 Jul 2008, Matt Domsch wrote:

> On Fri, Jul 25, 2008 at 10:43:59AM -0500, Mike McGrath wrote:
> > On Fri, 25 Jul 2008, Jesse Keating wrote:
> >
> > > On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
> > > >
> > > > AFAIK, this service is still in place and working fine. Though I am a
> > > > little confused about the question. It sounds like you'd like to direct
> > > > all subnet traffic to a specific mirror. But you're also saying you took
> > > > your mirror down. Are you worried people in your subnet are being
> > > > directed to a down mirror?
> > >
> > > More like taking over a subnet and directing all clients at a rogue
> > > mirror.
> >
> > <nod> that makes more sense. Domsch?
>
> Yes, this is a known challenge with subnet delegation in
> MirrorManager. We're trusting package signing (and soon, repodata
> signing) to prevent rogue mirrors from issuing unsigned data. In
> addition, I'm working on adding in a way to prevent stale mirrors
> (with signed content) from being used.
>

Perhaps it might also be a good idea to add a comment to the default
yum.conf for gpgcheck explaining what a bad idea it is to set it to 0. I
could imagine people setting it to 0 not understanding what they're doing.
Especially if they're familiar with gpg's encryption bits, but not its
signing functionality.

	-Mike
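The thread relies on package signature checking as the control against a rogue mirror, so the following added example (not code from the thread, yum or MirrorManager) audits yum configuration text and reports which repositories end up with `gpgcheck` off, whether set in the repo section or inherited from `[main]`. The repo ids, hosts and sample files are constructed, and treating a missing `gpgcheck` as "off" is an assumption about yum's built-in default.

```python
import configparser

# Assumption: with no gpgcheck line anywhere, yum falls back to "off".
BUILTIN_DEFAULT = False

# Constructed sample input (hypothetical repo ids and hosts).
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\n"
SAMPLE_REPO_FILES = ["""\
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=http://mirrors.example.invalid/list?repo=fedora-$releasever

[local-testing]
name=Local testing
baseurl=http://repo.example.invalid/testing/
gpgcheck=0
"""]

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _flag(cp, section):
    """Explicit gpgcheck value as a bool, or None when the key is absent."""
    if not cp.has_option(section, "gpgcheck"):
        return None
    try:
        return cp.getboolean(section, "gpgcheck")
    except ValueError:
        return False  # unparseable value: report it as not verified

def audit_gpgcheck(main_text, repo_texts):
    """Map each repo id to (signature check enabled?, where the value came from)."""
    main = _load(main_text)
    main_flag = _flag(main, "main")
    default = BUILTIN_DEFAULT if main_flag is None else main_flag
    inherited = "built-in default" if main_flag is None else "[main]"
    findings = {}
    for cp in [main] + [_load(t) for t in repo_texts]:
        for repo in cp.sections():
            if repo == "main":
                continue
            own = _flag(cp, repo)
            findings[repo] = (default, inherited) if own is None else (own, "repo section")
    return findings

def unverified(findings):
    """Repo ids whose packages would be installed without a signature check."""
    return sorted(repo for repo, (checked, _) in findings.items() if not checked)
```

On a real host, pass in the contents of `/etc/yum.conf` and of each `.repo` file under `/etc/yum.repos.d/`.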