Re: YUM security issues...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2008-07-28 at 17:28 -0400, Mike McLean wrote:
> On Mon, Jul 28, 2008 at 1:07 PM, Matt Domsch <Matt_Domsch@xxxxxxxx> wrote:
> > 1. repomd.xml needs to be signed. Either attached or detached sig
> >   (advice sought).  If attached, format would be
> 
> I see a number of good ideas to improve the situation, but I don't
> think I've seen anyone suggest the following.
> 
> Would it be feasible to audit the mirror content? We have the list of
> mirrors, we know what the content should be. I think we'd only need to
> validate the mirrored repomd.xml, right?  Doesn't seem to onerous...
> 
> yes, yes, not perfect, malicious mirror could change the content, etc,
> but at least we'd have some measure of detection.

which is the point. A malicious mirror could safely lie to us and not
lie to their targets.

Additionally, mirrormanager DOES check the mirrors.

-sv


_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux