What is this security hazard you speak of? I don't really see a problem with it at first glance.
And yes, I'm running a private mirror, and no, I do not pull from *.centos.org Centos, I pull from linux.mirrors.es.net
On 8/18/2009 11:44 AM, Karanbir Singh wrote:
On 08/18/2009 04:39 PM, Nick Olsen wrote:
It's great when you're looking for a mirror to pull from. It lists every mirror that you're allowed to pull from, what they have, if it's up to date, and where THEY pull it from. Not to mention they have some CGI script or something that ties into yum so you can redirect your local subnets to your local server instead of having to mod the repo file on every box.
On 8/18/2009 11:36 AM, Karanbir Singh wrote:
On 08/18/2009 04:07 PM, Nick Olsen wrote:
Not sure how many of you guys have used Fedora's mirror manager, but CentOS should do something like this. It's really a nice little app that helps in mirroring.
How so?
Yes, that yum CGI thing you speak of is also a massive security hazard. It's the no. 1 reason why no one else wants to go down that route. As for the mirror network, if you are a public mirror you should be pulling from the msync targets anyway (and we try and keep those controlled to ensure there is enough b/w to go around).
We do need better monitoring within that, and is something we should get done soon.
If you are not a public mirror, you should *not* be pulling from anything .centos.org and just going to your trusted local upstream. There is potential to better define this and to merge in the various sources of info that exist on .centos.org!