[CentOS-mirror] mirror manager

Chuck Anderson cra at WPI.EDU
Tue Aug 18 17:09:35 UTC 2009

On Tue, Aug 18, 2009 at 04:44:47PM +0100, Karanbir Singh wrote:
> yes, that yum cgi thing you speak of - is also a massive security 
> hazard. Its the no.1 reason why noone else wants to go down that route. 
> As for the mirror network, if you are a public mirror you should be 
> pulling from the msync targets anyway ( and we try and keep those 
> controlled to ensure there is enough b/w to go around  ).

The newest incarnation of MirrorManager is better, because it uses 
https:// URLs to the master server, which then serves a Metalink URL 
file containing the mirror list along with hashes of the files.  Yum 
can then compare the secure hashes of the repomd.xml files from the 
mirrors with the hash from the genuine master as served over https to 
verify it hasn't been tampered with.  If it doesn't match, yum just 
goes onto the next mirror in the list.

More information about the CentOS-mirror mailing list