[CentOS-mirror] mirror manager
cra at WPI.EDU
Tue Aug 18 17:09:35 UTC 2009
On Tue, Aug 18, 2009 at 04:44:47PM +0100, Karanbir Singh wrote:
> yes, that yum cgi thing you speak of - is also a massive security
> hazard. It's the no.1 reason why no one else wants to go down that route.
> As for the mirror network, if you are a public mirror you should be
> pulling from the msync targets anyway ( and we try and keep those
> controlled to ensure there is enough b/w to go around ).
The newest incarnation of MirrorManager is better, because it uses
https:// URLs to the master server, which then serves a Metalink URL
file containing the mirror list along with hashes of the files. Yum
can then compare the secure hashes of the repomd.xml files from the
mirrors with the hash from the genuine master as served over https to
verify it hasn't been tampered with. If it doesn't match, yum just
goes on to the next mirror in the list.