[CentOS-mirror] mirror manager

Tue Aug 18 16:37:05 UTC 2009
R P Herrold <herrold at centos.org>

On Tue, 18 Aug 2009, Chuck Anderson wrote:

> The newest incarnation of MirrorManager is better,

I see at RawHide ... nothing

[herrold at centos-5 ~]$ date ; srcfind MirrorManager
Tue Aug 18 12:36:25 EDT 2009
/home/herrold/.tmp/srcfind.cache.txt
MirrorManager     nil
[herrold at centos-5 ~]$

URL please

> because it uses https:// URLs to the master server, which 
> then serves a Metalink URL file containing the mirror list 
> along with hashes of the files.

and what revocation list checking exists and is implemented? 
Are the hashes signed? If so, when and with what key security 
model? traceable to what CA root set? -- so far all I see is 
a potential for transit security of a file against a MitM

> Yum can then compare the secure hashes

'can' is not 'does' -- version/release please? Is this in our 
yum, or if not what adds it, so I can examine the model's 
assumptions

ehhh?  'secure hashes' how?  What is being compared here?

> of the repomd.xml files from the mirrors with the hash from 
> the genuine master as served over https to verify it hasn't 
> been tampered with.  If it doesn't match, yum just goes onto 
> the next mirror in the list.

-- Russ herrold
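
The check described in the quoted text, as an added example that is not part of the original message and is not yum or MirrorManager code. It assumes the Metalink 3.0 layout and a metalink already fetched over certificate-verified HTTPS (the hashes are not signed); the hostnames, sample data and the names `build_sample`, `expected_from_metalink` and `pick_mirror` are constructed for illustration.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}   # Metalink 3.0 namespace
ALLOWED = ("sha512", "sha256")              # strongest first; md5/sha1 are ignored
A = "http://mirror-a.example/repodata/repomd.xml"   # constructed mirror URLs
B = "http://mirror-b.example/repodata/repomd.xml"

def build_sample():
    """Constructed data: a metalink for the genuine repomd.xml plus two mirrors."""
    good = b"<repomd><revision>1250613425</revision></repomd>\n"
    metalink = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="repomd.xml"><size>{len(good)}</size>
  <verification><hash type="md5">00000000000000000000000000000000</hash>
   <hash type="sha256">{hashlib.sha256(good).hexdigest()}</hash></verification>
  <resources><url protocol="http" preference="100">{A}</url>
   <url protocol="http" preference="90">{B}</url></resources>
 </file></files></metalink>"""
    # Mirror A serves a same-length but altered file; mirror B serves the original.
    return metalink, {A: good.replace(b"3425", b"9999"), B: good}

def expected_from_metalink(xml_text, name="repomd.xml"):
    """Return (size, algo, hexdigest, urls by preference) for one listed file."""
    for f in ET.fromstring(xml_text).iterfind("ml:files/ml:file", NS):
        if f.get("name") != name:
            continue
        hashes = {h.get("type"): h.text.strip().lower()
                  for h in f.iterfind("ml:verification/ml:hash", NS)}
        algo = next((a for a in ALLOWED if a in hashes), None)
        if algo is None:
            raise ValueError("metalink offers no acceptable hash")
        urls = sorted(f.iterfind("ml:resources/ml:url", NS),
                      key=lambda u: -int(u.get("preference", "0")))
        size = int(f.findtext("ml:size", namespaces=NS))
        return size, algo, hashes[algo], [u.text.strip() for u in urls]
    raise ValueError(f"{name} not listed in metalink")

def pick_mirror(xml_text, fetch):
    """Try mirrors in order; return (first URL whose bytes match, rejected URLs)."""
    size, algo, want, urls = expected_from_metalink(xml_text)
    rejected = []
    for url in urls:
        data = fetch(url)
        if (data is not None and len(data) == size and
                hmac.compare_digest(hashlib.new(algo, data).hexdigest(), want)):
            return url, rejected
        rejected.append(url)
    raise RuntimeError("no mirror served a repomd.xml matching the metalink")
```

The comparison only binds a mirror's repomd.xml to whatever the master served; the trust anchor remains the HTTPS certificate validation done when fetching the metalink.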