[CentOS-mirror] mirror manager

Tue Aug 18 16:09:35 UTC 2009
Chuck Anderson <cra at WPI.EDU>

On Tue, Aug 18, 2009 at 04:44:47PM +0100, Karanbir Singh wrote:
> yes, that yum cgi thing you speak of - is also a massive security
> hazard. It's the no.1 reason why no one else wants to go down that route.
> As for the mirror network, if you are a public mirror you should be 
> pulling from the msync targets anyway ( and we try and keep those 
> controlled to ensure there is enough b/w to go around  ).

The newest incarnation of MirrorManager is better, because it uses 
https:// URLs to the master server, which then serves a Metalink URL 
file containing the mirror list along with hashes of the files.  Yum 
can then compare the secure hashes of the repomd.xml files from the 
mirrors with the hash from the genuine master as served over https to 
verify it hasn't been tampered with.  If it doesn't match, yum just 
goes on to the next mirror in the list.
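
Added example, not part of the original message and not MirrorManager or yum code: a sketch of the check described above, where the sha256 of repomd.xml comes from the master's metalink and each mirror's copy is compared against it before use. The metalink sample, the mirror hostnames, the mirror responses, and the function names parse_metalink and pick_mirror are all constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}
# Constructed stand-in for the genuine repomd.xml held by the master.
GENUINE = b"<repomd><revision>1250611775</revision></repomd>\n"
# Constructed, simplified Metalink 3.0-style document; in the scheme described
# above it would be fetched from the master over https://.
METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="repomd.xml">
  <verification>
   <hash type="sha256">{hashlib.sha256(GENUINE).hexdigest()}</hash>
  </verification>
  <resources>
   <url protocol="http" preference="100">http://mirror-a.example/repodata/repomd.xml</url>
   <url protocol="http" preference="90">http://mirror-b.example/repodata/repomd.xml</url>
  </resources>
 </file></files>
</metalink>"""
# Constructed mirror responses: mirror-a serves altered metadata.
MIRRORS = {
    "http://mirror-a.example/repodata/repomd.xml": GENUINE.replace(b"1250611775", b"1"),
    "http://mirror-b.example/repodata/repomd.xml": GENUINE,
}

def parse_metalink(xml_text, filename="repomd.xml"):
    """Return (sha256 hex digest, mirror URLs by descending preference)."""
    for f in ET.fromstring(xml_text).findall("ml:files/ml:file", NS):
        if f.get("name") == filename:
            hashes = {h.get("type"): h.text.strip().lower()
                      for h in f.findall("ml:verification/ml:hash", NS)}
            urls = sorted(f.findall("ml:resources/ml:url", NS),
                          key=lambda u: -int(u.get("preference", "0")))
            return hashes["sha256"], [u.text.strip() for u in urls]
    raise ValueError(f"{filename} not listed in metalink")

def pick_mirror(xml_text, fetch):
    """Try mirrors in order; return (first URL whose repomd.xml matches, rejected URLs)."""
    expected, urls = parse_metalink(xml_text)
    rejected = []
    for url in urls:
        digest = hashlib.sha256(fetch(url)).hexdigest()
        if hmac.compare_digest(digest, expected):
            return url, rejected
        rejected.append(url)  # mismatch: move on to the next mirror
    raise RuntimeError("no mirror served a repomd.xml matching the master's hash")

if __name__ == "__main__":
    print(pick_mirror(METALINK, MIRRORS.__getitem__))
```

The check is only as trustworthy as the metalink itself, so the expected hash must arrive over a certificate-validated https:// connection to the master; if no mirror matches, the function fails closed rather than accepting unverified metadata.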