On Tue, Aug 18, 2009 at 04:44:47PM +0100, Karanbir Singh wrote:
> yes, that yum cgi thing you speak of - is also a massive security
> hazard. It's the no.1 reason why no one else wants to go down that route.
> As for the mirror network, if you are a public mirror you should be
> pulling from the msync targets anyway ( and we try and keep those
> controlled to ensure there is enough b/w to go around ).

The newest incarnation of MirrorManager is better, because it uses
https:// URLs to the master server, which then serves a Metalink URL
file containing the mirror list along with hashes of the files. Yum can
then compare the secure hashes of the repomd.xml files from the mirrors
with the hash from the genuine master as served over https to verify it
hasn't been tampered with. If it doesn't match, yum just goes on to the
next mirror in the list.
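
The check described in the reply above, sketched as an added example that is not part of the original message and is not yum or MirrorManager code. The Metalink document is a simplified, constructed one, the mirror URLs are example.org placeholders, and `parse_metalink`, `select_mirror` and the `fetch` callable (standing in for the plain-http download) are hypothetical names.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}
# Constructed repomd.xml bodies: the genuine one and a modified copy.
GOOD_REPOMD = b"<repomd><revision>1250610287</revision></repomd>\n"
TAMPERED_REPOMD = GOOD_REPOMD.replace(b"1250610287", b"1250000000")
# Constructed metalink, standing in for what the master serves over https.
METALINK = """<metalink xmlns="http://www.metalinker.org/">
 <files><file name="repomd.xml">
  <verification><hash type="sha256">{digest}</hash></verification>
  <resources>
   <url preference="100">http://mirror-a.example.org/repodata/repomd.xml</url>
   <url preference="90">http://mirror-b.example.org/repodata/repomd.xml</url>
  </resources>
 </file></files>
</metalink>""".format(digest=hashlib.sha256(GOOD_REPOMD).hexdigest())
# Simulated mirror contents: mirror-a serves the modified file.
MIRRORS = {
    "http://mirror-a.example.org/repodata/repomd.xml": TAMPERED_REPOMD,
    "http://mirror-b.example.org/repodata/repomd.xml": GOOD_REPOMD,
}

def parse_metalink(xml_text):
    """Return (sha256 hex digest, mirror URLs ordered by preference)."""
    entry = ET.fromstring(xml_text).find(".//ml:file[@name='repomd.xml']", NS)
    if entry is None:
        raise ValueError("metalink has no repomd.xml entry")
    digest = entry.find("ml:verification/ml:hash[@type='sha256']", NS)
    if digest is None or not digest.text:
        raise ValueError("metalink carries no sha256 hash; refusing to proceed")
    urls = sorted(entry.findall("ml:resources/ml:url", NS),
                  key=lambda u: -int(u.get("preference", "0")))
    return digest.text.strip().lower(), [u.text.strip() for u in urls]

def select_mirror(xml_text, fetch):
    """Return (url, rejected) for the first mirror whose repomd.xml matches."""
    expected, urls = parse_metalink(xml_text)  # trusted: it arrived over https
    rejected = []
    for url in urls:
        body = fetch(url)  # untrusted: plain http from a third-party mirror
        actual = hashlib.sha256(body).hexdigest() if body is not None else ""
        if hmac.compare_digest(actual, expected):
            return url, rejected
        rejected.append(url)  # mismatch or unreachable: go on to the next mirror
    return None, rejected
```

Calling `select_mirror(METALINK, MIRRORS.get)` skips mirror-a and settles on mirror-b; when no mirror matches, it returns `None` rather than falling back to an unverified copy.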