On Tue, 18 Aug 2009, Chuck Anderson wrote:

> The newest incarnation of MirrorManager is better,

I see at RawHide ... nothing

[herrold at centos-5 ~]$ date ; srcfind MirrorManager
Tue Aug 18 12:36:25 EDT 2009
/home/herrold/.tmp/srcfind.cache.txt
MirrorManager nil
[herrold at centos-5 ~]$

URL please

> because it uses https:// URLs to the master server, which
> then serves a Metalink URL file containing the mirror list
> along with hashes of the files.

and what revocation list checking exists and is implemented?
Are the hashes signed? If so, when and with what key security model?
traceable to what CA root set? -- so far all I see is a potential for
transit security of a file against a MitM

> Yum can then compare the secure hashes

'can' is not 'does' -- version/release please? Is this in our
yum, or if not what adds it, so I can examine the model's
assumptions

ehhh? 'secure hashes' how? What is being compared here?

> of the repomd.xml files from the mirrors with the hash from
> the genuine master as served over https to verify it hasn't
> been tampered with. If it doesn't match, yum just goes onto
> the next mirror in the list.

-- Russ herrold
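
Added example (not part of the original message, and not yum or MirrorManager code): the comparison described in the quoted text, where the hash of each mirror's repomd.xml is checked against the hash listed in the Metalink file and a mismatch moves on to the next mirror. The Metalink document, mirror URLs and file contents are constructed sample data, and `parse_metalink`, `pick_mirror` and the `fetch` callback are hypothetical names.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}  # Metalink 3.0 namespace
# Constructed sample data: mirror A serves an altered repomd.xml, mirror B the genuine one.
GENUINE = b"<repomd><revision>1250613385</revision></repomd>"
A_URL = "http://mirror-a.example/repo/repodata/repomd.xml"
B_URL = "http://mirror-b.example/repo/repodata/repomd.xml"
MIRRORS = {A_URL: b"<repomd><revision>0</revision></repomd>", B_URL: GENUINE}
METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="repomd.xml">
  <verification><hash type="sha256">{digest}</hash></verification>
  <resources>
   <url protocol="http" preference="100">{a}</url>
   <url protocol="http" preference="90">{b}</url>
  </resources>
 </file></files>
</metalink>""".format(digest=hashlib.sha256(GENUINE).hexdigest(), a=A_URL, b=B_URL)


def parse_metalink(text, name="repomd.xml"):
    """Return ({hash_type: hexdigest}, [urls ordered by descending preference])."""
    root = ET.fromstring(text)
    for f in root.findall("ml:files/ml:file", NS):
        if f.get("name") == name:
            hashes = {h.get("type"): h.text.strip().lower()
                      for h in f.findall("ml:verification/ml:hash", NS)}
            urls = sorted(f.findall("ml:resources/ml:url", NS),
                          key=lambda u: -int(u.get("preference", "0")))
            return hashes, [u.text.strip() for u in urls]
    raise ValueError("no %s entry in metalink" % name)


def pick_mirror(metalink_text, fetch, algo="sha256"):
    """Return (url, body, rejected_urls) for the first mirror whose repomd.xml
    hashes to the value listed in the metalink; fetch(url) returns bytes or None."""
    hashes, urls = parse_metalink(metalink_text)
    if algo not in hashes:  # fail closed rather than skip the comparison
        raise ValueError("metalink carries no %s hash" % algo)
    rejected = []
    for url in urls:
        body = fetch(url)
        if body is not None and hashlib.new(algo, body).hexdigest() == hashes[algo]:
            return url, body, rejected
        rejected.append(url)  # mismatch or fetch failure: go on to the next mirror
    raise RuntimeError("no mirror served a repomd.xml matching the listed hash")


if __name__ == "__main__":
    print(pick_mirror(METALINK, MIRRORS.get))
```

The hash in this example is unsigned, so the check authenticates a mirror's repomd.xml only as far as the https fetch of the Metalink file authenticates the master.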