[CentOS-mirror] mirror manager

Fri Aug 21 10:44:08 UTC 2009
Karanbir Singh <mail-lists at karan.org>

On 08/21/2009 04:41 AM, Chuck Anderson wrote:
> "CA cert checking integrated (both ways)."

This works, you can use the yum rpms presently in c5-testing to make 
sure. But it would only work for 5.4+ clients.

> "Yum in Fedora 10 and higher can process the mirror list in metalink
> format, which provides additional security checking capability. Yum
> compares the SHA1 checksums of each repository's repomd.xml file
> against that of the master mirrors. This ensures that significantly
> out-of-date mirrors are not used."

Much like bittorrent - remember there are many people who question the 
whole purpose of metalinks :) In this case, I think it's just overdoing 
something essentially simple. And, there are better, client-centric ways 
of doing this work, some which need more development done on.

btw, there is also the gpg signing of repomd's...

> So we are getting there, but perhaps not quite perfect yet.  Things
> are already much better than they were before.

the issue that most Fedora people seem unable to comprehend is that 
there is a whole world out there that does not reload every 6 months - 
therefore being able to track back and maintain some level of 
compatibility with the slightly older code base is something that 
confines much of what Fedora does today, to within Fedora lands. Some of 
these things might percolate down but then when they do, Fedora has 
moved onto other things.[1]

Reason I say this is that we can't just jump in and follow what Fedora is 
doing for the reason that we have a much longer and a broader product 
cycle and there is little ( many times none ) interest there to maintain 
and work with things they consider old and outdated. So while looking at 
MirrorManager is something we might be able to do today - whatever 
changes we make into the CentOS system need to be things that we know 
and can maintain in house. Many times that means rewriting based on and 
around our specific requirements.

- KB

[1]: It is refreshing and makes me quite happy to see some of the 
infrastructure and tooling sub-projects / Fedora-upstreams take a more 
pragmatic approach on these things.

Karanbir Singh : http://www.karan.org/  : 2522219 at icq
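
Added illustration of the repomd.xml checksum comparison described in the quoted Fedora text above (this is not code from the thread, yum or MirrorManager). The mirror hostnames, repomd.xml bodies and the metalink document are constructed, and the element layout is a simplified Metalink 3.0 form assumed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "http://www.metalinker.org/"}  # Metalink 3.0 namespace
URL = "http://mirror-{}.example/repodata/repomd.xml"  # constructed hosts

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

# Constructed repomd.xml bodies: the master's current copy and an outdated one.
CURRENT = b"<repomd><revision>1250851448</revision></repomd>"
STALE = b"<repomd><revision>1240000000</revision></repomd>"
# Stand-in for HTTP fetches so the example runs offline (constructed data).
MIRROR_CONTENT = {URL.format("a"): CURRENT, URL.format("b"): STALE, URL.format("c"): CURRENT}

# Constructed, simplified metalink: the master's SHA1 plus three mirror URLs.
METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="repomd.xml">
  <verification><hash type="sha1">{sha1_hex(CURRENT)}</hash></verification>
  <resources>
   <url preference="100">{URL.format('b')}</url>
   <url preference="90">{URL.format('a')}</url>
   <url preference="80">{URL.format('c')}</url>
  </resources>
 </file></files>
</metalink>"""

def parse_metalink(xml_text, filename="repomd.xml"):
    """Return (expected SHA1, mirror URLs by descending preference)."""
    root = ET.fromstring(xml_text)
    f = root.find(f"ml:files/ml:file[@name='{filename}']", NS)
    if f is None:
        raise ValueError(filename + " not listed in metalink")
    h = f.find("ml:verification/ml:hash[@type='sha1']", NS)
    if h is None or not (h.text or "").strip():
        raise ValueError("metalink has no SHA1 for " + filename)
    urls = sorted(f.iterfind("ml:resources/ml:url", NS),
                  key=lambda u: -int(u.get("preference", "0")))
    return h.text.strip().lower(), [u.text.strip() for u in urls]

def usable_mirrors(xml_text, fetch):
    """Keep only mirrors whose repomd.xml hashes to the master's value."""
    want, urls = parse_metalink(xml_text)
    good = []
    for url in urls:
        body = fetch(url)  # None means the mirror was unreachable
        if body is not None and sha1_hex(body) == want:
            good.append(url)
    return good
```

Calling `usable_mirrors(METALINK, MIRROR_CONTENT.get)` drops mirror-b even though it has the highest preference, because its repomd.xml is the outdated copy. The comparison is only as trustworthy as the channel that delivered the metalink, which is where the CA certificate checking quoted at the top of the message comes in.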