On Wed, Jul 30, 2008 at 08:42:44AM -0700, Justin Cappos wrote:
You might also think about requiring the mirror's IP address to fall
in the subnet (or else they ask for your approval). This might
further complicate an attacker using this for evil.
The challenge here is
a) private servers
I was wondering if any changes have been made or are planned for
MirrorManager (i.e. preventing mirrors from arbitrarily grabbing parts
of the address space). We're submitting the final version of our
paper soon (the version that will appear in print) and I'd like to
include any updates about
Yes, you clearly described one of the attacks we see with MirrorManager.
A few comments:
1) Have MirrorManager use https and return some repo verification data.
Is the verification data a signed repomd.xml? Can you expand on this a little?
By the way, before I forget, it would be a good idea
Seth, James Antill, and I met a week ago to discuss. These are the
steps we believe are necessary to resolve. I didn't realize this
hadn't been posted yet.
1. repomd.xml needs to be signed. Either attached or detached sig
(advice sought). If attached, format would be
repomd/repomd
On 28 July 2008, Matt Domsch wrote:
Seth, James Antill, and I met a week ago to discuss. These are the
steps we believe are necessary to resolve. I didn't realize this
hadn't been posted yet.
1. repomd.xml needs to be signed. Either attached or detached sig
(advice sought). If
On Mon, 2008-07-28 at 14:25 -0400, Jesse Keating wrote:
On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote:
1. repomd.xml needs to be signed. Either attached or detached sig
(advice sought). If attached, format would be
I would prefer a detached sig, so that the checksum of
On Fri, 2008-07-25 at 19:04 -0700, Justin Cappos wrote:
Yes, you clearly described one of the attacks we see with MirrorManager.
A few comments:
1) Have MirrorManager use https and return some repo verification data.
Is the verification data a signed repomd.xml? Can you expand on this
On Mon, 2008-07-28 at 17:28 -0400, Mike McLean wrote:
On Mon, Jul 28, 2008 at 1:07 PM, Matt Domsch [EMAIL PROTECTED] wrote:
1. repomd.xml needs to be signed. Either attached or detached sig
(advice sought). If attached, format would be
I see a number of good ideas to improve the
On Mon, 2008-07-28 at 17:29 -0400, seth vidal wrote:
On Mon, 2008-07-28 at 17:28 -0400, Mike McLean wrote:
On Mon, Jul 28, 2008 at 1:07 PM, Matt Domsch [EMAIL PROTECTED] wrote:
1. repomd.xml needs to be signed. Either attached or detached sig
(advice sought). If attached, format would
On Mon, 2008-07-28 at 17:37 -0400, Jeremy Katz wrote:
On Mon, 2008-07-28 at 17:29 -0400, seth vidal wrote:
On Mon, 2008-07-28 at 17:28 -0400, Mike McLean wrote:
On Mon, Jul 28, 2008 at 1:07 PM, Matt Domsch [EMAIL PROTECTED] wrote:
1. repomd.xml needs to be signed. Either attached or
On Mon, Jul 28, 2008 at 5:29 PM, seth vidal [EMAIL PROTECTED] wrote:
On Mon, 2008-07-28 at 17:28 -0400, Mike McLean wrote:
Would it be feasible to audit the mirror content? We have the list of
mirrors, we know what the content should be. I think we'd only need to
validate the mirrored
On Mon, Jul 28, 2008 at 5:38 PM, seth vidal [EMAIL PROTECTED] wrote:
On Mon, 2008-07-28 at 17:37 -0400, Jeremy Katz wrote:
Except, of course, for mirrors which are internal to a specific site and
thus can't be contacted by MM
and if they're evil then the folks involved are screwed anyway
On 25 July 2008, seth vidal wrote:
But as you've already mentioned we're stuck with the question of EOL'd
releases and how to deal with things deeply out of date.
I can make yum throw out warnings and alerts but at what point does it
actually STOP doing anything and does that not open us
On Sat, 2008-07-26 at 13:06 -0400, Josh Bressers wrote:
This is of course a policy decision that can be dictated via a
configuration file.
But our default is what people will use which is what we need to get
straight.
There is also the issue of what happens when the
client keeps getting
On 21 July 2008, Josh Bressers wrote:
On 19 July 2008, Justin Cappos wrote:
By the way, did you remove the ability for mirror admins to select a
subnet where they'll serve all of the traffic? We're particularly
concerned about this issue in the short term. We took our mirror
down
On Fri, 25 Jul 2008, Mike McGrath wrote:
On Fri, 25 Jul 2008, Josh Bressers wrote:
On 21 July 2008, Josh Bressers wrote:
On 19 July 2008, Justin Cappos wrote:
By the way, did you remove the ability for mirror admins to select a
subnet where they'll serve all of the traffic?
On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
AFAIK, this service is still in place and working fine. Though I am a
little confused about the question. It sounds like you'd like to direct
all subnet traffic to a specific mirror. But you're also saying you took
your mirror down.
On 25 July 2008, Mike McGrath wrote:
On Fri, 25 Jul 2008, Mike McGrath wrote:
On Fri, 25 Jul 2008, Josh Bressers wrote:
On 21 July 2008, Josh Bressers wrote:
On 19 July 2008, Justin Cappos wrote:
By the way, did you remove the ability for mirror admins to select a
On Fri, Jul 25, 2008 at 10:43:59AM -0500, Mike McGrath wrote:
On Fri, 25 Jul 2008, Jesse Keating wrote:
On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
AFAIK, this service is still in place and working fine. Though I am a
little confused about the question. It sounds like
On Fri, 25 Jul 2008, Matt Domsch wrote:
On Fri, Jul 25, 2008 at 10:43:59AM -0500, Mike McGrath wrote:
On Fri, 25 Jul 2008, Jesse Keating wrote:
On Fri, 2008-07-25 at 10:37 -0500, Mike McGrath wrote:
AFAIK, this service is still in place and working fine. Though I am a
On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
On 25 July 2008, Matt Domsch wrote:
Yes, this is a known challenge with subnet delegation in
MirrorManager. We're trusting package signing (and soon, repodata
signing) to prevent rogue mirrors from issuing unsigned data. In
On 25 July 2008, Matt Domsch wrote:
On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
On 25 July 2008, Matt Domsch wrote:
Yes, this is a known challenge with subnet delegation in
MirrorManager. We're trusting package signing (and soon, repodata
signing) to prevent
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Matt Domsch wrote:
On Fri, Jul 25, 2008 at 12:46:15PM -0400, Josh Bressers wrote:
On 25 July 2008, Matt Domsch wrote:
Yes, this is a known challenge with subnet delegation in
MirrorManager. We're trusting package signing (and soon, repodata
Of Justin Samuel
Sent: Friday, July 25, 2008 1:36 PM
To: Domsch, Matt
Cc: Josh Bressers; Mike McGrath; fedora-infrastructure-list@redhat.com;
Justin Cappos; [EMAIL PROTECTED]
Subject: Re: YUM security issues...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Matt Domsch wrote:
On Fri, Jul 25, 2008
On 25 July 2008, Matt Domsch wrote:
On Fri, Jul 25, 2008 at 01:52:26PM -0400, Josh Bressers wrote:
That's a lot of IPs though. Can I request multiple /16s, or only one?
As many as you like. And recall, such changes are made using your FAS
credentials.
Are these ever checked? Does say a
Josh Bressers wrote:
On 25 July 2008, Matt Domsch wrote:
On Fri, Jul 25, 2008 at 01:52:26PM -0400, Josh Bressers wrote:
That's a lot of IPs though. Can I request multiple /16s, or only one?
As many as you like. And recall, such changes are made using your FAS
credentials.
Are these ever
On Fri, 2008-07-25 at 18:41 -0700, Toshio Kuratomi wrote:
3) Always get repo data from fedoraproject.org (probably not practical due
to resource issues)
This is the easiest to implement. It means the small repomd.xml file
always comes from our server. But the rest of the metadata can
27 matches