On Wed Jan 15, 2003 at 08:39:38PM +0100, JP wrote:

[...]
> > Yup.  You can use urpmi and use whatever mirror you like to get
> > updates.  This should be just as secure as the "for pay" mirror... ie.
> > md5sums are available and the file is GPG clearsigned.  RPM packages
> > can be validated via md5 and gpg sigs.
> 
> thank god, no micro$$$oft practices.

Absolutely not.  That's not at all what we're intending to do.

> > The primary advantage to the for pay updates is you will have access to
> > them instantly.  I don't know what the infrastructure for the updates
> > is, but I imagine there will be next to no delay for updates... you
> > would get them almost immediately.  Relying on third-party mirrors
> > means a little bit of a delay, so it depends on how quickly you want
> > your firewall patched up (if speed is important to you, getting
> > "priority" updates may well be what you need/want).  You also wouldn't
> > have to worry about free mirrors being clogged when new distribs are
> > released... anyone try to update software the day of a new Mdk or RH
> > release?  Have fun getting into most public mirrors that week.
> 
> no problem for me :-)
> I must admit though that this may indeed be a serious problem to many
> people, certainly if it is about some critical security update.

Right.  And if it's important, then you should be willing to spend
money on it, no?  Look at it this way.  We can provide "priority" FTP
access to a mirror of our own if we really wanted to, but in the end
this costs us a *lot* of money.  Because everyone will want to use the
official FTP site.  So we pay bandwidth and whatnot for everyone to get
updates from us.  That's not a very good business model, especially
considering the current financial situation.

So, in order for you to get a service, you need to pay for it.  Now, I
don't know how much it costs, so I can't say if this is something geared
more towards the corporate world or the personal user.  If you want
updates quickly from a secure source, you need to pay for the
privilege.  Otherwise, you deal with third-party mirrors that may or
may not be reliable, and that may have a few hours delay.  If it's
absolutely critical to you, you will pay.  This is not a new way of
doing business; many companies do similar to this.  Correct me if I'm
wrong, but I believe RH does something similar with their up2date
stuff.

[...]
> > Nope, not at all.  You're paying for access to a private FTP site.  The
> > updates themselves are "free"; meaning publicly available to anyone who
> > wants them.  Access to the private FTP site is the real issue here.
> > 
> > I agree that it wasn't clearly worded, so I hope this provides a little
> > less confusion for those who would like to use MNF but have some
> > reservations thinking you might be charged for security updates.
> 
> it does clarify a lot indeed.

Ok good... =)

> as for the 'delay' one experiences when using mirror sites, I guess it
> basically comes down to what one uses the box for.
> 
> a home user will generally care less about such things, and also have a
> smaller budget than say a corporate it department guy. apart from that,
> mnf like snf is to be used as a firewall/nat router. once properly set up,
> such a machine should not be running any services except a (local lan
> only) sshd, leaving virtually no possibilities for intrusion but the ssh
> packages (or a highly unlikely kernel networking related bug).
> 
> in the end, it's all about priorities ;-)

Exactly.  And you get what you pay for.  If you pay nothing, don't sit
back, do nothing, and complain that you got nothing.  =)

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}
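
The check mentioned in the quoted text above (md5sums published in a GPG-clearsigned file, used to validate packages fetched from any mirror), as an added example that is not part of the original thread. The names `MD5SUMS.asc` and `RPMS` are assumptions, and the signer's public key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example. MD5SUMS.asc and the RPMS directory are assumed names.

# Print only the text the signature covers. gpg exits non-zero if the
# signature is bad or the signer's public key is not in the keyring.
signed_manifest() {
    gpg --batch --decrypt "$1" 2>/dev/null
}

# Read "<md5>  <name>" lines of an already verified manifest on stdin and
# compare them with the files in directory $1. Returns 1 on any problem.
check_packages() {
    dir=$1
    bad=0
    while read -r want name || [ -n "$want" ]; do
        [ -n "$name" ] || continue
        name=${name#\*}                  # md5sum marks binary mode with '*'
        case $name in
            */*) echo "REJECT $name"; bad=1; continue ;;  # stay inside $dir
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done
    return "$bad"
}

# $1 = clearsigned checksum file, $2 = directory holding the downloads.
# Checksums are taken from gpg's verified output, never from the raw file,
# so lines added outside the signed region are ignored.
verify_download() {
    tmp=$(mktemp) || return 2
    if ! signed_manifest "$1" > "$tmp"; then
        echo "signature on $1 did not verify" >&2
        rm -f "$tmp"
        return 2
    fi
    rc=0
    check_packages "$2" < "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run it as `verify_download MD5SUMS.asc ./RPMS`. Each package's own embedded signature can additionally be checked with `rpm --checksig`.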

Attachment: msg64392/pgp00000.pgp
Description: PGP signature
