Revision as of 18:49, 15 November 2008

YumMetalinks

Summary

Metalinks provide a way for yum to protect against (maliciously or accidentally) stale mirrors from being used by clients.

MirrorManager deployed for Fedora 10 has the ability to produce Metalinks. Yum in Fedora 10 has the ability to use Metalinks.

Owner

Name: Matt Domsch, James Antill

Current status

Targeted release: Fedora 11
Last updated: 2008-11-15
Percentage of completion: 85%

Sub-task	Percent Complete	Notes
MirrorManager produces metalinks	100
Yum groks metalinks	100
mirrors.fedoraproject.org serves https	100
yum uses https and validates https certificates	25	yum (urlgrabber) can use https, but does not yet validate https certs.

Detailed Description

Benefit to Fedora

Securely provide the mirrorlist, and only point users to known current and accurate mirrors. Protect against man-in-the-middle attacks while providing mirrorlists to clients. Protect against maliciously stale mirrors serving content with known security bugs which have already been fixed and releases updated, but the stale mirror chooses not to serve such.

Scope

Yum, MirrorManager, python-urlgrabber updates.

Test Plan

Enable metalinks in yum repo files. See MirrorManager. Will wish to do this in rawhide early in Fedora 11 process.

User Experience

Identical to today with yum repo files, but more secure.

Dependencies

python-urlgrabber to handle https cert validation from trusted certificate authorities.

Contingency Plan

Ship w/ https enabled, recognizing this deficiency. Or continue as F10 and earlier, not using metalinks.

Documentation

Release Notes

Comments and Discussion

@@ Line 45: / Line 45: @@
 == Test Plan ==
-Enable metalinks in yum repo files.  See [[:MirrorManager]].
+Enable metalinks in yum repo files.  See [[:MirrorManager]].  Will wish to do this in rawhide early in Fedora 11 process.
 == User Experience ==

Search

Features/YumMetalinks: Difference between revisions