[mirror-admin] Outdated mirrors?
Carlos Carvalho
carlos at fisica.ufpr.br
Wed Jul 16 15:53:06 EDT 2008
Matt Domsch (Matt_Domsch at dell.com) wrote on 16 July 2008 14:19:
>A config change on the Duke mirror left the account running the
>cronjobs unable to run cronjobs. This has now been fixed.
>
>Separately, the iBiblio mirror was also stale (since 9-July).

Just the two tier-0 ones. Oops...

This shows that mirror quality control is "not so tight", since it
doesn't happen even between masters and tier-0s... And it happened
right when mirror security makes the headlines. Real bad luck...

>This came up as part of a security discussion about mirrors in general
>recently. We're formulating a plan to handle this, which will involve
>several steps:
>
>* use https to get the mirrorlist from mirrors.fp.o.
>* make yum check https certs
>* change the mirrorlist format to include info about recent repomd.xml
>  files, including a hash and a timestamp. If a mirror does not have
>  a matching repomd.xml file, yum won't use it. Recent will likely be
>  7 days, but I'm open to options. This solves the staleness problem.
>* GPG-sign the repomd.xml file and check that in yum. This solves the
>  "is this a legit mirror" problem.

I think an important step is to control the official mirrors tightly.
That's the reason for their existence: they're more reliable than p2p.
Maybe there could be another tier-2 layer, and each master/tier[01]
controls the ones below that sync officially (i.e. with access control)
from them. I already do it for another mirror that syncs (another
distro) from us.

A push mechanism is also good at spotting problems such as this one.
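
The staleness check from the quoted plan (the mirrorlist carries a hash and timestamp for each recent repomd.xml, and a mirror without a matching file is skipped), sketched as an added example that is not part of the original thread and is not yum's code. The record layout, the SHA-256 digest, the function names and the example.org mirrors are assumptions; the records are assumed to come from a mirrorlist fetched over verified https.

```python
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86400
MAX_AGE = 7 * DAY  # the "recent" window proposed in the plan: 7 days


@dataclass(frozen=True)
class RepomdRecord:          # hypothetical mirrorlist entry
    sha256: str              # hex digest of a repomd.xml the master published
    timestamp: int           # Unix time the master published it


def mirror_is_usable(mirror_repomd, records, now):
    """True if the mirror's repomd.xml matches a master record inside the window."""
    if mirror_repomd is None:  # fetch failed, nothing to compare
        return False
    digest = hashlib.sha256(mirror_repomd).hexdigest()
    return any(
        0 <= now - r.timestamp <= MAX_AGE and hmac.compare_digest(digest, r.sha256)
        for r in records
    )


def select_mirrors(fetched, records, now):
    """Keep only mirror URLs whose fetched repomd.xml passes the check."""
    return [url for url, body in fetched.items() if mirror_is_usable(body, records, now)]


# Constructed sample data: three revisions published by the master.
NOW = 1_216_238_400  # constructed clock value
V1, V2, V3 = (b"<repomd><revision>%d</revision></repomd>" % n for n in (1, 2, 3))
RECORDS = [
    RepomdRecord(hashlib.sha256(V1).hexdigest(), NOW - 12 * DAY),  # outside window
    RepomdRecord(hashlib.sha256(V2).hexdigest(), NOW - 3 * DAY),
    RepomdRecord(hashlib.sha256(V3).hexdigest(), NOW - 1 * DAY),
]
FETCHED = {  # what each (constructed) mirror returned for repomd.xml
    "http://mirror-a.example.org/": V3,                        # current
    "http://mirror-b.example.org/": V2,                        # behind, still recent
    "http://mirror-c.example.org/": V1,                        # stale: 12 days old
    "http://mirror-d.example.org/": V3 + b"<!-- altered -->",  # matches no record
    "http://mirror-e.example.org/": None,                      # unreachable
}

if __name__ == "__main__":
    for url in select_mirrors(FETCHED, RECORDS, NOW):
        print("usable:", url)
```

The hash match only ties a mirror to a repomd.xml the master recently published; the GPG signature on repomd.xml is the separate step in the plan.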