[mirror-admin] Outdated mirrors?
Matt Domsch
Matt_Domsch at dell.com
Wed Jul 16 16:25:06 EDT 2008
On Wed, Jul 16, 2008 at 04:53:06PM -0300, Carlos Carvalho wrote:
> Matt Domsch (Matt_Domsch at dell.com) wrote on 16 July 2008 14:19:
> >A config change on the Duke mirror left the account running the
> >cronjobs unable to run cronjobs. This has now been fixed.
> >
> >Separately, the iBiblio mirror was also stale (since 9-July).
>
> Just the two tier-0 ones. Oops...
Indeed. Interestingly, of the ~150 public mirrors, ~110 were still
listed as being up-to-date, meaning they were syncing from
download*.f.r.c directly, and not using tiering. Which is disappointing.
> This shows that mirror quality control is "not so tight", since it
> doesn't happen even between masters and tier-0s... And it happened
> right when mirror security makes the headlines. Real bad luck...
>
> >This came up as part of a security discussion about mirrors in general
> >recently. We're formulating a plan to handle this, which will involve
> >several steps:
> >
> >* use https to get the mirrorlist from mirrors.fp.o.
> >* make yum check https certs
> >* change the mirrorlist format to include info about recent repomd.xml
> > files, including a hash and a timestamp. If a mirror does not have
> > a matching repomd.xml file, yum won't use it. Recent will likely be
> > 7 days, but I'm open to options. This solves the staleness problem.
> >* GPG-sign the repomd.xml file and check that in yum. This solves the
> > "is this a legit mirror" problem.
>
> I think an important step is to control the official mirrors tightly.
> That's the reason for their existence: they're more reliable than p2p.
> Maybe there could be another tier-2 layer, and each master/tier[01]
> controls the ones below that sync officially (ie. with access control)
> from them. I already do it for another mirror that syncs (another
> distro) from us.
>
> A push mechanism is also good at spotting problems such as this one.
I'm very open to push mirroring, and have looked into Debian's
packages which do this, a few months ago. I would welcome assistance,
it's not something I have time to figure out and implement widely
right now.
--
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
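To make the staleness part of the plan above concrete, here is an added example (not Fedora, yum or MirrorManager code) of the client-side check: the mirrorlist carries the hash and publication timestamp of each recently published repomd.xml, and a mirror is only used if the repomd.xml it serves hashes to one of the entries published within the last 7 days. The `#repomd sha256=... ts=...` line format, the helper names and the example mirror URLs are assumptions chosen for illustration; the fetched repomd.xml bodies are constructed inline so the example runs offline.

```python
"""Staleness check for a mirrorlist that carries recent repomd.xml hashes.

Added example, not the project's own code. The mirrorlist line format
(`#repomd sha256=<hex> ts=<epoch>`) and the helper names are assumptions;
the real format was still being designed when this thread was written.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

RECENT_WINDOW = 7 * 24 * 3600  # "recent will likely be 7 days"


@dataclass(frozen=True)
class RepomdRecord:
    sha256: str  # hex digest of a repomd.xml the master has published
    ts: int      # when the master published it (epoch seconds)


def parse_mirrorlist(text: str) -> Tuple[List[RepomdRecord], List[str]]:
    """Split the (assumed) mirrorlist format into repomd records and mirror URLs."""
    records, urls = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#repomd "):
            fields = dict(kv.split("=", 1) for kv in line[len("#repomd "):].split())
            records.append(RepomdRecord(fields["sha256"].lower(), int(fields["ts"])))
        elif not line.startswith("#"):
            urls.append(line)
    return records, urls


def usable_mirrors(mirrorlist: str, fetched: Dict[str, bytes], now: int) -> List[str]:
    """Return the mirrors whose repomd.xml matches a record published inside the window.

    `fetched` maps mirror URL -> bytes of that mirror's repomd.xml. A real client
    would fetch these over HTTP; here they are constructed input. A mirror is
    rejected if its repomd.xml hash is not in the list at all (content the master
    never published) or if the only matching record is older than the window
    (a mirror that stopped syncing, like the two tier-0s in this thread).
    """
    records, urls = parse_mirrorlist(mirrorlist)
    fresh = {r.sha256 for r in records if now - r.ts <= RECENT_WINDOW}
    ok = []
    for url in urls:
        body = fetched.get(url)
        if body is None:
            continue  # unreachable mirror: skip it rather than fail
        if hashlib.sha256(body).hexdigest() in fresh:
            ok.append(url)
    return ok


def _h(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


# Constructed sample: three repomd.xml versions published by the master.
NOW = 1_216_239_906  # roughly 2008-07-16, when this thread was written
REPOMD_CURRENT = b"<repomd><revision>1216200000</revision></repomd>"
REPOMD_LAST_WEEK = b"<repomd><revision>1215700000</revision></repomd>"
REPOMD_STALE = b"<repomd><revision>1213000000</revision></repomd>"  # ~5 weeks old

SAMPLE_MIRRORLIST = f"""\
#repomd sha256={_h(REPOMD_CURRENT)} ts={NOW - 40000}
#repomd sha256={_h(REPOMD_LAST_WEEK)} ts={NOW - 5 * 86400}
#repomd sha256={_h(REPOMD_STALE)} ts={NOW - 35 * 86400}
http://mirror-a.example/fedora/
http://mirror-b.example/fedora/
http://mirror-c.example/fedora/
http://mirror-d.example/fedora/
"""

# Constructed: what each (hypothetical) mirror currently serves as repomd.xml.
SAMPLE_FETCHED = {
    "http://mirror-a.example/fedora/": REPOMD_CURRENT,
    "http://mirror-b.example/fedora/": REPOMD_LAST_WEEK,
    "http://mirror-c.example/fedora/": REPOMD_STALE,               # stopped syncing
    "http://mirror-d.example/fedora/": b"<repomd>bogus</repomd>",  # never published by master
}

if __name__ == "__main__":
    for url in usable_mirrors(SAMPLE_MIRRORLIST, SAMPLE_FETCHED, NOW):
        print("usable:", url)
```

Note that the hash match only tells the client the mirror serves something the master actually published recently; it does not by itself prove the mirrorlist came from mirrors.fp.o, which is why the plan pairs it with https certificate checking for the mirrorlist and a GPG signature on repomd.xml itself.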