[mirror-admin] reducing "allowed stale" time from 7 days

Matt Domsch Matt_Domsch at dell.com
Sun Apr 12 20:03:28 EDT 2009


There has been some concern raised in the security community about
potentially malicious mirrors attempting to serve content to Fedora
users. [1] page 6 cff.

As of Fedora 11, yum will default to using the new metalink-based
mirrorlist file, which includes the timestamp and SHA{1,256,512} of
each repository's repomd.xml file.

MirrorManager adds an extension to the standard metalink format,
whereby it provides the timestamp and SHA* values for repositories
that have changed over the last few days, keeping (at the moment) the
last 7 days' worth of such.  Yum will honor mirrors which are up to 7
days "stale" then.

In an effort to reduce the possible window in which a maliciously
stale mirror could attack users: that window is currently the above 7
days.  I believe this provides more than sufficient time for every
mirror to have downloaded the new content.  I'd like to consider
reducing this window to, say, 1 or 2 days.

At the same time, the MM crawler was adapted last week to run more
frequently (every couple hours now), and to verify the mirror's
repomd.xml file.  If it doesn't match what is current, the mirror is
marked not up-to-date.  Now, a maliciously stale mirror could report
to the MM crawler the current repomd.xml, while serving a stale
repomd.xml to downstream clients.  The above 7-day (or reduced) window
limits how stale they can be.

So, the question for mirrors is - are you able to sync updates within
24-48 hours of their being published?

Thanks,
Matt



[1] http://www.usenix.org/publications/login/2009-02/openpdfs/samuel.pdf

-- 
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
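To make the staleness window concrete, here is an added example (not code from the post, yum or MirrorManager) of the client-side check the metalink enables: a mirror's repomd.xml is accepted only if its SHA digests match one of the records in the metalink, and only if that record is no older than the allowed window. The metalink document is constructed inline in a trimmed form of MirrorManager's layout (main record plus mm0:alternates, using the real metalinker and mm0 namespace URIs); the `max_stale` parameter is an assumption made so that the 7-day and 1- or 2-day windows can be compared directly, whereas MirrorManager actually enforces the window by which alternates it publishes.

```python
import hashlib
import xml.etree.ElementTree as ET

DAY = 24 * 3600

# Standard metalinker namespace plus the "mm0" extension namespace under which
# MirrorManager publishes timestamps and alternates. The sample metalink built
# below is constructed for this example, not a real Fedora metalink.
NS = {"ml": "http://www.metalinker.org/",
      "mm0": "http://fedorahosted.org/mirrormanager"}


def digests(data: bytes) -> dict:
    """SHA-1/256/512 hex digests of a repomd.xml body, as the metalink lists them."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("sha1", "sha256", "sha512")}


def build_metalink(snapshots) -> str:
    """Constructed metalink for repomd.xml with MirrorManager-style alternates.

    snapshots: list of (timestamp, repomd_bytes), newest first. The first entry
    becomes the main <file> record, the rest become <mm0:alternate> records.
    """
    def block(ts, data):
        hashes = "".join(f'<hash type="{a}">{h}</hash>'
                         for a, h in digests(data).items())
        return (f"<mm0:timestamp>{ts}</mm0:timestamp><size>{len(data)}</size>"
                f"<verification>{hashes}</verification>")
    head, *alts = snapshots
    alternates = "".join(f"<mm0:alternate>{block(ts, d)}</mm0:alternate>"
                         for ts, d in alts)
    return (f'<metalink version="3.0" xmlns="{NS["ml"]}" xmlns:mm0="{NS["mm0"]}">'
            f'<files><file name="repomd.xml">{block(*head)}'
            f"<mm0:alternates>{alternates}</mm0:alternates>"
            f"</file></files></metalink>")


def parse_metalink(text: str):
    """Return [(timestamp, {algo: hexdigest})] for the main record and each alternate."""
    def record(el):
        ts = int(el.find("mm0:timestamp", NS).text)
        hashes = {h.get("type"): h.text
                  for h in el.findall("ml:verification/ml:hash", NS)}
        return ts, hashes
    file_el = ET.fromstring(text).find("ml:files/ml:file", NS)
    alts = file_el.findall("mm0:alternates/mm0:alternate", NS)
    return [record(file_el)] + [record(a) for a in alts]


def verify_repomd(data: bytes, records, max_stale: int):
    """Decide whether a mirror's repomd.xml may be used.

    Accepts only a body whose digests match one of the metalink records, and
    only if that record is at most max_stale seconds older than the newest
    record (the assumed client-side window). Returns (accepted, reason).
    """
    newest = max(ts for ts, _ in records)
    actual = digests(data)
    for ts, hashes in records:
        if all(hashes.get(a) == d for a, d in actual.items()):
            age = newest - ts
            if age > max_stale:
                return False, f"listed but {age // DAY} days stale"
            return True, "matches a record within the allowed window"
    return False, "digests not listed in metalink (unknown or tampered repomd.xml)"


# Constructed sample: three published repomd.xml snapshots, newest first,
# plus a body that no metalink record vouches for.
NOW = 1239580800
SNAPSHOTS = [
    (NOW - 3600,    b"<repomd><revision>r103</revision></repomd>"),
    (NOW - 3 * DAY, b"<repomd><revision>r102</revision></repomd>"),
    (NOW - 6 * DAY, b"<repomd><revision>r101</revision></repomd>"),
]
UNLISTED = b"<repomd><revision>r103</revision><!-- altered --></repomd>"
RECORDS = parse_metalink(build_metalink(SNAPSHOTS))


def check_window(data: bytes, window_days: int) -> bool:
    """Would this repomd.xml be accepted under an N-day staleness window?"""
    return verify_repomd(data, RECORDS, window_days * DAY)[0]


if __name__ == "__main__":
    bodies = [("current", SNAPSHOTS[0][1]), ("3 days old", SNAPSHOTS[1][1]),
              ("6 days old", SNAPSHOTS[2][1]), ("unlisted", UNLISTED)]
    for label, body in bodies:
        for days in (7, 2, 1):
            print(f"{label:11s} window={days}d -> "
                  f"{verify_repomd(body, RECORDS, days * DAY)}")
```

Run as-is, the table it prints shows the trade-off in the post: with a 7-day window all three published snapshots are accepted, with a 2-day window only the current one is, and a body whose digests are absent from the metalink is refused regardless of the window. Note the check compares the record's age to the newest record rather than to the local clock, so a client with a wrong clock does not widen or narrow the window.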
