[mirror-admin] reducing "allowed stale" time from 7 days
J.H.
warthog9 at kernel.org
Sun Apr 12 20:38:37 EDT 2009
I would say this *shouldn't* be a problem, but if mirrors are going to
be syncing more often (just to make sure they are up to date) then I
would have to jump back on my soap box about making the rsync excludes
list more generic somehow and allow / force all mirrors to make use of
it for most of their syncs (I can still appreciate a full sync on
occasion, say once a week, just to make sure you didn't miss something).
That said I have seen, in particular, right around release time where
the sync rate can plummet from say 45 minutes or so (on the long side) to
who knows how long particularly if the master server gets bogged down
and rsyncs start getting dropped on the floor. Something to keep in
mind with respect to marking things stale. That said I think we are
still good with respect to something like 48hrs.
- John 'Warthog9' Hawley
Matt Domsch wrote:
> There has been some concern raised in the security community about
> potentially malicious mirrors attempting to serve content to Fedora
> users. [1] page 6 cff.
>
> As of Fedora 11, yum will default to using the new metalink-based
> mirrorlist file, which includes the timestamp and SHA{1,256,512} of
> each repository's repomd.xml file.
>
> MirrorManager adds an extension to the standard metalink format,
> whereby it provides the timestamp and SHA* values for repositories
> that have changed over the last few days, keeping (at the moment), the
> last 7 days worth of such. Yum will honor mirrors which are up to 7
> days "stale" then.
>
> In an effort to reduce the possible window in which a maliciously
> stale mirror could attack users. The window is currently the above 7
> days. I believe this provides more than sufficient time for every
> mirror to have downloaded the new content. I'd like to consider
> reducing this window to, say, 1 or 2 days.
>
> At the same time, the MM crawler was adapted last week to run more
> frequently (every couple hours now), and to verify the mirror's
> repomd.xml file. If it doesn't match what is current, the mirror is
> marked not up-to-date. Now, a maliciously stale mirror could report
> to the MM crawler the current repomd.xml, while serving a stale
> repomd.xml to downstream clients. The above 7-day (or reduced) window
> limits how stale they can be.
>
> So, the question for mirrors is - are you able to sync updates within
> 24-48 hours of their being published?
>
> Thanks,
> Matt
>
>
>
> [1] http://www.usenix.org/publications/login/2009-02/openpdfs/samuel.pdf
>
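The staleness window discussed in the quoted message, as an added example that is not part of the original thread and is not yum or MirrorManager code: it accepts a mirror's repomd.xml only if its SHA-256 is listed and the mirror has not been stale longer than the window. The data layout, the function names and the rule that staleness is counted from the moment a newer repomd.xml was published are assumptions of this example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_repomd(repomd: bytes, known, now, max_stale) -> str:
    """Classify a repomd.xml fetched from a mirror.

    known: list of (published_at, sha256_hex), standing in for the timestamp
    and hash entries the metalink carries (layout is an assumption).
    Returns "current", "stale-ok", "too-stale" or "unknown".
    """
    entries = sorted(known, key=lambda e: e[0])   # oldest first, newest last
    digest = sha256_hex(repomd)
    for i, (_published, expected) in enumerate(entries):
        if digest != expected:
            continue
        if i == len(entries) - 1:
            return "current"
        # Assumption: a mirror serving this file has been stale since the
        # next entry was published, not since this file itself was published.
        stale_for = now - entries[i + 1][0]
        return "stale-ok" if stale_for <= max_stale else "too-stale"
    # Hash not listed at all: modified content, or older than anything kept.
    return "unknown"

# Constructed sample data: three revisions of a repository's repomd.xml.
UTC = timezone.utc
OLD, MID, NEW = (b"<repomd>rev 1</repomd>", b"<repomd>rev 2</repomd>",
                 b"<repomd>rev 3</repomd>")
KNOWN = [
    (datetime(2009, 4, 6, 12, 0, tzinfo=UTC), sha256_hex(OLD)),
    (datetime(2009, 4, 9, 12, 0, tzinfo=UTC), sha256_hex(MID)),
    (datetime(2009, 4, 11, 12, 0, tzinfo=UTC), sha256_hex(NEW)),
]
NOW = datetime(2009, 4, 12, 12, 0, tzinfo=UTC)

def compare_windows():
    """Show how the 7-day and 2-day windows treat the same mirrors."""
    result = {}
    for days in (7, 2):
        window = timedelta(days=days)
        result[days] = {name: check_repomd(body, KNOWN, NOW, window)
                        for name, body in (("old", OLD), ("mid", MID), ("new", NEW))}
    return result

if __name__ == "__main__":
    for days, verdicts in compare_windows().items():
        print(f"{days}-day window: {verdicts}")
```

With the constructed data, the mirror still serving the oldest file has been stale for three days, so it passes a 7-day window and fails a 2-day one.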