Re: get the lead out of repos



David Bolt wrote:

On Tuesday 23 Mar 2010 08:38, while playing with a tin of spray paint,
Darklight painted this mural:

how well can you trust those mirrors

How well can you trust _any_ mirror? Kernel.org is listed as one of the
mirrors for openSUSE, and so Novell believes they are trustworthy.

Nothing to do with Novell, nor openSUSE. It is relatively easy to become an
openSUSE mirror, but the magic that provides trust is not in package
management alone. It is package management in combination with
http://download.opensuse.org, i.e. http://mirrorbrain.org/, that is serving
repository metadata from a single source and managing redirects.

As long as you don't use the script in the first post that will force the
package management software to pick repository meta information from a mirror,
but leave http://download.opensuse.org as the source of that information, you
can trust any mirror as much as you trust openSUSE, provided that you don't
ignore warnings about wrong checksums, signatures, etc.

As soon as you use a mirror as the source of repository meta information, you
had better use a trusted mirror.

A mirror operator has the power to replace meta information and install on your
computer anything, using the same package management that is trustworthy when
used in combination with http://download.opensuse.org .


[1] http://www.cs.arizona.edu/stork/packagemanagersecurity/
The claim that all are vulnerable is not really correct, which can be seen
in "Other Attacks":
http://www.cs.arizona.edu/stork/packagemanagersecurity/otherattacks.html

If you want to be safe, use YaST :)



--
Regards Rajko,
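Added example, not from this thread or from openSUSE's tooling: a Python sketch of the checksum half of the trust chain described above. The package list and its sha256 values come from the single trusted metadata source, while the package bytes come from whichever mirror the redirect picked, so a mirror that swaps a package is caught. The primary.xml, the package bytes and both mirrors are constructed here, and the signature check on repomd.xml against the distribution key is assumed to have already passed.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed package bytes standing in for a real RPM.
GOOD_RPM = b"constructed rpm payload: example-1.0-1"

# Constructed, trimmed primary.xml as served from the single trusted metadata
# source (download.opensuse.org); a real one is gzipped and far larger.
PRIMARY_XML = ("""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">%s</checksum>
    <location href="x86_64/example-1.0-1.x86_64.rpm"/>
  </package>
</metadata>""" % hashlib.sha256(GOOD_RPM).hexdigest()).encode()

# Two constructed mirrors keyed by href: one honest, one whose operator
# replaced the package. Because the checksum table still comes from the
# trusted source, the tampered mirror cannot publish a matching digest.
HONEST_MIRROR = {"x86_64/example-1.0-1.x86_64.rpm": GOOD_RPM}
TAMPERED_MIRROR = {"x86_64/example-1.0-1.x86_64.rpm": b"constructed payload: swapped"}


def expected_checksums(primary_xml: bytes) -> dict:
    """Map each package href to (algorithm, hex digest) from trusted metadata."""
    root = ET.fromstring(primary_xml)
    table = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        cs = pkg.find("c:checksum", NS)
        table[href] = (cs.get("type"), cs.text.strip().lower())
    return table


def fetch_verified(primary_xml: bytes, mirror: dict, href: str) -> Optional[bytes]:
    """Return the mirror's package bytes only if they match the checksum the
    trusted metadata source published for that href; otherwise None, which is
    the point where a package manager must refuse to install."""
    algo, want = expected_checksums(primary_xml)[href]
    data = mirror[href]
    got = hashlib.new(algo, data).hexdigest()
    return data if got == want else None
```

If the metadata itself were fetched from the mirror instead, the operator could publish a digest matching the swapped package, which is why the thread insists on keeping download.opensuse.org as the metadata source.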