Mailinglist Archive: zypp-devel (64 mails)
[zypp-devel] Re: fallback mirrors (was: [opensuse-factory] update-mirrors out of sync - please remove these hazardous sites from the list/redirectors)
- From: Peter Poeml <poeml@xxxxxxx>
- Date: Mon, 21 Jul 2008 22:16:37 +0200
- Message-id: <20080721201637.GS19669@xxxxxxx>
Hi Rajko,
I'm posting this followup to the zypp-devel list, since it better fits
there than on opensuse-factory.
On Fri, Jun 20, 2008 at 12:34:50PM +0200, Peter Poeml wrote:
A client that can use failover mirrors can have a list of mirrors already
included out of the box, so if the redirector is offline at the moment of
installation, that list can be used. It can be obsolete, but if the client has
the ability to switch to another mirror it will find a good one in the list.
Yes, that would be one way to deal with the "Internet gone fishing" or
"Redirector gone fishing" situation during installation.
Feel free to add it to the wiki page.
Thanks for adding this bit to the wiki page. [1]
I added the following note about security.
''Moreover, for security reasons it might be more reasonable to preconfigure
clients only with one or two "trusted" mirrors, and not with the full list. It
might be preferable to delay updates on the client until the origin server is
reachable again, rather than exposing the client to rogue mirrors.'' It is
noteworthy that the origin server (download.opensuse.org) does not redirect for
metadata and signatures to any mirror, so the clients always get those critical
files from the origin site. If clients are using mirrors directly, the tradeoff
is that they are less secure.
Peter
[1] http://en.opensuse.org/Libzypp/Failover
--
Contact: admin@xxxxxxxxxxxx (a.k.a. ftpadmin@xxxxxxxx)
#opensuse-mirrors on freenode.net
Info: http://en.opensuse.org/Mirror_Infrastructure
SUSE LINUX Products GmbH
Research & Development
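
Added example, not part of the original mail and not libzypp code: a sketch of mirror failover in which a payload from any mirror is accepted only if it matches a digest taken from metadata fetched from the origin, and the update is delayed when no mirror passes. The mirror host names, the package name, the in-memory "download" and the assumption that the origin metadata carries a SHA-256 per package are all constructed for illustration.

```python
import hashlib

# Constructed sample data: stand-ins for a package and a tampered copy.
GOOD = b"constructed-package-payload-1.0"
BAD = b"constructed-package-payload-1.0-tampered"

# Assumption: metadata fetched from the origin lists a SHA-256 per package.
ORIGIN_METADATA = {"example-1.0.rpm": hashlib.sha256(GOOD).hexdigest()}

# Constructed mirror list (hypothetical hosts): one offline, one serving
# altered content, one in sync.
MIRRORS = {
    "mirror-a.example": None,  # unreachable
    "mirror-b.example": {"example-1.0.rpm": BAD},
    "mirror-c.example": {"example-1.0.rpm": GOOD},
}

def fetch_from_mirror(host, name, mirrors):
    """Simulated download; raises the way a network client would."""
    content = mirrors.get(host)
    if content is None:
        raise ConnectionError(f"{host} unreachable")
    if name not in content:
        raise FileNotFoundError(f"{name} missing on {host}")
    return content[name]

def fetch_with_failover(name, mirror_order, metadata, mirrors=MIRRORS):
    """Try mirrors in order; accept only payloads matching origin metadata.

    Returns (host, payload, rejected), where rejected lists (host, reason).
    Raises LookupError if no mirror yields a verified payload, so the
    caller can delay the update instead of installing unverified data.
    """
    expected = metadata[name]
    rejected = []
    for host in mirror_order:
        try:
            payload = fetch_from_mirror(host, name, mirrors)
        except (ConnectionError, FileNotFoundError) as exc:
            rejected.append((host, str(exc)))
            continue
        if hashlib.sha256(payload).hexdigest() != expected:
            rejected.append((host, "digest mismatch"))
            continue
        return host, payload, rejected
    raise LookupError(f"no mirror served a verified {name}: {rejected}")
```

The check only protects the client while the digest itself comes from a trusted source; if the metadata were read from the same mirror as the package, a mismatch would never be detected.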