[security-announce] Package management security on SUSE Linux
Dear openSUSE and SUSE Linux Enterprise users,

Several news sites recently published articles citing a report about attacks on package managers [1]. Some unfortunately chose a wording that could be misunderstood as if a rogue mirror server could trick YaST into installing malicious software when applying regular (security) updates. This is not the case.

All official update repositories for SUSE Linux based products use cryptographically signed packages and metadata. YaST verifies the cryptographic signatures and rejects any file whose signature doesn't match. Therefore it's not possible for a rogue mirror to introduce malicious software.

Another problem outlined in the report was that mirror servers could intentionally serve an old version of the update repository. Clients using that mirror would therefore not get the latest security updates and potentially stay vulnerable to known and presumably already fixed problems. SUSE already addresses this issue too.

- Firstly, YaST will not automatically downgrade installed packages. Therefore an outdated repository cannot undo an already applied security fix.

- Secondly, starting with version 10.3 openSUSE uses a central download redirector that directly serves the metadata. Stale mirrors are therefore detected immediately. To avoid sending clients to mirrors that do not have certain files (yet), the download redirector also continuously monitors its mirrors. It only redirects to servers that are known to have the file in question. For SUSE Linux Enterprise products only servers owned by Novell are used via secure https connections.

cu
Ludwig

[1] http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-pa...

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
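The four client-side checks the announcement relies on (signature verification of the metadata, a checksum from that signed metadata for each downloaded package, rejection of a mirror whose metadata is older than the redirector's copy, and a refusal to downgrade) can be modelled in a few lines. The following is an added example, not SUSE's or YaST's code: the repository format is a constructed dict, the signature is an HMAC-SHA256 stand-in for the GPG signatures rpm/YaST actually verify, and the version ordering is a simplified dotted-number compare rather than rpm's real algorithm.

```python
import hashlib
import hmac
import json

# Stand-in for the repository signing key. Real SUSE repositories use GPG
# key pairs; HMAC-SHA256 is used here only so the example runs with the
# standard library alone. All package data below is constructed.
REPO_SIGNING_KEY = b"constructed-example-signing-key"


def sign_metadata(metadata, key=REPO_SIGNING_KEY):
    """Sign the canonical JSON form of the repository metadata."""
    payload = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_metadata(metadata, signature, key=REPO_SIGNING_KEY):
    """True only if the metadata was signed with the trusted key."""
    return hmac.compare_digest(sign_metadata(metadata, key), signature)


def is_stale(mirror_metadata, authoritative_metadata):
    """A mirror is stale when its revision lags the redirector's copy."""
    return mirror_metadata["revision"] < authoritative_metadata["revision"]


def version_key(version):
    """Simplified dotted-numeric ordering (rpm's rpmvercmp is richer)."""
    return tuple(int(part) for part in version.split("."))


def plan_updates(installed, metadata):
    """Packages to install: new or strictly newer only, never a downgrade."""
    plan = {}
    for name, entry in metadata["packages"].items():
        current = installed.get(name)
        if current is None or version_key(entry["version"]) > version_key(current):
            plan[name] = entry["version"]
    return plan


def verify_package(blob, metadata, name):
    """Check a download against the checksum carried in the signed metadata."""
    expected = metadata["packages"][name]["sha256"]
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected)


def update_from_mirror(installed, mirror_metadata, mirror_signature,
                       authoritative_metadata, downloads):
    """Client flow: verify signature, check freshness, plan upgrades, verify downloads.
    Returns {"accepted": bool, "reason": str, "plan": dict}."""
    if not verify_metadata(mirror_metadata, mirror_signature):
        return {"accepted": False, "reason": "metadata signature mismatch", "plan": {}}
    if is_stale(mirror_metadata, authoritative_metadata):
        return {"accepted": False, "reason": "mirror serves outdated metadata", "plan": {}}
    plan = plan_updates(installed, mirror_metadata)
    for name in plan:
        if not verify_package(downloads[name], mirror_metadata, name):
            return {"accepted": False, "reason": f"checksum mismatch for {name}", "plan": {}}
    return {"accepted": True, "reason": "ok", "plan": plan}


def build_metadata(revision, blobs, versions):
    """Constructed repository metadata: version plus sha256 per package."""
    return {"revision": revision,
            "packages": {n: {"version": versions[n],
                             "sha256": hashlib.sha256(blobs[n]).hexdigest()}
                         for n in blobs}}


def run_scenarios():
    """Exercise the cases the announcement describes, on constructed data."""
    blobs = {"openssl": b"constructed openssl payload", "bash": b"constructed bash payload"}
    current = build_metadata(42, blobs, {"openssl": "0.9.8", "bash": "3.2"})
    current_sig = sign_metadata(current)
    installed = {"openssl": "0.9.7", "bash": "3.2"}
    results = {}

    # 1. Honest, up-to-date mirror: only the newer openssl gets installed.
    results["honest"] = update_from_mirror(installed, current, current_sig, current, blobs)

    # 2. Mirror alters the metadata but cannot produce a valid signature for it.
    evil_blobs = dict(blobs, openssl=b"constructed tampered payload")
    tampered = build_metadata(42, evil_blobs, {"openssl": "0.9.8", "bash": "3.2"})
    results["tampered_metadata"] = update_from_mirror(installed, tampered, current_sig, current, evil_blobs)

    # 3. Mirror keeps the genuine signed metadata but serves a different package file.
    results["swapped_package"] = update_from_mirror(installed, current, current_sig, current, evil_blobs)

    # 4. Mirror replays an older, validly signed repository snapshot.
    old = build_metadata(41, blobs, {"openssl": "0.9.7", "bash": "3.2"})
    results["stale"] = update_from_mirror(installed, old, sign_metadata(old), current, blobs)

    # 5. Accepted metadata that lists an older version never causes a downgrade.
    newer_installed = {"openssl": "0.9.9", "bash": "3.2"}
    results["downgrade"] = update_from_mirror(newer_installed, current, current_sig, current, blobs)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:17s} accepted={outcome['accepted']} reason={outcome['reason']} plan={outcome['plan']}")
```

The stale-mirror check only works because the client obtains the authoritative metadata from somewhere the mirror does not control, which is exactly the role the central download redirector plays in the announcement; without that second source a validly signed but old snapshot is indistinguishable from a current one.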