On 2017-02-15 at 14:56 +0100, Roger Oberholtzer wrote:
> On Wed, Feb 15, 2017 at 2:30 PM, Carlos E. R. <> wrote:
>> The thing is, it is not zypper which decides the mirror to use, but the mirrorbrain at the download server.
>> Your people would have to decide to clear not a server outside, but one inside. The one that creates an internal mirror. Install an antivirus in that machine, and do the scanning in there. Suspect files are notified, and you clear them manually after confirmation. While the mirror sync job is working, the server does not serve the LAN.
>
> I have had a machine in the DMZ. It provided a few services. This is a tricky machine in that the IT guys have an external company that tries to exploit things that are exposed. They are ruthless. I have been trying to minimize the things this machine does to the bare minimum so that there is less for them to complain about. I don't really want to have it become a mirror.
I was not thinking of a mirror in the DMZ. Just one designed together with the IT guys. If they insist, it can be a Windows Server machine... Just one machine that is allowed to download files without prior virus scanning, but scanning later and using quarantine, not delete. And scanning specifically for Linux viruses. Hopefully running in Linux. When that machine starts syncing, it has to disable the HTTP server till the virus scan is run. Notice that this is safer, from a paranoid point of view, than whitelisting a URL...
> I had guessed that the mirror redirection was done as you described. Too bad the mirror is not opaque and that the local system still just sees download.opensuse.org.
That's intentional: otherwise it is impossible to find which mirror is misbehaving. Your easier bet is to not use the download at opensuse server, but some of the mirrors directly. A number of them if needed.

--
Cheers
Carlos E. R.
(from 42.2 x86_64 "Malachite" (Minas Tirith))
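
The sync-then-scan gate described in this message, sketched as an added shell example (not part of the original post and not something the poster ran). It assumes rsync for the sync, ClamAV's `clamscan` as the scanner and a systemd `apache2` unit; the paths and the upstream URL are placeholders.

```shell
#!/bin/sh
# Added example: refresh an internal mirror behind a scan gate.
# Assumed values (not from the thread): paths, placeholder upstream URL,
# rsync as the sync tool, ClamAV as the scanner, apache2 as the HTTP unit.
MIRROR_DIR="${MIRROR_DIR:-/srv/mirror/opensuse}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/srv/quarantine}"
UPSTREAM="${UPSTREAM:-rsync://mirror.example.org/opensuse/}"   # placeholder
HTTP_UNIT="${HTTP_UNIT:-apache2}"

# Return codes: 0 clean and serving, 1 suspects quarantined and serving,
# 2 a step failed and the HTTP server was not restarted (fail closed).
mirror_refresh() {
    # Stop serving the LAN before any unscanned file lands in the tree.
    systemctl stop "$HTTP_UNIT" || return 2

    # Fetch without prior scanning; nothing is reachable by clients yet.
    if ! rsync -a --delete "$UPSTREAM" "$MIRROR_DIR/"; then
        echo "sync failed; $HTTP_UNIT stays stopped" >&2
        return 2
    fi

    # clamscan exits 0 = clean, 1 = infected files found, 2 = error.
    # --move quarantines hits instead of deleting them.
    scan_rc=0
    clamscan -r --infected --no-summary \
        --move="$QUARANTINE_DIR" "$MIRROR_DIR" || scan_rc=$?

    if [ "$scan_rc" -ge 2 ]; then
        echo "scan error ($scan_rc); $HTTP_UNIT stays stopped" >&2
        return 2
    fi
    if [ "$scan_rc" -eq 1 ]; then
        echo "suspect files moved to $QUARANTINE_DIR; review manually" >&2
    fi

    # Scan completed and hits are out of the served tree: serve again.
    systemctl start "$HTTP_UNIT" || return 2
    return "$scan_rc"
}

# Run only when asked, e.g. from cron: mirror-refresh.sh run
if [ "${1:-}" = "run" ]; then
    mirror_refresh
    exit $?
fi
```

Resuming service after a quarantine hit is a choice made for this sketch; a stricter site would keep the unit stopped until the suspect files have been reviewed.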