[Yum] centralized metadata for security

Muayyad AlSadi alsadi at gmail.com
Fri Nov 7 23:34:50 UTC 2008


> but repomd.xml isn't at issue, actually. The metadata you're concerned
> with is impacted by --unique-md-filenames.

sure, and that --unique-md-filenames is very smart

but what if the mirror gave me a CGI-generated repomd.xml having the
same timestamp as the request? Then yum will ignore the real
repomd.xml and will assume that any mirror having the real sums is
the corrupted one

> I believe the metalinks one will be available and fedora SHOULD be gpg
> signing repomd.xml files in F10 though I'm not positive what the status is
> on that.

looking forward to it,
because while using yumdownloader to compose my own media
it gave me some rpms with corrupted sums (I noticed that when I ran
repomanage -o .)
I did not report it because I could not reproduce it, since each time
I got different mirrors

but this could be related
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=470380
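The mirror-selection problem described in the message above, as an added example that is not part of this thread or of yum's own code. It assumes the createrepo layout of repomd.xml (checksum-prefixed metadata filenames, as --unique-md-filenames produces) and uses an HMAC tag as a stand-in for a detached GPG signature on repomd.xml, since real signature verification needs gpg; the mirror responses, metadata contents and key are constructed for the example. It contrasts a "newest repomd.xml wins" rule, which a mirror generating repomd.xml on the fly always wins, with accepting only a repomd.xml whose signature verifies and whose listed checksums match the files actually served.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed sample: the real primary metadata the repository publishes.
PRIMARY_XML = b"<metadata packages='1'><package>example-1.0-1.noarch</package></metadata>"
PRIMARY_SUM = hashlib.sha256(PRIMARY_XML).hexdigest()

# Stand-in for the repository's GPG signing key (assumption: real yum would
# check a detached repomd.xml.asc; an HMAC tag plays that role here so the
# example runs with the standard library only).
REPO_KEY = b"constructed-repo-signing-key"


def make_repomd(timestamp, primary_sum):
    """Build a minimal repomd.xml in the createrepo layout, with the
    checksum-prefixed filename that --unique-md-filenames produces."""
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>{timestamp}</revision>
  <data type="primary">
    <checksum type="sha256">{primary_sum}</checksum>
    <location href="repodata/{primary_sum}-primary.xml"/>
    <timestamp>{timestamp}</timestamp>
  </data>
</repomd>
"""
    return xml.encode()


def sign(data):
    """Stand-in for the detached repomd.xml signature."""
    return hmac.new(REPO_KEY, data, hashlib.sha256).hexdigest()


def parse_repomd(data):
    """Return {type: (checksum, href, timestamp)} for every <data> entry."""
    root = ET.fromstring(data)
    entries = {}
    for d in root.findall("r:data", NS):
        entries[d.get("type")] = (
            d.find("r:checksum", NS).text,
            d.find("r:location", NS).get("href"),
            int(d.find("r:timestamp", NS).text),
        )
    return entries


def choose_by_timestamp(mirrors):
    """Trust rule the thread worries about: the newest repomd.xml wins, so a
    mirror that generates one stamped 'now' is always preferred."""
    return max(mirrors, key=lambda m: max(
        e[2] for e in parse_repomd(m["repomd"]).values()))


def choose_verified(mirrors):
    """Safer rule: accept only a repomd.xml whose signature verifies, then
    check every listed metadata file against the checksum it carries.
    Returns the first mirror that passes both checks, else None."""
    for m in mirrors:
        if not hmac.compare_digest(sign(m["repomd"]), m["sig"]):
            continue  # forged, stale-key or missing signature
        entries = parse_repomd(m["repomd"])
        if all(hashlib.sha256(m["files"].get(href, b"")).hexdigest() == csum
               for csum, href, _ in entries.values()):
            return m
    return None


# Constructed mirror responses.
HONEST_REPOMD = make_repomd(1226000000, PRIMARY_SUM)
HONEST_MIRROR = {"name": "honest", "repomd": HONEST_REPOMD, "sig": sign(HONEST_REPOMD),
                 "files": {f"repodata/{PRIMARY_SUM}-primary.xml": PRIMARY_XML}}

# Attacker mirror: tampered primary.xml plus a freshly generated repomd.xml
# with a later timestamp; it cannot sign because it lacks the repo key.
EVIL_PRIMARY = b"<metadata packages='1'><package>example-1.0-1.noarch.trojan</package></metadata>"
EVIL_SUM = hashlib.sha256(EVIL_PRIMARY).hexdigest()
EVIL_REPOMD = make_repomd(1226100000, EVIL_SUM)
EVIL_MIRROR = {"name": "evil", "repomd": EVIL_REPOMD, "sig": "0" * 64,
               "files": {f"repodata/{EVIL_SUM}-primary.xml": EVIL_PRIMARY}}

# Mirror that copied the signed repomd.xml but serves a truncated primary.xml
# (the "corrupted sums" case): the signature passes, the checksum check fails.
CORRUPT_MIRROR = {"name": "corrupt", "repomd": HONEST_REPOMD, "sig": sign(HONEST_REPOMD),
                  "files": {f"repodata/{PRIMARY_SUM}-primary.xml": PRIMARY_XML[:-10]}}

MIRRORS = [HONEST_MIRROR, EVIL_MIRROR, CORRUPT_MIRROR]

if __name__ == "__main__":
    print("timestamp rule picks:", choose_by_timestamp(MIRRORS)["name"])
    print("verified rule picks: ", choose_verified(MIRRORS)["name"])
```

With the timestamp rule the attacker's mirror is chosen and the honest ones look "out of date"; with the verified rule the signature check rejects the generated repomd.xml and the checksum check rejects the mirror with corrupted metadata, so only the honest mirror is used. The same two checks are what a signed repomd.xml gives yum: the signature binds the checksums, and the checksums bind the files, independent of any timestamp a mirror chooses to report.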

