(slashdot)Package Managers As Achilles Heel
Mikkel L. Ellertson
mikkel at infinity-ltd.com
Sun Aug 17 15:19:00 UTC 2008
Marcelo M. Garcia wrote:
> Hi.
>
> I'm assuming that something similar to this might happened:
> Package Managers As Achilles Heel
> http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss
>
> It would help a lot if someone of the infrastructure team explains what
> is going on. What raised their suspicious? What we, as users, should do?
>
> Regards
>
> Marcelo
>
Two things bother me about this. First of all, most users are not
using the same mirror all the time, so there would only be a brief
window that the system would be vulnerable. The second thing is that
yum is not going to install an older package, and the package
version is not dependent on the file name. It is part of the
information in the RPM. So they could delay the installation of an
update on some systems. By default, yum picks a mirror at random
from the mirror list to help spread the load on the mirrors.
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20080817/820bac26/attachment-0001.sig>
More information about the fedora-list
mailing list