But if mirrors are randomized and yum won't downgrade?
Posted Apr 9, 2009 3:29 UTC (Thu) by JoeBuck
Parent article: Attacks on package managers
With Fedora, yum selects a mirror at random, and if I understand correctly, yum won't do a downgrade by default. So it would seem that taking over one mirror would not be enough: you might be able to get a system that didn't have a vulnerable package at all to install it, but how would you turn it on (if it's a service)? If the attacker is limited to shipping signed packages, the opportunities seem limited given that yum won't downgrade and the user will occasionally hit other mirrors, which would upgrade past the insecure package.
On the other hand, using the yum-fastestmirror plugin would make you vulnerable to the security of your fastest (usually your nearest) mirror.
I suppose the paranoid could write a yum plugin that checks at least three mirrors looking for newest versions of a package.
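A sketch of the "check at least three mirrors" idea from the comment above, added here as an example; it is not code from the comment, from yum, or from any yum plugin. It assumes that each mirror's repodata/repomd.xml has already been fetched, compares the repository revision across a quorum of mirrors, and then compares the (epoch, version, release) each mirror advertises for every package, flagging any mirror that lags the newest copy seen. The mirror names, repomd.xml documents and package versions are constructed sample input, and the version comparison is a simplified rpmvercmp that ignores rpm's tilde and caret rules.

```python
"""Paranoid mirror check: compare repomd.xml and package versions across mirrors.

Added example, not yum or yum-plugin code.  Mirror names, repomd.xml documents
and package versions below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from functools import cmp_to_key

# Namespace used by real repomd.xml files.
REPOMD_NS = "{http://linux.duke.edu/metadata/repo}"


def make_repomd(revision, primary_ts):
    """Build a minimal repomd.xml document (constructed sample input)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        f'  <revision>{revision}</revision>\n'
        '  <data type="primary">\n'
        f'    <timestamp>{primary_ts}</timestamp>\n'
        '  </data>\n'
        '</repomd>\n'
    )


# Hypothetical mirrors; mirror-c serves a frozen, older copy of the repository.
REPOMDS = {
    "mirror-a.example.org": make_repomd(1239278400, 1239278400),
    "mirror-b.example.org": make_repomd(1239278400, 1239278400),
    "mirror-c.example.org": make_repomd(1238673600, 1238673600),
}

# Package name -> (epoch, version, release) as each mirror advertises it (constructed).
PACKAGES = {
    "mirror-a.example.org": {"bind": (32, "9.5.1", "3.P1.fc10"), "openssh": (0, "5.1p1", "6.fc10")},
    "mirror-b.example.org": {"bind": (32, "9.5.1", "3.P1.fc10"), "openssh": (0, "5.1p1", "6.fc10")},
    "mirror-c.example.org": {"bind": (32, "9.5.1", "1.fc10"), "openssh": (0, "5.1p1", "6.fc10")},
}


def parse_repomd(xml_text):
    """Return the repository revision and the primary metadata timestamp."""
    root = ET.fromstring(xml_text)
    revision = int(root.find(REPOMD_NS + "revision").text)
    ts = root.find(f"{REPOMD_NS}data[@type='primary']/{REPOMD_NS}timestamp")
    return {"revision": revision, "primary_timestamp": int(ts.text)}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric and alphabetic segments, compare
    numeric segments as integers, alphabetic ones lexically; numeric beats alpha.
    Returns -1, 0 or 1.  Tilde/caret handling of real rpm is omitted."""
    if a == b:
        return 0
    seg = re.compile(r"(\d+|[a-zA-Z]+)")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    (ea, va, ra), (eb, vb, rb) = a, b
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def fmt_evr(evr):
    return f"{evr[0]}:{evr[1]}-{evr[2]}"


def find_stale_mirrors(repomds, packages, min_mirrors=3):
    """Flag mirrors whose repomd revision or package versions lag the newest seen
    across the quorum.  Returns a list of (mirror, reason) tuples."""
    if len(repomds) < min_mirrors:
        raise ValueError(f"need at least {min_mirrors} mirrors to compare")
    findings = []
    meta = {m: parse_repomd(x) for m, x in repomds.items()}
    newest_rev = max(v["revision"] for v in meta.values())
    for m, v in sorted(meta.items()):
        if v["revision"] < newest_rev:
            findings.append((m, f"repomd revision {v['revision']} lags newest {newest_rev}"))
    names = sorted(set().union(*(set(p) for p in packages.values())))
    for name in names:
        seen = [p[name] for p in packages.values() if name in p]
        newest = max(seen, key=cmp_to_key(evr_cmp))
        for m, p in sorted(packages.items()):
            if name not in p:
                findings.append((m, f"{name} not offered at all"))
            elif evr_cmp(p[name], newest) < 0:
                findings.append((m, f"{name} {fmt_evr(p[name])} older than {fmt_evr(newest)}"))
    return findings


if __name__ == "__main__":
    for mirror, reason in find_stale_mirrors(REPOMDS, PACKAGES):
        print(f"{mirror}: {reason}")
```

In a real plugin the repomd.xml documents would come from each mirror's repodata directory over the network; the revision comparison alone already exposes a mirror that has been frozen at an old snapshot, and the per-package pass catches a mirror that keeps current metadata but quietly offers an older build of one package.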