
Uiterwijk: Fedora package delivery security

[Security] Posted Feb 23, 2018 22:05 UTC (Fri) by jake

On his blog, Patrick Uiterwijk writes about Fedora packaging and how the distribution works to ensure its users get valid updates. Packages are signed but repository metadata is not (yet); other mechanisms are in place to keep users from getting outdated updates (or from missing important security updates). "However, when a significant security issue is announced and we have repositories that include fixes for this issue, we have an 'Emergency' button. When we press that button, we tell our servers to immediately regard every older repomd.xml checksum as outdated. This means that when we press this button, every mirror that does not have the very latest repository data will be regarded as outdated, so that our users get the security patches as soon as possible. This does mean that for a period of time only the master mirrors are trusted until other mirrors sync their data, but we prefer this solution over delaying getting important fixes out to our users and making them vulnerable to attackers in the meantime."
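A simplified model of the mechanism in the quote, added here as an illustration and not taken from Fedora's infrastructure code: the server keeps a short list of acceptable repomd.xml checksums, and the "Emergency" button trims that list to the newest one. The class and method names, the three-checksum grace window, and the sample metadata are assumptions.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MirrorDirectory:
    """Toy server-side view of which repomd.xml checksums count as current."""

    def __init__(self, grace: int = 3):
        self.grace = grace    # assumed: number of recent checksums still accepted
        self.accepted = []    # accepted repomd.xml checksums, newest last
        self.mirrors = {}     # mirror name -> repomd.xml bytes it currently serves

    def publish(self, repomd: bytes) -> None:
        """Master gets new metadata; older checksums stay valid within the window."""
        self.accepted = (self.accepted + [sha256_hex(repomd)])[-self.grace:]
        self.mirrors["master"] = repomd

    def sync(self, mirror: str) -> None:
        """A mirror copies whatever the master currently serves."""
        self.mirrors[mirror] = self.mirrors["master"]

    def emergency(self) -> None:
        """The 'Emergency' button: every older checksum is outdated immediately."""
        self.accepted = self.accepted[-1:]

    def usable_mirrors(self) -> list:
        """Mirrors whose repomd.xml hashes to a currently accepted checksum."""
        ok = set(self.accepted)
        return sorted(m for m, data in self.mirrors.items() if sha256_hex(data) in ok)


def demo():
    d = MirrorDirectory()
    d.publish(b"<repomd revision='1'/>")   # constructed sample metadata
    d.sync("mirror-a")
    d.sync("mirror-b")
    d.publish(b"<repomd revision='2'/>")   # security fix lands on the master
    before = d.usable_mirrors()            # stale mirrors still inside the window
    d.emergency()
    pressed = d.usable_mirrors()           # only the master carries the fix
    d.sync("mirror-a")
    return before, pressed, d.usable_mirrors()


if __name__ == "__main__":
    print(demo())
```

The middle result shows the trade-off the quote describes: until mirrors sync, all client load falls on the master.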

Copyright © 2018, Eklektix, Inc.