Features/YumMetalinks

= YumMetalinks =

Summary
Metalinks provide a way for yum to protect against (maliciously or accidentally) stale mirrors from being used by clients.

MirrorManager deployed for Fedora 10 has the ability to produce Metalinks. Yum in Fedora 10 has the ability to use Metalinks.

Owner

 * Name: Matt Domsch, James Antill

Current status

 * Targeted release: Fedora 11
 * Last updated: 2008-11-15
 * Percentage of completion: 85%

Benefit to Fedora
Securely provide the mirrorlist, and only point users to known current and accurate mirrors. Protect against man-in-the-middle attacks while providing mirrorlists to clients. Protect against maliciously stale mirrors serving content with known security bugs which have already been fixed and releases updated, but the stale mirror chooses not to serve such.

Scope
Yum, MirrorManager, python-urlgrabber updates.

Test Plan
Enable metalinks in yum repo files. See MirrorManager. Will wish to do this in rawhide early in Fedora 11 process for fedora-release, however any Fedora user can do this on Fedora 9 or Fedora 10 now (as it's forwards and backwards compatible).

In your /etc/yum.repos.d/fedora*.repo files, comment out the mirrorlist lines:

mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch

and add a similar metalink line, replacing mirrorlist with metalink and http with https:

metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch

User Experience
Should be identical to today with mirrorlist configuration, but more secure.

However the "mirrorlist" you get from metalink is now tied directly to the repo. metadata, so if your mirror doesn't sync often enough (within 1 week, by default) ... or MirrorManager doesn't update the metalink data before a mirror gets it's data. Then the repo. can become unusable (as the data is considered not valid).

Also this is very likely to be the first time that most people have used yum/yumex/PK/etc. with anything on HTTPS.

Dependencies
python-urlgrabber to handle https cert validation from trusted certificate authorities.

Contingency Plan
Ship w/ https enabled, recognizing this deficiency.

Ship w/ plain http based metalink.

Worst case remove the metalink configuration and thus. continue as F10 and earlier, not using metalinks.