Issue #3411
closed
Document Implications that Pulp2 does not support metalink for rpm syncing
Description
Pulp2 does not support metalink which means that it is vulnerable to a malicious mirror replay attack whereby old packages are delivered even though there are newer packages available in the mirror network.
The recommended fix is to:
1. Clearly state that pulp_rpm does not support metalink.
2. Add a warning that states the part about that talks about a malicious mirror replay attack and links to https://patrick.uiterwijk.org/blog/2018/2/23/fedora-package-delivery-security for more details.
I am reporting on behalf of a user who reported this to me privately.
Updated by bmbouter about 6 years ago
- Tags Easy Fix added
+1 to adding this to the sprint. It's an easyfix for the docs change.
Updated by dalley about 6 years ago
- Sprint/Milestone set to 56
- Triaged changed from No to Yes
Updated by bmbouter about 6 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Added by bmbouter about 6 years ago
Updated by bmbouter about 6 years ago
- Status changed from ASSIGNED to POST
Updated by bmbouter about 6 years ago
- Status changed from POST to MODIFIED
Applied in changeset ef87f564c48ca7bcf18e7510373a3b528775f016.
Added by bmbouter about 6 years ago
Revision 8bffe902 | View on GitHub
Adds metalink clarification
https://pulp.plan.io/issues/3411 closes #3411
(cherry picked from commit ef87f564c48ca7bcf18e7510373a3b528775f016)
Added by bmbouter about 6 years ago
Revision 725b0a53 | View on GitHub
Metalink clarification
https://pulp.plan.io/issues/3411 re #3411
(cherry picked from commit a91f71df89a83aa4b80334b27b1410e59dc1b97f)
Updated by bmbouter about 6 years ago
Applied in changeset 8bffe90200d9df881600c0e1dd001ef0f30effd2.
Updated by bmbouter about 6 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
.
Adds metalink clarification
https://pulp.plan.io/issues/3411 closes #3411