Issue #3411

closed

Document Implications that Pulp2 does not support metalink for rpm syncing

Added by bmbouter about 6 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.15.3
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Documentation, Easy Fix, Pulp 2
Sprint: Sprint 33
Quarter:

Description

Pulp2 does not support metalink, which means that it is vulnerable to a malicious mirror replay attack whereby old packages are delivered even though there are newer packages available in the mirror network.

The recommended fix is to:
1. Clearly state that pulp_rpm does not support metalink.
2. Add a warning that describes the malicious mirror replay attack and links to https://patrick.uiterwijk.org/blog/2018/2/23/fedora-package-delivery-security for more details.

I am reporting on behalf of a user who reported this to me privately.

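As an added illustration of the check the issue says Pulp2 lacks (this is example code written for this page, not Pulp's or pulp_rpm's code and not taken from the linked blog post): the mirror manager publishes, in a metalink fetched from it directly, the hash of the current repomd.xml, and a client refuses any mirror whose repomd.xml does not match that hash, so a mirror that keeps serving an older snapshot is rejected instead of silently accepted. The namespaces follow the Metalink 3.0 and repomd formats, but the metalink is simplified (sha256 only), the repomd.xml contents, revisions and mirror URL are constructed, and all function names are my own.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

ML_NS = "http://www.metalinker.org/"
REPO_NS = "http://linux.duke.edu/metadata/repo"


def make_repomd(revision: int, primary_sha256: str) -> bytes:
    """Build a minimal, constructed repomd.xml (not real repository metadata)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<repomd xmlns="{REPO_NS}">\n'
        f'  <revision>{revision}</revision>\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{primary_sha256}</checksum>\n'
        '    <location href="repodata/primary.xml.gz"/>\n'
        '  </data>\n'
        '</repomd>\n'
    ).encode()


# Constructed sample data (assumption): the repository was regenerated once,
# so the authoritative metadata is revision 1519400000; 1519300000 is the
# stale snapshot a malicious or lagging mirror could keep serving.
STALE_REPOMD = make_repomd(1519300000, "a" * 64)
CURRENT_REPOMD = make_repomd(1519400000, "b" * 64)


def build_metalink(repomd: bytes, mirror_urls: list[str]) -> bytes:
    """Mirror-manager side: publish the hash of the current repomd.xml.

    Simplified Metalink 3.0 document carrying only the sha256 hash and the
    mirror list; a real one also carries size, other hashes and timestamps.
    """
    digest = hashlib.sha256(repomd).hexdigest()
    urls = "\n".join(
        f'        <url protocol="https" type="https">{u}</url>' for u in mirror_urls
    )
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<metalink version="3.0" xmlns="{ML_NS}" type="dynamic">\n'
        '  <files>\n'
        '    <file name="repomd.xml">\n'
        '      <verification>\n'
        f'        <hash type="sha256">{digest}</hash>\n'
        '      </verification>\n'
        '      <resources>\n'
        f'{urls}\n'
        '      </resources>\n'
        '    </file>\n'
        '  </files>\n'
        '</metalink>\n'
    ).encode()


# Hypothetical mirror URL; the metalink names the hash of CURRENT_REPOMD.
METALINK = build_metalink(
    CURRENT_REPOMD, ["https://mirror.example.test/repo/repodata/repomd.xml"]
)


def expected_repomd_sha256(metalink: bytes) -> str:
    """Client side: extract the sha256 the metalink asserts for repomd.xml."""
    ns = {"ml": ML_NS}
    root = ET.fromstring(metalink)
    for f in root.findall("ml:files/ml:file", ns):
        if f.get("name") != "repomd.xml":
            continue
        for h in f.findall("ml:verification/ml:hash", ns):
            if h.get("type") == "sha256" and h.text:
                return h.text.strip()
    raise ValueError("metalink carries no sha256 for repomd.xml")


def repomd_revision(repomd: bytes) -> str:
    """Return the <revision> of a repomd.xml document ('' if absent)."""
    root = ET.fromstring(repomd)
    rev = root.find(f"{{{REPO_NS}}}revision")
    return rev.text.strip() if rev is not None and rev.text else ""


def verify_mirror_repomd(metalink: bytes, mirror_repomd: bytes) -> bool:
    """True only if the repomd.xml a mirror served matches the metalink hash."""
    expected = expected_repomd_sha256(metalink)
    actual = hashlib.sha256(mirror_repomd).hexdigest()
    return hmac.compare_digest(actual, expected)


def sync_without_metalink(mirror_repomd: bytes) -> str:
    """What a metalink-unaware sync does: trust whatever the mirror returned."""
    return repomd_revision(mirror_repomd)


def sync_with_metalink(metalink: bytes, mirror_repomd: bytes) -> str:
    """Reject the mirror if its repomd.xml is not the one the metalink names."""
    if not verify_mirror_repomd(metalink, mirror_repomd):
        raise RuntimeError(
            f"mirror served repomd.xml revision {repomd_revision(mirror_repomd)} "
            "whose hash does not match the metalink; try another mirror"
        )
    return repomd_revision(mirror_repomd)


if __name__ == "__main__":
    # Replayed stale metadata is accepted without metalink...
    print("no metalink  :", sync_without_metalink(STALE_REPOMD))
    # ...and rejected with it.
    try:
        sync_with_metalink(METALINK, STALE_REPOMD)
    except RuntimeError as e:
        print("with metalink:", e)
    print("with metalink:", sync_with_metalink(METALINK, CURRENT_REPOMD))
```

The check is only as strong as the channel the metalink arrives over: it has to be fetched from the authoritative mirror manager (over HTTPS), since a mirror that can hand the client both an old repomd.xml and the matching old metalink defeats the comparison. It also only tells the client that the mirror is stale; picking another mirror from the metalink's resource list is what turns the detection into a working sync.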