On Wed, Dec 07, 2005 at 01:18:32AM -0600, William A. Rowe, Jr. wrote:
> Do mirrors even validate any server signature for rsync? If not this
> argument is blowing smoke. For that matter, we could even endorse the
> use of ssl privately to our mirrors on the backend, with server cert
> validation to avoid exactly what you describe above, as well as any
> number of man in the middle attacks. In fact, it seems this would be
> much more robust than today's rsync, in terms of security.

Yep, if we could do the pull over https, that would solve this.

> >I generally discourage ftp mirrors. But yes, they would continue to
> >need to do rsync.
>
> Why? I'm not certain, but expect there are ways to play with wget to
> fetch only new/changed files. If not, perhaps it's time to teach wget
> some new tricks :)

If you dropped rsync, we'd lose most of the mirrors. They absolutely
won't be interested in that kind of poking.

--
Colm MacCárthaigh                        Public Key: [EMAIL PROTECTED]