Paul Dwerryhouse wrote:
On Mon, Sep 12, 2005 at 10:00:46AM +1000, O Plameras wrote:
This is not my idea. This is the whole concept of TRUST in Mirroring
System. If mirrors changes files and/or keys who do you trust ?
How do you know that you can trust the person running the mirror you use?
Different persons have different yard sticks for deciding whether to
TRUST or NOT
TRUST mirrors. In my case, some yardsticks are longevity of reliable
service; endorsements
or lack of endorsements by the Internet; and authentification certificates.
You just TRUST or DO NOT a mirror site. Clearly, if you don't then
don't use it at all.
But it is BAD practice to selectively trust ( or not trust) a mirror.
Don't get me wrong,
when I don't trust a mirror, it does not mean that mirror is malicious.
Why do you think mirroring works and used ?
Mirrors are used because they bring the data closer to the people who
need it, and reduce the load on the upstream servers.
They are trusted only because people are too lazy to learn how to check
whether the packages are the same as those being distributed upstream.
They should not be blindly trusted.
Paul
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
