On Mon, Sep 12, 2005 at 10:36:36AM +1000, O Plameras wrote: > You just TRUST or DO NOT a mirror site. Clearly, if you don't then > don't use it at all.
Again I ask, how do you know that you can trust the person running the mirror you use? How do you know that you can even trust the DNS entry that you're getting for that mirror? I used to be the sysadmin for an ISP that served around a million or so users, the vast majority of whom used the caching DNS servers that we provided. If I'd been a black-hat type, I'd have had ample opportunity to hijack the domain names that people were getting for various mirrors. If this happened in real life, then anyone who implicitly trusted these mirrors (and, for that matter, their DNS), could easily have been compromised. > But it is BAD practice to selectively trust ( or not trust) a mirror. The only bad practice is to trust a mirror at all. If you don't use some sort of signature checking of the files you're getting from it, you run the risk of using a file that is not what you were intending to get. Selectivity doesn't even come into it. Paul -- Paul Dwerryhouse | PGP Key ID: 0x6B91B584 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
