Package manager vulnerability study flawed?
A study from the University of Arizona (recently posted on slashdot) looked at weaknesses in package managers (and mirror setup). By becoming an official mirror and delaying or stalling that mirror's updates, they tried to lower the security of servers using the mirror and increase the window of opportunity for a successful attack.
In itself it is very useful to make people aware of weaknesses in technology or abuse of trust, but in this case (and certainly for CentOS) I think they overstated the impact or at least ignored mechanisms used to prevent possible security risks.
By default CentOS uses yum with mirrorlist enabled. This means that instead of using a single mirror all the time, you are spread across different mirrors, which somewhat reduces the risk of depending on a single out-of-date mirror. Next to that, CentOS has several tiers of mirrors depending on the update frequency of each mirror (and the degree of control the CentOS project has over those mirrors).
The mirrorlist that CentOS users actually use is generated based on the correctness of the individual mirrors: we continuously verify mirror content, metadata, file sizes and signatures on checksums. This means that CentOS users only work with an up-to-date mirrorlist, and mirrors that stall or delay packages are left out of it. You can see how this works on the CentOS mirror status page.
Unfortunately this mechanism was not mentioned in the study.
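To make the filtering step concrete, here is an added example (not the CentOS project's own mirror-status tooling) that parses constructed repomd.xml documents for a master and several candidate mirrors, drops mirrors whose metadata signature did not verify, whose revision lags the master by more than an allowed window, or whose checksums and sizes disagree with the master at the same revision, and returns the mirrors that may appear in the mirrorlist. Mirror URLs, revisions and checksums are constructed; the signature result is assumed to come from a separate verification of repomd.xml.asc.

```python
"""Constructed example of mirrorlist filtering: stale, tampered or unsigned
mirrors are excluded before the list is handed to yum clients."""
import xml.etree.ElementTree as ET

NS = "{http://linux.duke.edu/metadata/repo}"


def repomd(revision, primary_sum, primary_size=1024):
    """Build a minimal repomd.xml document (constructed test data)."""
    return (f'<repomd xmlns="http://linux.duke.edu/metadata/repo">'
            f'<revision>{revision}</revision>'
            f'<data type="primary"><checksum type="sha256">{primary_sum}</checksum>'
            f'<size>{primary_size}</size>'
            f'<location href="repodata/primary.xml.gz"/></data></repomd>')


def parse_repomd(xml_text):
    """Return (revision, {data_type: (checksum, size)}) from repomd.xml."""
    root = ET.fromstring(xml_text)
    revision = int(root.findtext(NS + "revision"))
    entries = {}
    for data in root.findall(NS + "data"):
        checksum = data.find(NS + "checksum").text
        entries[data.get("type")] = (checksum, int(data.findtext(NS + "size")))
    return revision, entries


def select_mirrors(master_xml, mirrors, max_lag):
    """mirrors maps url -> (repomd_xml, signature_ok); return the usable urls.
    signature_ok is assumed to be the result of verifying repomd.xml.asc."""
    master_rev, master_entries = parse_repomd(master_xml)
    good = []
    for url, (xml_text, sig_ok) in mirrors.items():
        if not sig_ok:
            continue                      # unsigned/invalid metadata: untrusted
        try:
            rev, entries = parse_repomd(xml_text)
        except (ET.ParseError, TypeError, ValueError):
            continue                      # broken or missing metadata
        if master_rev - rev > max_lag:
            continue                      # stalled mirror: outside the window
        if rev == master_rev and entries != master_entries:
            continue                      # same revision, mismatching content
        good.append(url)
    return good


MASTER = repomd(1217100000, "a" * 64)
MIRRORS = {  # constructed sample mirrors
    "http://mirror-a.example/centos/": (repomd(1217100000, "a" * 64), True),
    "http://mirror-b.example/centos/": (repomd(1217100000 - 7 * 86400, "b" * 64), True),
    "http://mirror-c.example/centos/": (repomd(1217100000, "c" * 64), True),
    "http://mirror-d.example/centos/": (repomd(1217100000, "a" * 64), False),
    "http://mirror-e.example/centos/": ("<not xml", True),
}

if __name__ == "__main__":
    print(select_mirrors(MASTER, MIRRORS, max_lag=86400))
```

Only mirror-a survives: mirror-b is a week behind, mirror-c serves different content under the same revision, mirror-d fails signature verification and mirror-e returns garbage.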
The conclusion seems to be that any theoretical risk is very minimal and indirect; however, some of the recommendations for improving the package manager's robustness should definitely be taken seriously by their developers.
Update: CentOS developer Johnny Hughes blogged about the same topic.