On 9/4/20 12:09 PM, Brian Stinson wrote:
On Fri, Sep 4, 2020, at 10:36, Leon Fauster via CentOS-devel wrote:
Am 04.09.20 um 16:08 schrieb Johnny Hughes:
On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
Hi,
I wonder if it would be not beneficial enabling repo_gpgcheck for all centos repos? A short cross check shows that also SIG repos have repomd.xml signed. mirror.centos.org has no TLS enabled and repo_gpgcheck would add an additional security layer per default? This could be started for EL8? Or are there any barries?
--
It is on almost all repos ..
C6, c7, and c8
The reason mirror.centos.org is not https is many machines are donated .. and could be taken away 9reclaimed) by the donors, who have physical control of the machines. We don't want 'private' keys on those donated machines and the reason we created repo_gpgcheck repos.
Sure, this applies to TLS. Therefore I was suggesting to enable repo_gpgcheck for all CentOS repos in the _configuration files_. The default is false or are they enabled elsewhere?
# grep repo_gpgcheck /etc/yum.repos.d/C* # echo $? 1
-- Leon
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
While we want signed repodata to be *available* to folks who want to enable it, We don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
—Brian
Agreed.