On 05/01/17 09:22, Laurentiu Pancescu wrote:
Hi there,
I stumbled upon an older post by Johnny Hughes about gpg-checking the repository metadata. [1] In the meantime, we seem to have signed metadata not only for "updates", but also for "base", "extras" and "centosplus" (just the "base" signature for CentOS Linux 6 is missing).
What are the reasons for not enabling the repo gpg check in our default installation? Would it be a bad idea to do that in our Vagrant images?
If all the metadata is now signed, the corresponding centos-release can carry the gpgcheck enabled.
As a distro flag - this is a huge change. We just need to make sure (quantify?) that we don't break existing installs. In most cases, this is just a case of orchestrating it right (i.e., maybe centos-release with the enabled flag needs to be staged out, in a way that only people with all the repos signed are going to see this new file, and do it as a second cycle).
Regards