On Tue, Sep 08, 2020 at 02:51:19PM -0400, James Cassell wrote:
> On Tue, Sep 8, 2020, at 11:12 AM, Neal Gompa wrote:
> > On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson brian@bstinson.com wrote:
> > > While we want signed repodata to be *available* to folks who want to enable it, we don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
> >
> > This is a very bizarre stance to take. Enabling repo_gpgcheck for the CentOS provided repos in their repo files should not harm anything else, and only further ensures the integrity of the repository content.
> >
> > Is there a compelling reason to *not* change the defaults? Because from my perspective, I don't see any.
>
> The only reason might be to prevent breaking folks who regenerate the repomd locally. Not sure whether pulp preserves the original md or regenerates its own. (I always use exactly the upstream repomd for precisely this reason of avoiding breaking repo_gpgcheck, which is often on "security hardening" checklists.)

Well, no idea if the yum/dnf in CentOS/RHEL have the same issues as the Fedora versions, but there are a LOT of corner cases around signed repos.
https://bugzilla.redhat.com/show_bug.cgi?id=1247644 "dnf --cacheonly wants to import GPG key when using repo_gpgcheck"
Because dnf stores repo gpg keys in its cache, every user has to import it/might be confused when it's not there.
https://bugzilla.redhat.com/show_bug.cgi?id=1768206 "DNF prompts for GPG key import for "repo_gpgcheck=1"-repositories despite "rpm --import"-ing the keys first"
This one causes dnf to prompt for the key when people don't expect it to.
and more...
There's just a lot of corner cases around this, so I would be careful about enabling it across the board.
kevin
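
For sites that decide for themselves, as the thread suggests, this added example (not part of the thread and not CentOS or dnf code) audits repo definitions for the effective repo_gpgcheck setting. It assumes dnf's documented behaviour that repo_gpgcheck defaults to off and is inherited from [main] when a repo does not set it; the repo ids, URLs, key path and finding strings are constructed.

```python
import configparser

# Constructed sample input (not from a real system). MAIN stands in for
# /etc/dnf/dnf.conf, REPOS for a file under /etc/yum.repos.d/.
MAIN = "[main]\ngpgcheck=1\n"  # package checking on says nothing about metadata
REPOS = """\
[baseos]
baseurl=https://mirror.example.invalid/baseos/
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[extras]
baseurl=https://mirror.example.invalid/extras/
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[local-mirror]
baseurl=https://mirror.example.invalid/local/
repo_gpgcheck=1

[debug]
baseurl=https://mirror.example.invalid/debug/
enabled=0
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _flag(key, default, *sections):
    # First section that sets the key wins: the repo, then [main].
    for sec in sections:
        if sec is not None and key in sec:
            return sec.getboolean(key)
    return default

def audit(main_text, repos_text):
    main_cp = _parse(main_text)
    main = main_cp["main"] if main_cp.has_section("main") else None
    findings = []
    repos = _parse(repos_text)
    for repo_id in repos.sections():
        repo = repos[repo_id]
        if not _flag("enabled", True, repo):
            continue  # disabled repos are not part of the audit
        if not _flag("repo_gpgcheck", False, repo, main):
            findings.append((repo_id, "repomd.xml signature not verified"))
        elif not repo.get("gpgkey", "").strip():
            findings.append((repo_id, "repo_gpgcheck on but no gpgkey listed"))
    return findings

if __name__ == "__main__":
    for repo_id, issue in audit(MAIN, REPOS):
        print(f"{repo_id}: {issue}")
```

The second finding type matters because, as noted in the message above, dnf keeps repo keys in its own cache, so a repo with repo_gpgcheck on needs a gpgkey entry dnf can import from.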