On 26/02/16 15:42, Johnny Hughes wrote:
CentOS is a community project and we have lots of external, NON-CentOS mirrors for several items. While that is NOT currently happening for cloud.centos.org, it very well could in the future. At that point, we lose control over the setup of the machines, etc. That is the whole purpose of signing RPMs and signing the shasum files .. so you can verify them regardless of the mirror.
So, maybe a script or some details on how one can get the keys from www.centos.org/keys? And have the script itself hosted behind https on the keys page?
W.r.t. the images/, I don't think we should add the non-versioned files to the sha sums, since that will constantly be changing, at least once a month. It might be better to have a README file in that dir that shows up when someone looks at the dir listing, and have that explain the setup?