On 08.09.20 at 17:12, Neal Gompa wrote:
On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson brian@bstinson.com wrote:
While we want signed repodata to be *available* to folks who want to enable it, we don't want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
This is a very bizarre stance to take. Enabling repo_gpgcheck for the CentOS provided repos in their repo files should not harm anything else, and only further ensures the integrity of the repository content.
This was exactly my motivation for asking.
After 5 years of "maturing" it could be the default now, though.
https://lists.centos.org/pipermail/centos/2015-May/152065.html
Is there a compelling reason to *not* change the defaults? Because from my perspective, I don't see any.
But I am not sure, or rather, I do not have a test scenario where this could lead to a problem. Especially in the initial setup stage, where dnf/yum would ask to check this but does not yet have the key (composer, kickstart?) - or will this be ignored by dnf/yum in those scenarios? I remember asking somewhere whether the integrity gets checked in general (anaconda or kickstart list), but got no feedback.
JFI: https://bugzilla.redhat.com/show_bug.cgi?id=998
Once the system is installed it would ask, as is done for the normal rpm checks (gpgcheck=1).
And regarding Brian's suggestion: the problem that I see with "local" configurations of repo_gpgcheck is that all files are (correctly) packaged with %config(noreplace), and that would lead to more management friction ... normally the presets are safe and do not need to be altered. Or does dnf support drop-in configs that get merged when the repo definitions are read? :-)
-- Leon
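An added example, not part of Leon's mail and not code from the CentOS or dnf projects: a small Python audit over constructed dnf.conf and .repo contents that reports which repositories do not require signed repodata, and rewrites the .repo text to enable repo_gpgcheck in place (the kind of local edit to a %config(noreplace) file the thread is discussing). It applies the dnf.conf(5) precedence rule: a repo-level repo_gpgcheck wins, an absent one falls back to [main], and the built-in default is False. The repo ids, URLs and file contents below are constructed sample data, not real CentOS files.

```python
"""Audit DNF/yum repo definitions for repo_gpgcheck coverage (added example)."""
import configparser
from typing import Dict, List

# Constructed sample inputs standing in for /etc/dnf/dnf.conf and a
# /etc/yum.repos.d/*.repo file. Not real CentOS configuration.
SAMPLE_DNF_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
"""

SAMPLE_REPO = """\
[baseos]
name=Sample $releasever - BaseOS
baseurl=https://mirror.example.invalid/baseos/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sample

[appstream]
name=Sample $releasever - AppStream
baseurl=https://mirror.example.invalid/appstream/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sample

[extras]
name=Sample $releasever - Extras
baseurl=https://mirror.example.invalid/extras/
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sample
"""

TRUE_VALUES = {"1", "yes", "true", "on"}


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps dnf variables such as $releasever intact.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_repo_gpgcheck(main_conf_text: str, repo_text: str) -> Dict[str, bool]:
    """Map repo id -> whether repodata (repomd.xml) must be signed.

    Repo-level repo_gpgcheck wins; otherwise the [main] value applies;
    otherwise dnf's built-in default of False.
    """
    main = _parse(main_conf_text)
    default = main.get("main", "repo_gpgcheck", fallback="0")
    repos = _parse(repo_text)
    result: Dict[str, bool] = {}
    for repo_id in repos.sections():
        value = repos.get(repo_id, "repo_gpgcheck", fallback=default)
        result[repo_id] = value.strip().lower() in TRUE_VALUES
    return result


def unprotected_repos(main_conf_text: str, repo_text: str) -> List[str]:
    """Repo ids for which unsigned or tampered repodata would be accepted."""
    status = effective_repo_gpgcheck(main_conf_text, repo_text)
    return sorted(repo_id for repo_id, enabled in status.items() if not enabled)


def hardened_repo_file(repo_text: str) -> str:
    """Return the .repo text with repo_gpgcheck=1 in every section.

    Works line by line so comments and layout survive; an existing
    repo_gpgcheck line is rewritten, a missing one is appended to the section.
    """
    out: List[str] = []
    in_section = False
    seen = False  # does the current section already carry repo_gpgcheck?

    def close_section() -> None:
        # Insert before the blank lines that separate sections.
        pos = len(out)
        while pos > 0 and out[pos - 1].strip() == "":
            pos -= 1
        out.insert(pos, "repo_gpgcheck=1")

    for line in repo_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not seen:
                close_section()
            in_section, seen = True, False
            out.append(line)
        elif (not stripped.startswith(("#", ";"))
              and stripped.split("=", 1)[0].strip().lower() == "repo_gpgcheck"):
            out.append("repo_gpgcheck=1")
            seen = True
        else:
            out.append(line)
    if in_section and not seen:
        close_section()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("unsigned repodata accepted for:", unprotected_repos(SAMPLE_DNF_CONF, SAMPLE_REPO))
    print(hardened_repo_file(SAMPLE_REPO))
```

On the sample, only appstream is protected: baseos inherits the False default and extras disables the check explicitly, so both show up in the audit; after hardened_repo_file the audit is empty. Setting repo_gpgcheck=1 under [main] in dnf.conf covers every repo that does not set its own value, but it does not override an explicit repo_gpgcheck=0 in a .repo file, which is why the audit has to look at both files.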