On 01/05/2017 09:20 AM, Laurentiu Pancescu wrote:
On 05/01/17 14:32, Karanbir Singh wrote:
if all the metadata is now signed, the corresponding centos-release can carry the gpgcheck enabled.
I was thinking about enabling repo_gpgcheck only for the official CentOS repos - the ones which are signed. I just went through CentOS-*.repo to find which repos are signed in c6 and c7:
- base (c7 only)
- updates
- extras
- centosplus
- CR
- fasttrack
The debuginfo repo, all repos on vault.centos.org and C6 base are not signed right now. Are there any plans to sign C6 base?
I will sign that for 6.9 for sure .. I was holding off on the current 6.8 repo, although theoretically it does not impact anything if I do sign and put on there too (6.8).
The reason I would not do it would be that we have an Everything ISO for C7 and the older ones did not have signed repodata, so I don't want a different repo on ISO than on the mirrors.
But for C6 that is not really applicable, because anaconda splits the ISOs separately and the ISO metadata does not match the repo metadata anyway. So, if it would help to standardize things, I can put a signed metadata file on the c6.8 base repo.
As to vault and debuginfo .. I don't want to revise the vault (that is what was released, and those are not really supported, just published). Debuginfo is also problematic as scripts rebuild metadata as required there and it would be a huge change in process to try to roll in signing there. If we really, really need it then we could but I would rather not do so.
<snip>
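An added example, not part of the thread: a small Python audit of a yum .repo file that applies the policy discussed above. It assumes the repo ids from the CentOS-*.repo files (base, updates, extras, centosplus, cr, fasttrack) and uses a constructed sample file, flagging signed repos that lack repo_gpgcheck=1 and unsigned repos (such as debuginfo) where enabling it would make yum reject the metadata.

```python
import configparser
from typing import Dict, List, Set

# Repos the thread lists as carrying signed repodata on C7 (base is signed on c7 only).
# Repo ids follow the CentOS-*.repo section naming (assumption).
SIGNED_REPOS_C7: Set[str] = {"base", "updates", "extras", "centosplus", "cr", "fasttrack"}

# Constructed sample /etc/yum.repos.d content for illustration, not a real CentOS file.
SAMPLE_REPO_FILE = """\
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[base-debuginfo]
name=CentOS-7 - Debuginfo
baseurl=http://debuginfo.centos.org/7/$basearch/
gpgcheck=1
repo_gpgcheck=1
enabled=0
"""


def audit_repo_gpgcheck(repo_text: str, signed: Set[str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'unverifiable': [...]}.

    missing:      repodata is signed upstream but repo_gpgcheck is not enabled
    unverifiable: repo_gpgcheck=1 on a repo whose repodata is not signed
    """
    cp = configparser.ConfigParser(interpolation=None)  # yum uses $vars, not %()s
    cp.read_string(repo_text)
    result: Dict[str, List[str]] = {"missing": [], "unverifiable": []}
    for section in cp.sections():
        # yum default when the key is absent is repo_gpgcheck=0
        repo_gpgcheck = cp.getboolean(section, "repo_gpgcheck", fallback=False)
        if section in signed and not repo_gpgcheck:
            result["missing"].append(section)
        elif section not in signed and repo_gpgcheck:
            result["unverifiable"].append(section)
    return result


if __name__ == "__main__":
    print(audit_repo_gpgcheck(SAMPLE_REPO_FILE, SIGNED_REPOS_C7))
```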