On Tue, Sep 8, 2020, at 11:12 AM, Neal Gompa wrote:
On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson brian@bstinson.com wrote:
While we want signed repodata to be *available* to folks who want to enable it, We don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
This is a very bizarre stance to take. Enabling repo_gpgcheck for the CentOS provided repos in their repo files should not harm anything else, and only further ensures the integrity of the repository content.
Is there a compelling reason to *not* change the defaults? Because from my perspective, I don't see any.
The only reason might be to prevent breaking folks who regenerate the repomd locally. Not sure whether pulp preserves the original md or regenerates its own. (I always use exactly the upstream repomd for precisely this reason of avoiding breaking repo_gpgcheck, which is often on "security hardening" checklists.)
V/r, James Cassell
-- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel