[CentOS-devel] Request for epel-release package in CentOS repo

On 04/26/2014 04:59 PM, Kevin Stange wrote:
> On 04/26/2014 03:54 PM, Ned Slider wrote:
>> So yes, by all means ship repo release packages in extras, but ship them 
>> 'as is', bugs and all from the upstream repo. Personally, I'd much 
>> prefer you didn't even rebuild them - I'd rather see CentOS just 
>> redistribute the upstream built and signed binary packages via the 
>> extras repository.
> They at least need to be re-signed.  Yum is going to be unhappy about
> installing packages with unknown signatures from CentOS Extras.

Well, things installed from CentOS extras need to be signed with our key
(as the key from the other repo will not be available until the release
RPM is installed). 

So we can not leave the RPM signed by the key that it is going to
install, because it will not install unless you manually install their
key first.

That leaves the question if I will "resign" someone else's RPM with the
CentOS key and stick it in extras ... and I think the answer is NO for
that ... so, I will have to build, then sign them.

I don't think people want the CentOS Project to blindly sign things that
other groups, whoever they are, build.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20140501/3212186a/attachment-0003.sig>