On 04/26/2014 04:59 PM, Kevin Stange wrote:
> On 04/26/2014 03:54 PM, Ned Slider wrote:
>> So yes, by all means ship repo release packages in extras, but ship them
>> 'as is', bugs and all from the upstream repo. Personally, I'd much
>> prefer you didn't even rebuild them - I'd rather see CentOS just
>> redistribute the upstream built and signed binary packages via the
>> extras repository.
> They at least need to be re-signed. Yum is going to be unhappy about
> installing packages with unknown signatures from CentOS Extras.

Well, things installed from CentOS extras need to be signed with our key (as the key from the other repo will not be available until the release RPM is installed).

So we can not leave the RPM signed by the key that it is going to install, because it will not install unless you manually install their key first.

That leaves the question if I will "resign" someone else's RPM with the CentOS key and stick it in extras ... and I think the answer is NO for that ... so, I will have to build, then sign them. I don't think people want the CentOS Project to blindly sign things that other groups, whoever they are, build.