On 26/02/16 15:42, Johnny Hughes wrote:
> CentOS is a community project and we have lots of external, NON-CentOS
> mirrors for several items. While that is NOT currently happening for
> cloud.centos.org, it very well could in the future. At that point, we
> lose control over the setup of the machines, etc. That is the whole
> purpose of signing RPMs and signing the shasum files .. so you can
> verify them regardless of the mirror.

So, maybe a script or some details on how one can get the keys from
www.centos.org/keys? And have the script itself hosted behind https on
the keys page?

w.r.t. the images/ I don't think we should add the non-versioned files to
the sha sums - since that will constantly be changing, at least once a
month. It might be better to have a README file in that dir that shows
up when someone looks at the dir listing, and have that explain the setup?

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc