[CentOS-devel] Checking signed repo metadata by default?
Karanbir Singh
mail-lists at karan.org
Thu Jan 5 13:32:24 UTC 2017
On 05/01/17 09:22, Laurentiu Pancescu wrote:
> Hi there,
>
> I stumbled upon an older post by Johnny Hughes about gpg-checking the
> repository metadata. [1] In the mean time, we seem to have signed
> metadata not only for "updates", but also for "base", "extras" and
> "centosplus" (just the "base" signature for CentOS Linux 6 is missing).
>
> What are the reasons for not enabling the repo gpg check in our default
> installation? Would it be a bad idea to do that in our Vagrant images?
if all the metadata is now signed, the corresponding centos-release can
carry the gpgcheck enabled.
as a distro flag - this is a huge change. We just need to make sure (
quantify ? ) that we dont break existing installs. In most cases, this
is just a case of orchestrating it right ( ie, maybe centos-release with
the enabled flag needs to the staged out, in a way that only people with
all the repos signed are going to see this new file, and do it as a
second cycle ).
Regards
--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
More information about the CentOS-devel
mailing list