[CentOS-devel] Checking signed repo metadata by default?
Laurentiu Pancescu
lpancescu at gmail.com
Thu Jan 5 15:20:40 UTC 2017
On 05/01/17 14:32, Karanbir Singh wrote:
>
> if all the metadata is now signed, the corresponding centos-release can
> carry the gpgcheck enabled.

I was thinking about enabling repo_gpgcheck only for the official CentOS
repos - the ones which are signed. I just went through CentOS-*.repo to
find which repos are signed in c6 and c7:

- base (c7 only)
- updates
- extras
- centosplus
- CR
- fasttrack

The debuginfo repo, all repos on vault.centos.org and C6 base are not
signed right now. Are there any plans to sign C6 base?

> as a distro flag - this is a huge change. We just need to make sure (
> quantify ? ) that we don't break existing installs. In most cases, this
> is just a case of orchestrating it right ( ie, maybe centos-release with
> the enabled flag needs to be staged out, in a way that only people with
> all the repos signed are going to see this new file, and do it as a
> second cycle ).

How would one generate a patch to enable checking just the relevant
repos? I cloned the c7 branch of rpms/centos-release.git, but, except
for CentOS-CR.repo, which has its own patch creating it from scratch,
the other ones appear to be simply copied from %{buildroot}. What would
be the best way: to have this change in the files being copied, or an
additional patch, like for CR? In any case, we should be careful not to
enable this for C5, since the .spec file seems to be used for all
releases. Or maybe I'm looking at the wrong sources?
Thanks,
Laurențiu
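
An added example, not part of the original message and not CentOS project code: a small audit that compares the `repo_gpgcheck` setting of each section in a `.repo` file against the signed/unsigned list given in the message above. It assumes the section ids are the lowercased names from that list, ignores any default set in `yum.conf`, and uses a constructed sample file.

```python
import configparser

# Repo ids the message lists as having signed metadata, lowercased
# (assumption: these match the section names in CentOS-*.repo).
SIGNED_C6_AND_C7 = {"updates", "extras", "centosplus", "cr", "fasttrack"}
TRUE_VALUES = {"1", "yes", "true"}  # boolean spellings yum accepts as "on"


def signed_repos(major):
    """Signed repo ids for a release; per the message, base is signed on c7 only."""
    return SIGNED_C6_AND_C7 | ({"base"} if major == 7 else set())


def audit(repo_text, major):
    """Return {repo_id: finding} where repo_gpgcheck disagrees with the list."""
    # interpolation=None: .repo values contain literal '%' and '$' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    findings = {}
    for repo_id in cp.sections():
        value = cp.get(repo_id, "repo_gpgcheck", fallback="0").strip().lower()
        enabled = value in TRUE_VALUES
        is_signed = repo_id.lower() in signed_repos(major)
        if is_signed and not enabled:
            findings[repo_id] = "signed metadata, repo_gpgcheck not enabled"
        elif enabled and not is_signed:
            # This is the case that would break existing installs.
            findings[repo_id] = "repo_gpgcheck enabled, metadata not listed as signed"
    return findings


# Constructed sample, not a real CentOS-Base.repo.
SAMPLE = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
repo_gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1

[base-debuginfo]
name=CentOS-$releasever - Debuginfo
gpgcheck=1
repo_gpgcheck=1
"""

if __name__ == "__main__":
    for major in (6, 7):
        print(major, audit(SAMPLE, major))
```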