[CentOS-devel] Checking signed repo metadata by default?

Johnny Hughes johnny at centos.org
Thu Jan 5 15:56:20 UTC 2017


On 01/05/2017 09:20 AM, Laurentiu Pancescu wrote:
> On 05/01/17 14:32, Karanbir Singh wrote:
>>
>> if all the metadata is now signed, the corresponding centos-release can
>> carry the gpgcheck enabled.
> 
> I was thinking about enabling repo_gpgcheck only for the official CentOS
> repos - the ones which are signed.  I just went through CentOS-*.repo to
> find which repos are signed in c6 and c7:
> 
> - base (c7 only)
> - updates
> - extras
> - centosplus
> - CR
> - fasttrack
> 
> The debuginfo repo, all repos on vault.centos.org and C6 base are not
> signed right now.  Are there any plans to sign C6 base?

I will sign that for 6.9 for sure .. I was holding off on the current
6.8 repo, although theoretically it does not impact anything if I do
sign and put on there too (6.8).

The reason I would not do it would be that we have an Everything ISO for
C7 and the older ones did not have signed repodata, so I don't want a
different repo on ISO than on the mirrors.

But for C6 that is not really applicable, because anaconda splits the
ISOs separately and the ISO metadata does not match the repo metadata
anyway. So, if it would help to standardize things, I can put a signed
metadata file on the c6.8 base repo.

As to vault and debuginfo .. I don't want to revise the vault (that is
what was released, and those are not really supported, just published).
Debuginfo is also problematic as scripts rebuild metadata as required
there and it would be a huge change in process to try to roll in
signing there.  If we really, really need it then we could but I would
rather not do so.

<snip>
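
An added example, not part of the original message or of any CentOS tooling: a small audit that compares the `repo_gpgcheck` setting in a `.repo` file against the list of signed repos given in this thread. The section ids (lowercased thread names, plus `base-debuginfo`) and the sample file are constructed assumptions, and the signed list reflects only what the thread states as of its date.

```python
import configparser

# Repos the thread lists as having signed metadata, keyed by major release.
# Assumption: section ids are the thread's names, lowercased.
SIGNED = {
    "7": {"base", "updates", "extras", "centosplus", "cr", "fasttrack"},
    "6": {"updates", "extras", "centosplus", "cr", "fasttrack"},  # C6 base not signed
}

# Constructed sample input, not a real CentOS-Base.repo.
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
repo_gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1

[base-debuginfo]
name=CentOS-$releasever - Debuginfo
gpgcheck=1
repo_gpgcheck=1
enabled=0
"""

TRUE_VALUES = {"1", "true", "yes"}


def audit(repo_text, major):
    """Return (signed_but_unchecked, checked_but_unsigned) lists of repo ids."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(repo_text)
    signed_but_unchecked, checked_but_unsigned = [], []
    for repo_id in cp.sections():
        # An unset repo_gpgcheck is treated as off, which is yum's default.
        raw = cp.get(repo_id, "repo_gpgcheck", fallback="0")
        checked = raw.strip().lower() in TRUE_VALUES
        signed = repo_id.lower() in SIGNED[major]
        if signed and not checked:
            signed_but_unchecked.append(repo_id)   # verification could be on
        elif checked and not signed:
            checked_but_unsigned.append(repo_id)   # no signature published to check
    return signed_but_unchecked, checked_but_unsigned


if __name__ == "__main__":
    for major in ("7", "6"):
        print(major, audit(SAMPLE_REPO, major))
```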

