[CentOS-devel] Checking signed repo metadata by default?

Laurentiu Pancescu lpancescu at gmail.com
Fri Jan 6 09:49:06 UTC 2017


On 05/01/17 16:56, Johnny Hughes wrote:
> I will sign that for 6.9 for sure .. I was holding off on the current
> 6.8 repo, although theoretically it does not impact anything if I do
> sign and put on there too (6.8).
>
> The reason I would not do it would be that we have an Everything ISO for
> C7 and the older ones did not have signed repodata, so I don't want a
> different repo on ISO than on the mirrors.

I first tried to produce a patch for rpms/centos-release, but after "git 
clone --branch c7 https://git.centos.org/git/rpms/centos-release.git/" I 
noticed that the repo hasn't yet been updated for 7.3.1611, and 
centos-release-7-2.1511.tar.gz isn't included.  I couldn't find any c6 
branch, either, so I ended up producing patches against the default 
.repo files from our official Vagrant images (attached, tested locally).

Would it be ok in this form?  The only disadvantage I see is being asked 
to trust the official CentOS key several times during the first "yum 
update" (instead of just once).

Thanks,
Laurențiu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: repo_gpgcheck.c6.gz
Type: application/x-gzip
Size: 432 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20170106/45fd0f6f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: repo_gpgcheck.c7.gz
Type: application/x-gzip
Size: 479 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20170106/45fd0f6f/attachment-0001.bin>
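
An audit for the setting this message proposes to enable, as an added example that is not part of the original post or of the attached patches: it parses `.repo` text and reports enabled repositories whose metadata signature would not be checked. The function name `audit_repos`, the `main_default` parameter and the sample repo definitions are assumptions made for illustration; the fallbacks follow yum's defaults (`enabled` on, `repo_gpgcheck` off).

```python
import configparser

# Constructed sample input, modelled on a yum .repo file (not taken from the attachments).
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.example.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirror.example.org/centos/$releasever/updates/$basearch/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
enabled=0
gpgcheck=1

[local]
name=Local mirror
repo_gpgcheck=yes
"""

def audit_repos(text, main_default=False):
    """Return {repo_id: [findings]} for enabled repos.

    main_default is the repo_gpgcheck value inherited from [main] in yum.conf.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if repo == "main" or not sec.getboolean("enabled", fallback=True):
            continue  # disabled repos are never fetched, so nothing to verify
        issues = []
        if not sec.getboolean("repo_gpgcheck", fallback=main_default):
            issues.append("repo_gpgcheck off: repomd.xml signature is not verified")
        elif not sec.get("gpgkey", fallback="").strip():
            issues.append("repo_gpgcheck on but no gpgkey configured to verify against")
        if issues:
            findings[repo] = issues
    return findings

if __name__ == "__main__":
    for repo, issues in audit_repos(SAMPLE_REPO).items():
        print(repo, "->", "; ".join(issues))
```
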

