[CentOS-devel] Checking signed repo metadata by default?

Johnny Hughes johnny at centos.org
Thu Jan 12 15:16:57 UTC 2017


On 01/06/2017 03:49 AM, Laurentiu Pancescu wrote:
> On 05/01/17 16:56, Johnny Hughes wrote:
>> I will sign that for 6.9 for sure .. I was holding off on the current
>> 6.8 repo, although theoretically it does not impact anything if I do
>> sign and put on there too (6.8).
>>
>> The reason I would not do it would be that we have an Everything ISO for
>> C7 and the older ones did not have signed repodata, so I don't want a
>> different repo on ISO than on the mirrors.
> 
> I first tried to produce a patch for rpms/centos-release, but after "git
> clone --branch c7 https://git.centos.org/git/rpms/centos-release.git/" I
> noticed that the repo hasn't yet been updated for 7.3.1611, and
> centos-release-7-2.1511.tar.gz isn't included.  I couldn't find any c6
> branch, either, so I ended up producing patches against the default
> .repo files from our official Vagrant images (attached, tested locally).
> 
> Would it be ok in this form?  The only disadvantage I see is being asked
> to trust the official CentOS key several times during the first "yum
> update" (instead of just once).

Right, the only real issue is more trust requests for the same key.

