[CentOS-devel] repo_gpgcheck for centos repos?

On Fri, Sep 4, 2020, at 10:36, Leon Fauster via CentOS-devel wrote:
> Am 04.09.20 um 16:08 schrieb Johnny Hughes:
> > On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
> >> Hi,
> >>
> >> I wonder if it would be not beneficial enabling repo_gpgcheck for all
> >> centos repos?  A short cross check shows that also SIG repos have
> >> repomd.xml signed. mirror.centos.org has no TLS enabled and
> >> repo_gpgcheck would add an additional security layer per default?
> >> This could be started for EL8? Or are there any barries?
> >>
> >> -- 
> > 
> > It is on almost all repos ..
> > 
> > C6, c7, and c8
> > 
> > The reason mirror.centos.org is not https is many machines are donated
> > .. and could be taken away 9reclaimed) by the donors, who have physical
> > control of the machines.  We don't want 'private' keys on those donated
> > machines and the reason we created repo_gpgcheck repos.
> 
> Sure, this applies to TLS. Therefore I was suggesting to enable
> repo_gpgcheck for all CentOS repos in the _configuration files_.
> The default is false or are they enabled elsewhere?
> 
> # grep repo_gpgcheck /etc/yum.repos.d/C*
> # echo $?
> 1
> 
> --
> Leon
> 
> 
> 
> 
> 
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel

While we want signed repodata to be *available* to folks who want to enable it, We don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites. 

—Brian