[CentOS-devel] repo_gpgcheck for centos repos?

Kevin Fenzi

kevin at scrye.com
Tue Sep 8 20:38:36 UTC 2020


On Tue, Sep 08, 2020 at 02:51:19PM -0400, James Cassell wrote:
> 
> On Tue, Sep 8, 2020, at 11:12 AM, Neal Gompa wrote:
> > On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson <brian at bstinson.com> wrote:
> > >
> > > While we want signed repodata to be *available* to folks who want to enable it, we don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
> > >
> > 
> > This is a very bizarre stance to take. Enabling repo_gpgcheck for
> > the CentOS provided repos in their repo files should not harm anything
> > else, and only further ensures the integrity of the repository
> > content.
> > 
> > Is there a compelling reason to *not* change the defaults? Because
> > from my perspective, I don't see any.
> > 
> 
> The only reason might be to prevent breaking folks who regenerate the repomd locally. Not sure whether pulp preserves the original md or regenerates its own. (I always use exactly the upstream repomd for precisely this reason of avoiding breaking repo_gpgcheck, which is often on "security hardening" checklists.)

Well, no idea if the yum/dnf in CentOS/RHEL have the same issues as the Fedora
versions, but there are a LOT of corner cases around signed repos.

https://bugzilla.redhat.com/show_bug.cgi?id=1247644
"dnf --cacheonly wants to import GPG key when using repo_gpgcheck"

Because dnf stores repo gpg keys in its cache, every user has to import
it/might be confused when it's not there.

https://bugzilla.redhat.com/show_bug.cgi?id=1768206
DNF prompts for GPG key import for "repo_gpgcheck=1"-repositories despite "rpm --import"-ing the keys first

This one causes dnf to prompt for the key when people don't expect it
to. 

and more...

There's just a lot of corner cases around this, so I would be careful
about enabling it across the board.

kevin
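The thread above turns on what `repo_gpgcheck=1` actually implies for a site: the repodata signature can only be verified if dnf also has a `gpgkey` it can import, and locally regenerated repomd will not carry the upstream signature at all. The following is an added example, not code from the thread or from the CentOS project: a small audit over yum/dnf `.repo` files that reports, per repository, whether package signatures (`gpgcheck`) and repodata signatures (`repo_gpgcheck`) are verified and whether a `gpgkey` is configured. The `.repo` content, repository names and mirror URLs are constructed for the example.

```python
"""Audit yum/dnf .repo definitions for gpgcheck / repo_gpgcheck settings.

Added example, not part of the mailing-list thread. Parses repo files with
configparser (the .repo format is INI-style) and flags enabled repos that
skip package or repodata signature checks, or that turn on repo_gpgcheck
without any gpgkey for dnf to import.
"""
import configparser
from dataclasses import dataclass, field
from typing import List

# Constructed sample .repo content (hypothetical repos and URLs).
SAMPLE_REPO = """
[baseos]
name=Example BaseOS
mirrorlist=http://mirrorlist.example.invalid/?repo=BaseOS
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[appstream]
name=Example AppStream
baseurl=http://mirror.example.invalid/appstream/
gpgcheck=1
repo_gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[local-mirror]
name=Locally regenerated mirror (no gpgkey configured)
baseurl=http://mirror.internal.invalid/centos/
gpgcheck=1
repo_gpgcheck=1
enabled=1

[disabled-extras]
name=Extras (disabled, so not audited)
baseurl=http://mirror.example.invalid/extras/
gpgcheck=0
enabled=0
"""


@dataclass
class RepoFinding:
    repo: str
    enabled: bool
    gpgcheck: bool
    repo_gpgcheck: bool
    has_gpgkey: bool
    notes: List[str] = field(default_factory=list)


def _flag(section, key, default="0"):
    """Interpret a dnf boolean option (1/0, true/false, yes/no)."""
    return section.get(key, default).strip().lower() in ("1", "true", "yes")


def audit_repo_config(text):
    """Return one RepoFinding per [section]; notes are only added for enabled repos."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        s = parser[name]
        enabled = _flag(s, "enabled", "1")        # dnf treats a missing 'enabled' as 1
        gpgcheck = _flag(s, "gpgcheck")           # package signature check, default off
        repo_gpgcheck = _flag(s, "repo_gpgcheck") # repomd.xml signature check, default off
        has_gpgkey = bool(s.get("gpgkey", "").strip())
        f = RepoFinding(name, enabled, gpgcheck, repo_gpgcheck, has_gpgkey)
        if enabled:
            if not gpgcheck:
                f.notes.append("gpgcheck=0: package signatures are not verified")
            if not repo_gpgcheck:
                f.notes.append("repo_gpgcheck=0: repodata (repomd.xml) signature is not verified")
            elif not has_gpgkey:
                f.notes.append("repo_gpgcheck=1 without gpgkey: dnf has no configured key "
                               "to import for verifying the repodata signature")
        findings.append(f)
    return findings


def findings_needing_attention(findings):
    """Names of enabled repos that produced at least one note."""
    return [f.repo for f in findings if f.notes]


if __name__ == "__main__":
    for f in audit_repo_config(SAMPLE_REPO):
        status = "OK" if not f.notes else "; ".join(f.notes)
        print(f"{f.repo:16} enabled={int(f.enabled)} gpgcheck={int(f.gpgcheck)} "
              f"repo_gpgcheck={int(f.repo_gpgcheck)} gpgkey={int(f.has_gpgkey)}  {status}")
```

Point `audit_repo_config` at the contents of each file under `/etc/yum.repos.d/` to run it on a real host. The `local-mirror` case is the one James Cassell's reply is about: a site that regenerates repomd locally must either keep the upstream `repomd.xml` and `.asc` intact or sign its own metadata and ship the matching `gpgkey`, otherwise `repo_gpgcheck=1` cannot be satisfied.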