On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
> Hi,
>
> I wonder if it would be not beneficial enabling repo_gpgcheck for all
> centos repos? A short cross check shows that also SIG repos have
> repomd.xml signed. mirror.centos.org has no TLS enabled and
> repo_gpgcheck would add an additional security layer per default?
> This could be started for EL8? Or are there any barriers?
>
> --

It is on almost all repos .. C6, c7, and c8

The reason mirror.centos.org is not https is many machines are donated .. and could be taken away (reclaimed) by the donors, who have physical control of the machines. We don't want 'private' keys on those donated machines and that is the reason we created repo_gpgcheck repos.
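An added example, not part of the original thread or of any CentOS tooling: a small audit that reads yum/dnf `.repo` text and reports which enabled repos fetch metadata over plain HTTP without `repo_gpgcheck`. The sample repo definitions, hostnames, result labels, and the assumed built-in defaults are constructed for illustration.

```python
import configparser

# Constructed sample .repo content; repo ids and hostnames are placeholders.
SAMPLE_REPO = """\
[example-baseos]
name=Example BaseOS
mirrorlist=http://mirrorlist.example.org/?release=$releasever&arch=$basearch
gpgcheck=1
enabled=1

[example-sig]
name=Example SIG
baseurl=http://mirror.example.org/sig/$releasever/$basearch/
gpgcheck=1
repo_gpgcheck=1

[example-tls]
name=Example TLS (disabled)
baseurl=https://mirror.example.org/tls/$releasever/$basearch/
enabled=0
"""

URL_KEYS = ("baseurl", "mirrorlist", "metalink")
# Assumed defaults when neither the repo nor [main] sets the option.
BUILTIN = {"enabled": True, "repo_gpgcheck": False}


def audit_repos(text, main_defaults=None):
    """Map each enabled repo id to how its metadata (repomd.xml) is protected."""
    defaults = {**BUILTIN, **(main_defaults or {})}
    # interpolation=None keeps $releasever and any '%' in URLs literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        if repo_id == "main" or not sec.getboolean("enabled", fallback=defaults["enabled"]):
            continue
        urls = [u for k in URL_KEYS for u in sec.get(k, "").replace(",", " ").split()]
        plaintext = any(u.lower().startswith(("http://", "ftp://")) for u in urls)
        if sec.getboolean("repo_gpgcheck", fallback=defaults["repo_gpgcheck"]):
            findings[repo_id] = "metadata-verified"  # repomd.xml signature checked
        elif plaintext:
            findings[repo_id] = "plaintext-unverified-metadata"
        else:
            findings[repo_id] = "transport-only"  # integrity rests on transport alone
    return findings


if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE_REPO).items():
        print(f"{repo}: {finding}")
```

Pass the host's `[main]` settings as `main_defaults` (for example `{"repo_gpgcheck": True}`) so repos that inherit the option are not reported.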