[CentOS-devel] repo_gpgcheck for centos repos?

Fri Sep 4 14:08:55 UTC 2020
Johnny Hughes <johnny at centos.org>

On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
> Hi,
> 
> I wonder if it would be not beneficial enabling repo_gpgcheck for all
> centos repos?  A short cross check shows that also SIG repos have
> repomd.xml signed. mirror.centos.org has no TLS enabled and
> repo_gpgcheck would add an additional security layer per default?
> This could be started for EL8? Or are there any barriers?
> 
> -- 

It is on almost all repos ..

C6, c7, and c8

The reason mirror.centos.org is not https is many machines are donated
.. and could be taken away (reclaimed) by the donors, who have physical
control of the machines.  We don't want 'private' keys on those donated
machines and the reason we created repo_gpgcheck repos.

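
An added example, not part of the original message or of any CentOS tooling: a small Python audit of yum/dnf `.repo` text that reports enabled repos where `repo_gpgcheck` is off, and notes when such a repo is also fetched over plain HTTP, as is the case with mirror.centos.org. The sample repo file and its hostnames are constructed, and an option missing from a repo section is assumed to be off unless its `[main]` value is passed in `main_defaults`.

```python
import configparser

# Constructed sample .repo text; hostnames are placeholders, not real mirrors.
SAMPLE_REPO = """\
[base]
baseurl=http://mirror.example.invalid/centos/$releasever/os/
enabled=1
gpgcheck=1
repo_gpgcheck=0

[extras]
mirrorlist=http://mirrorlist.example.invalid/?repo=extras
gpgcheck=1
repo_gpgcheck=1

[testing]
baseurl=https://mirror.example.invalid/testing/
enabled=0
gpgcheck=0
"""

TRUTHY = {"1", "true", "yes", "on"}


def audit_repos(text, main_defaults=None):
    """Return {repo_id: [findings]} for every enabled repo in .repo text."""
    # Assumption: an option missing from the repo section is off unless the
    # caller passes the [main] value from yum.conf/dnf.conf in main_defaults.
    defaults = {"enabled": "1", "gpgcheck": "0", "repo_gpgcheck": "0"}
    defaults.update(main_defaults or {})
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)

    def is_on(repo, key):
        return repo.get(key, fallback=defaults[key]).strip().lower() in TRUTHY

    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo_id == "main" or not is_on(repo, "enabled"):
            continue
        findings = []
        urls = " ".join(repo.get(k, fallback="") for k in ("baseurl", "mirrorlist", "metalink"))
        if not is_on(repo, "repo_gpgcheck"):
            note = " (fetched over plain http)" if "http://" in urls else ""
            findings.append("repomd.xml signature not verified" + note)
        if not is_on(repo, "gpgcheck"):
            findings.append("package signatures not verified")
        report[repo_id] = findings
    return report
```

An empty findings list means both the package signatures and the signed `repomd.xml` are checked for that repo; disabled repos are left out of the report.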