On 04.09.20 at 16:08, Johnny Hughes wrote:
> On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
>> Hi,
>>
>> I wonder if it would not be beneficial to enable repo_gpgcheck for all
>> centos repos? A short cross check shows that SIG repos also have
>> repomd.xml signed. mirror.centos.org has no TLS enabled and
>> repo_gpgcheck would add an additional security layer per default?
>> This could be started for EL8? Or are there any barriers?
>>
>> --
>
> It is on almost all repos ..
>
> C6, c7, and c8
>
> The reason mirror.centos.org is not https is that many machines are donated
> .. and could be taken away (reclaimed) by the donors, who have physical
> control of the machines. We don't want 'private' keys on those donated
> machines, which is the reason we created repo_gpgcheck repos.

Sure, this applies to TLS. Therefore I was suggesting to enable
repo_gpgcheck for all CentOS repos in the _configuration files_. Is the
default false, or are they enabled elsewhere?

# grep repo_gpgcheck /etc/yum.repos.d/C*
# echo $?
1

--
Leon
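Extending Leon's grep check, the following is an added example (not from the thread or the CentOS project) that audits every section in a directory of .repo files for repo_gpgcheck=1 and can add the setting in place; the sample repo file is constructed for the demo and its baseurl paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the CentOS-devel thread. Audits yum/dnf .repo files
# for sections that do not set repo_gpgcheck=1 (repomd.xml signature check)
# and can add the setting. The sample repo file below is constructed.

# Print "<file>:<section>" for every repo section lacking repo_gpgcheck=1.
audit_repo_gpgcheck() {
  repodir="$1"
  for f in "$repodir"/*.repo; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      function flush() { if (section != "" && !ok) print file ":" section }
      /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2); ok = 0; next }
      /^[ \t]*repo_gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
      END { flush() }
    ' "$f"
  done
}

# Rewrite one .repo file in place so every section that never sets
# repo_gpgcheck gets repo_gpgcheck=1 appended before its first blank line.
enable_repo_gpgcheck() {
  f="$1"
  awk '
    function flush() { if (section != "" && !ok) { print "repo_gpgcheck=1"; ok = 1 } }
    /^\[.*\]$/ { flush(); section = $0; ok = 0 }
    /^[ \t]*repo_gpgcheck[ \t]*=/ { ok = 1 }
    /^[ \t]*$/ { flush() }
    { print }
    END { flush() }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample: one section without the check, one with it (assumed paths).
make_sample() {
  sample=$(mktemp -d)
  cat > "$sample/CentOS-Base.repo" <<'EOF'
[baseos]
baseurl=http://mirror.centos.org/centos/$releasever/BaseOS/$basearch/os/
gpgcheck=1

[appstream]
baseurl=http://mirror.centos.org/centos/$releasever/AppStream/$basearch/os/
gpgcheck=1
repo_gpgcheck=1
EOF
  printf '%s\n' "$sample"
}
```

Run `audit_repo_gpgcheck /etc/yum.repos.d` on a real host to list sections that still rely on package signatures alone; the audit only reports, the rewrite is opt-in per file.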