On Fri, Sep 4, 2020, at 10:36, Leon Fauster via CentOS-devel wrote:
> On 04.09.20 at 16:08, Johnny Hughes wrote:
> > On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
> >> Hi,
> >>
> >> I wonder if it would not be beneficial to enable repo_gpgcheck for all
> >> CentOS repos? A short cross check shows that SIG repos also have
> >> repomd.xml signed. mirror.centos.org has no TLS enabled and
> >> repo_gpgcheck would add an additional security layer per default?
> >> This could be started for EL8? Or are there any barriers?
> >>
> >> --
> >
> > It is on almost all repos ..
> >
> > C6, c7, and c8
> >
> > The reason mirror.centos.org is not https is many machines are donated
> > .. and could be taken away (reclaimed) by the donors, who have physical
> > control of the machines. We don't want 'private' keys on those donated
> > machines and the reason we created repo_gpgcheck repos.
>
> Sure, this applies to TLS. Therefore I was suggesting to enable
> repo_gpgcheck for all CentOS repos in the _configuration files_.
> The default is false or are they enabled elsewhere?
>
> # grep repo_gpgcheck /etc/yum.repos.d/C*
> # echo $?
> 1
>
> --
> Leon
>
>
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> https://lists.centos.org/mailman/listinfo/centos-devel

While we want signed repodata to be *available* to folks who want to enable it, we don't want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.

--Brian
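Since the thread leaves repo_gpgcheck as a per-site decision, here is an added example (not from the thread, not CentOS project code) of making that decision in a script: it audits .repo files the way Leon's grep does, but per [section], and rewrites any section that lacks repo_gpgcheck=1 (or sets it to 0). The sample CentOS-Base.repo content it writes is constructed for the demonstration; the function and file names are the author's own.

```shell
#!/bin/sh
# Added example: audit and enable repo_gpgcheck in yum/dnf .repo files.
# Every function takes a file path, so it can be run against a copy or a
# constructed sample instead of /etc/yum.repos.d directly.
set -eu

# Write a constructed sample .repo file (not a real CentOS shipped file)
# with one section lacking repo_gpgcheck and one explicitly disabling it.
write_sample_repo() {
  cat > "$1" <<'EOF'
# constructed sample for the example
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
}

# Print the header of every [section] in FILE that does not contain
# exactly repo_gpgcheck=1; return 1 if any such section exists.
audit_repo_gpgcheck() {
  missing=$(awk '
    /^\[/ { if (sect != "" && !ok) print sect; sect = $0; ok = 0; next }
    /^[[:space:]]*repo_gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { ok = 1 }
    END   { if (sect != "" && !ok) print sect }
  ' "$1")
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Rewrite FILE in place: existing repo_gpgcheck lines become repo_gpgcheck=1,
# and a section with no such line gets one inserted right after its header.
# Text before the first section header (comments) is passed through.
enable_repo_gpgcheck() {
  awk '
    function flush(   i) {
      if (n == 0) return
      print buf[0]                       # section header
      if (!seen) print "repo_gpgcheck=1"
      for (i = 1; i < n; i++) print buf[i]
      n = 0; seen = 0
    }
    /^\[/ { flush(); buf[n++] = $0; next }
    /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ { buf[n++] = "repo_gpgcheck=1"; seen = 1; next }
    { if (n == 0) print; else buf[n++] = $0 }
    END { flush() }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# When given .repo paths on the command line, report the sections that
# still need attention (nothing runs when the script is sourced without args).
for f in "$@"; do
  audit_repo_gpgcheck "$f" || echo "$f: sections above lack repo_gpgcheck=1"
done
```

After enabling it on a real system, run `yum clean all` / `dnf clean all` and refresh the metadata: yum/dnf will now fetch repomd.xml.asc alongside repomd.xml and verify it against the keys listed in gpgkey=, prompting to import a key it has not seen before; a mirror that serves metadata whose signature does not verify is rejected rather than used silently.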