On 9/4/20 12:09 PM, Brian Stinson wrote:
>
>
> On Fri, Sep 4, 2020, at 10:36, Leon Fauster via CentOS-devel wrote:
>> On 04.09.20 at 16:08, Johnny Hughes wrote:
>>> On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
>>>> Hi,
>>>>
>>>> I wonder if it would not be beneficial enabling repo_gpgcheck for all
>>>> centos repos? A short cross check shows that also SIG repos have
>>>> repomd.xml signed. mirror.centos.org has no TLS enabled and
>>>> repo_gpgcheck would add an additional security layer per default?
>>>> This could be started for EL8? Or are there any barriers?
>>>>
>>>> --
>>>
>>> It is on almost all repos ..
>>>
>>> C6, c7, and c8
>>>
>>> The reason mirror.centos.org is not https is many machines are donated
>>> .. and could be taken away (reclaimed) by the donors, who have physical
>>> control of the machines. We don't want 'private' keys on those donated
>>> machines and the reason we created repo_gpgcheck repos.
>>
>> Sure, this applies to TLS. Therefore I was suggesting to enable
>> repo_gpgcheck for all CentOS repos in the _configuration files_.
>> The default is false or are they enabled elsewhere?
>>
>> # grep repo_gpgcheck /etc/yum.repos.d/C*
>> # echo $?
>> 1
>>
>> --
>> Leon
>>
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> https://lists.centos.org/mailman/listinfo/centos-devel
>
> While we want signed repodata to be *available* to folks who want to enable it, we don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
>
> —Brian

Agreed.
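Since the thread above establishes that signed repomd.xml is available but repo_gpgcheck is left off by default in the shipped .repo files, a site that wants to opt in needs a way to audit its own configuration. The following is an added example, not code from the thread or from CentOS, that walks each section of a yum/dnf .repo file and lists the repos where repo_gpgcheck is missing or not 1; the sample repo file is constructed here and is not the real CentOS-Base.repo.

```shell
# Added example: report repo sections whose repomd.xml signature will NOT be
# verified, i.e. repo_gpgcheck absent or set to something other than 1.
# Assumes the standard INI layout used by yum/dnf .repo files.

repos_without_repo_gpgcheck() {
    # $1 = path to a .repo file; prints one offending section name per line
    awk '
        function flush() {
            if (section != "" && val != "1") print section
        }
        /^\[.*\]$/ {
            flush()
            section = substr($0, 2, length($0) - 2)
            val = ""
            next
        }
        /^[[:space:]]*repo_gpgcheck[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            val = kv[2]
        }
        END { flush() }
    ' "$1"
}

# Constructed sample resembling a CentOS 8 repo file: only [extras] opts in.
make_sample_repo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[baseos]
name=CentOS-8 - BaseOS
mirrorlist=http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=BaseOS
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[extras]
name=CentOS-8 - Extras
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_repo)
repos_without_repo_gpgcheck "$sample"   # prints: baseos
rm -f "$sample"
```

Run it over `/etc/yum.repos.d/*.repo` to see which repos would still accept unsigned repodata from a plain-HTTP mirror; setting `repo_gpgcheck=1` in those sections requires the matching `gpgkey` to be imported.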