[CentOS-devel] repo_gpgcheck for centos repos?

Tue Sep 8 15:01:14 UTC 2020
Johnny Hughes <johnny at centos.org>

On 9/4/20 12:09 PM, Brian Stinson wrote:
> 
> 
> On Fri, Sep 4, 2020, at 10:36, Leon Fauster via CentOS-devel wrote:
>> Am 04.09.20 um 16:08 schrieb Johnny Hughes:
>>> On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
>>>> Hi,
>>>>
>>>> I wonder if it would not be beneficial to enable repo_gpgcheck for all
>>>> centos repos?  A short cross check shows that also SIG repos have
>>>> repomd.xml signed. mirror.centos.org has no TLS enabled and
>>>> repo_gpgcheck would add an additional security layer per default?
>>>> This could be started for EL8? Or are there any barriers?
>>>>
>>>> -- 
>>>
>>> It is on almost all repos ..
>>>
>>> C6, c7, and c8
>>>
>>> The reason mirror.centos.org is not https is many machines are donated
>>> .. and could be taken away (reclaimed) by the donors, who have physical
>>> control of the machines.  We don't want 'private' keys on those donated
>>> machines and the reason we created repo_gpgcheck repos.
>>
>> Sure, this applies to TLS. Therefore I was suggesting to enable
>> repo_gpgcheck for all CentOS repos in the _configuration files_.
>> The default is false or are they enabled elsewhere?
>>
>> # grep repo_gpgcheck /etc/yum.repos.d/C*
>> # echo $?
>> 1
>>
>> --
>> Leon
> 
> While we want signed repodata to be *available* to folks who want to enable it, we don't want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
> 
> —Brian

Agreed.
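As an added example (not from the thread or the CentOS project), a shell audit that reads yum/dnf .repo files and reports each repository section where repo_gpgcheck is unset or disabled. Leon's grep above only tells whether the string appears anywhere in the files; this walks the sections individually, accepts the boolean spellings dnf understands, and runs against a constructed sample file with placeholder mirror URLs.

```shell
#!/bin/sh
# Added example, not part of the thread: audit yum/dnf .repo files and report
# every repository section whose repo_gpgcheck is unset or disabled, i.e. where
# the signature on repomd.xml is not verified. Usage: audit_repo_gpgcheck FILE...
audit_repo_gpgcheck() {
    awk '
        function is_true(v) { v = tolower(v); return v == "1" || v == "yes" || v == "true" || v == "on" }
        function flush() { if (sec != "" && !is_true(val)) printf "%s repo_gpgcheck=%s\n", sec, val }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ {                                # new [section]: report the previous one
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            val = "unset"
            next
        }
        /^[ \t]*repo_gpgcheck[ \t]*=/ {              # key = value: strip key and whitespace
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
        }
        END { flush() }
    ' "$@"
}

# Constructed sample .repo file (placeholder mirror URLs), mixing a repo that
# never sets repo_gpgcheck, one that enables it, and one that turns it off.
make_sample_repo() {
    cat > "$1" <<'EOF'
[baseos]
name=Sample - BaseOS
baseurl=http://mirror.example.invalid/centos/8/BaseOS/x86_64/os/
gpgcheck=1

[appstream]
name=Sample - AppStream
baseurl=http://mirror.example.invalid/centos/8/AppStream/x86_64/os/
gpgcheck=1
repo_gpgcheck = 1

[extras]
name=Sample - Extras
baseurl=http://mirror.example.invalid/centos/8/extras/x86_64/os/
gpgcheck=1
repo_gpgcheck=0
EOF
}

# Stand-alone run: build the sample and print the repos that still need attention.
sample=$(mktemp) && make_sample_repo "$sample"
audit_repo_gpgcheck "$sample"
rm -f "$sample"
```

Pointing the function at the real files (`audit_repo_gpgcheck /etc/yum.repos.d/*.repo`) gives a per-repository answer to the question in the thread.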
