On 08.09.20 at 17:12, Neal Gompa wrote:
> On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson <brian at bstinson.com> wrote:
>>
>> While we want signed repodata to be *available* to folks who want to enable it, we don't want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
>>
>
> This is a very bizarre stance to take. Enabling repo_gpgcheck for
> the CentOS provided repos in their repo files should not harm anything
> else, and only further ensures the integrity of the repository
> content.

This was exactly my motivation for asking. After 5 years of "maturing" it could be the default now, I thought.

https://lists.centos.org/pipermail/centos/2015-May/152065.html

> Is there a compelling reason to *not* change the defaults? Because
> from my perspective, I don't see any.

But I am not sure, or rather I do not have a test scenario where this could lead to a problem. Especially in the initial setup stage where dnf/yum asks to check this but does not have the key (composer, kickstart?) - or will this be ignored by dnf/yum for those scenarios?

I remember asking somewhere if the integrity in general gets checked (anaconda or kickstart list) but got no feedback. JFI: https://bugzilla.redhat.com/show_bug.cgi?id=998

Once the system is installed it would ask as it is done for the normal rpm checks (gpgcheck=1).

And for the suggestion of Brian: The problem that I see with "local" configurations of repo_gpgcheck is that all files are (correctly) packaged with %config(noreplace) and that would lead to more management friction ... normally the presets are safe and do not need to be altered. Or does dnf support drop-in configs that get merged when the repo definitions are read? :-)

--
Leon
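The thread is about whether `repo_gpgcheck=1` (signature verification of the repodata itself, on top of `gpgcheck=1` for the packages) should be on by default in the shipped `.repo` files, or left as a per-site setting. Either way an administrator wants to know which repositories on a host actually verify repodata. The following is an added example, not code from the list thread or from CentOS: a small audit of yum/dnf-style repo files that reports repos without `gpgcheck`, without `repo_gpgcheck`, or with checks enabled but no `gpgkey` to verify against, and that produces a hardened copy with both checks turned on. The sample repo file, repo ids and URLs are constructed for the example; the option names `gpgcheck`, `repo_gpgcheck`, `gpgkey` and `enabled` are the real dnf/yum ones.

```python
import configparser

# Constructed sample .repo file for the example. It is not a real CentOS repo
# file; the repo ids, names, URLs and key path are invented.
SAMPLE_REPO_FILE = """\
[baseos]
name=Example BaseOS
baseurl=https://mirror.example.invalid/baseos/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[appstream]
name=Example AppStream
baseurl=https://mirror.example.invalid/appstream/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[extras-disabled]
name=Example Extras
baseurl=https://mirror.example.invalid/extras/
enabled=0
gpgcheck=0
"""


def parse_repo_file(text):
    """Parse INI-style repo file text; interpolation is off because baseurl
    values may legitimately contain '%' (e.g. URL-encoded characters)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return {repo_id: [finding, ...]} for every repo section in the file.

    Disabled repos are reported too: they can be switched on later with
    --enablerepo and then inherit whatever (weak) settings they carry."""
    cp = parse_repo_file(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        # dnf/yum treat a missing gpgcheck/repo_gpgcheck as "0" unless the
        # main dnf.conf overrides it, so a missing key is treated as off here.
        pkg_check = sec.get("gpgcheck", "0") == "1"
        repo_check = sec.get("repo_gpgcheck", "0") == "1"
        issues = []
        if not pkg_check:
            issues.append("gpgcheck not enabled: package signatures are not verified")
        if not repo_check:
            issues.append("repo_gpgcheck not enabled: repomd.xml signature is not verified")
        if (pkg_check or repo_check) and not sec.get("gpgkey"):
            # This is the "does not have the key" case from the thread: a check
            # is requested but there is nothing to verify against.
            issues.append("verification enabled but no gpgkey configured")
        findings[repo] = issues
    return findings


def render(cp):
    """Write sections back as key=value lines (no spaces around '='),
    the style used in shipped .repo files."""
    lines = []
    for repo in cp.sections():
        lines.append(f"[{repo}]")
        for key, value in cp.items(repo):
            lines.append(f"{key}={value}")
        lines.append("")
    return "\n".join(lines)


def harden(text):
    """Return a copy of the repo file with gpgcheck and repo_gpgcheck forced to 1.

    Intentionally does not invent a gpgkey: that value must come from the
    distribution, so a missing key still shows up in a follow-up audit."""
    cp = parse_repo_file(text)
    for repo in cp.sections():
        cp[repo]["gpgcheck"] = "1"
        cp[repo]["repo_gpgcheck"] = "1"
    return render(cp)


if __name__ == "__main__":
    for repo, issues in audit(SAMPLE_REPO_FILE).items():
        status = "ok" if not issues else "; ".join(issues)
        print(f"{repo}: {status}")
    print("\n--- hardened ---")
    print(harden(SAMPLE_REPO_FILE))
```

Writing a modified file back is exactly the `%config(noreplace)` friction Leon describes: a locally edited `/etc/yum.repos.d/*.repo` is no longer replaced on package update, so the audit is more useful as a recurring check than as a one-shot rewrite. For changing the setting in place on a real host, `dnf config-manager --save --setopt=<repoid>.repo_gpgcheck=1` (from dnf-plugins-core) does the same edit through dnf's own config handling rather than through an ad-hoc script.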