[CentOS-devel] repo_gpgcheck for centos repos?

Tue Sep 8 18:38:49 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

Am 08.09.20 um 17:12 schrieb Neal Gompa:
> On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson <brian at bstinson.com> wrote:
>>
>> While we want signed repodata to be *available* to folks who want to enable it, We don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
>>
> 
> This is a very bizarre stance to take. Enabling repo_gpgcheck for
> the CentOS provided repos in their repo files should not harm anything
> else, and only further ensures the integrity of the repository
> content.


This was exactly my motivation for asking.

After 5 years of "maturing" it could be the default now, thought.

https://lists.centos.org/pipermail/centos/2015-May/152065.html




> Is there a compelling reason to *not* change the defaults? Because
> from my perspective, I don't see any.


But I am not sure respectively I do not have a test scenario where
this could lead to a problem. Especially in the initial setup stage
where dnf/yum asks to check this but do not have the key (composer,
kickstart?) - or will this be ignored by dnf/yum for those scenarios?
I remember asking somewhere, if the integrity in generall gets checked
(anaconda or kickstart list) but got no feedback.

JFI: https://bugzilla.redhat.com/show_bug.cgi?id=998


Once the system is installed it would ask as it is done for the normal
rpm checks (gpgcheck=1).


And for the suggestion of Brian: The problem that I see with "local"
configurations of repo_gpgcheck is that all files are (correctly)
packaged with %config(noreplace) and that would lead to more
management friction ... normaly the presets are save and do not
need to be altered. Or does dnf supports drop-in configs that get
merged when the repo definitions are read? :-)


--
Leon