On Tue, Sep 08, 2020 at 02:51:19PM -0400, James Cassell wrote:
>
> On Tue, Sep 8, 2020, at 11:12 AM, Neal Gompa wrote:
> > On Fri, Sep 4, 2020 at 1:10 PM Brian Stinson <brian at bstinson.com> wrote:
> > >
> > > While we want signed repodata to be *available* to folks who want to enable it, we don’t want it necessarily to be the default for all users. We want it to be a decision that folks make for their own sites.
> > >
> >
> > This is a very bizarre stance to take. Enabling repo_gpgcheck for
> > the CentOS provided repos in their repo files should not harm anything
> > else, and only further ensures the integrity of the repository
> > content.
> >
> > Is there a compelling reason to *not* change the defaults? Because
> > from my perspective, I don't see any.
> >
>
> The only reason might be to prevent breaking folks who regenerate the repomd locally. Not sure whether pulp preserves the original md or regenerates its own. (I always use exactly the upstream repomd for precisely this reason of avoiding breaking repo_gpgcheck, which is often on "security hardening" checklists.)

well, no idea if the yum/dnf in CentOS/RHEL have the same issues as the
Fedora versions, but there are a LOT of corner cases around signed repos.

https://bugzilla.redhat.com/show_bug.cgi?id=1247644
"dnf --cacheonly wants to import GPG key when using repo_gpgcheck"

Because dnf stores repo gpg keys in its cache, every user has to import
it/might be confused when it's not there.

https://bugzilla.redhat.com/show_bug.cgi?id=1768206
DNF prompts for GPG key import for "repo_gpgcheck=1"-repositories despite "rpm --import"-ing the keys first

This one causes dnf to prompt for the key when people don't expect it to.

and more...

There's just a lot of corner cases around this, so I would be careful
about enabling it across the board.

kevin
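For sites deciding whether to turn on `repo_gpgcheck` themselves, as discussed in the thread above, the following added example (not part of the original thread and not dnf's own code) parses dnf-style configuration and reports which enabled repositories do not verify signed metadata. The repo ids, URLs and key path in the sample are constructed; the sketch relies on dnf treating `gpgcheck` and `repo_gpgcheck` as false when unset and on `[main]` values acting as defaults for repo sections.

```python
import configparser

# Constructed sample input: a dnf.conf-style [main] section followed by repo
# sections, as they would appear across /etc/dnf/dnf.conf and *.repo files.
SAMPLE = """
[main]
gpgcheck=1

[baseos]
baseurl=https://mirror.example.org/baseos/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
repo_gpgcheck=1

[local-mirror]
baseurl=https://repo.internal.example/mirror/
gpgcheck=yes

[scratch]
baseurl=https://repo.internal.example/scratch/
gpgcheck=0
enabled=0
"""

def audit_repos(text):
    """Return {repo_id: {...}} with the effective signature-check settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Both options are off when unset; [main] can override that default.
    defaults = {"gpgcheck": False, "repo_gpgcheck": False}
    if cp.has_section("main"):
        for opt in defaults:
            defaults[opt] = cp.getboolean("main", opt, fallback=defaults[opt])
    report = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        report[repo] = {
            "enabled": cp.getboolean(repo, "enabled", fallback=True),
            "gpgcheck": cp.getboolean(repo, "gpgcheck", fallback=defaults["gpgcheck"]),
            "repo_gpgcheck": cp.getboolean(repo, "repo_gpgcheck", fallback=defaults["repo_gpgcheck"]),
            "has_gpgkey": cp.has_option(repo, "gpgkey"),
        }
    return report

def metadata_unsigned(report):
    """Enabled repos whose repository metadata signature is not verified."""
    return sorted(r for r, s in report.items() if s["enabled"] and not s["repo_gpgcheck"])
```

A repository flagged here with `has_gpgkey` false would also need a `gpgkey=` entry before `repo_gpgcheck=1` can succeed, and a mirror that regenerates its metadata locally would need to sign it with a key the clients trust.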