[CentOS] rpm libuser-devel is not signed

John Hodrien J.H.Hodrien at leeds.ac.uk
Thu Apr 21 11:56:27 UTC 2011


On Thu, 21 Apr 2011, Karanbir Singh wrote:

> yes, a package was released, unsigned, and has been fixed. (and 4 more
> tests added to the release process to make sure that this does not
> happen again; or at least reduce the chance of this going out).

And if people stick with the sane practice of only trusting signed packages,
this is quickly caught and the only cost is a short delay while updated
packages are pushed out.

If people think that disabling gpg checking is a good idea, you risk this
finding its way into their yum.conf.  That's exactly what you've seen amongst
some spacewalk users.

jh
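
An added example, not part of the original post: a shell function that reports any section of yum.conf or a .repo file that explicitly turns off gpgcheck, which is the setting the message warns about. The sample files and repo names are constructed, and treating 0, no and false as the disabling values is an assumption.

```shell
# Added example (not from the thread): report yum config sections that
# explicitly turn off gpgcheck. Assumes 0, no and false mean "disabled".
audit_gpgcheck() {
    # Prints "file:[section] gpgcheck=value" per hit; returns 1 if any hit.
    awk '
        FNR == 1      { section = "(none)" }
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                        section = s; next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "gpgcheck" && (val == "0" || val == "no" || val == "false")) {
                printf "%s:[%s] gpgcheck=%s\n", FILENAME, section, val
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

write_sample() {
    # Constructed sample files (hypothetical repo names), written into dir $1.
    cat > "$1/yum.conf" <<'EOF'
[main]
gpgcheck=1
EOF
    cat > "$1/example.repo" <<'EOF'
[example-client-tools]
name=Example client tools (constructed)
baseurl=http://repo.example.invalid/client/
gpgcheck = 0
# gpgcheck=0 inside a comment is ignored
[example-base]
gpgcheck=1
EOF
}

if [ "$#" -eq 0 ]; then          # no arguments: run on the constructed sample
    d=$(mktemp -d) && write_sample "$d"
    audit_gpgcheck "$d/yum.conf" "$d/example.repo" || echo "gpgcheck disabled above" >&2
    rm -rf "$d"
else                             # e.g. /etc/yum.conf /etc/yum.repos.d/*.repo
    audit_gpgcheck "$@" || echo "gpgcheck disabled above" >&2
fi
```

Only explicit settings are reported; a repo section with no gpgcheck line inherits whatever [main] or yum's default gives it.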


