Mike McLean mikem at redhat.com
Thu Sep 18 18:54:12 UTC 2008

David Juran wrote:
> Hello.
> I see a debate is starting to arise on the benefits of including the EPEL key in RHEL. The problem I originally wanted to solve when I proposed this was to avoid the chicken-egg problem with how to trust the epel-release package that contains the EPEL key if you don't already have the key. But yes, there is the problem of keeping the keys in sync.
> In my opinion it doesn't make much sense to sign a package with a key that is contained in that very package. So what other approaches are there? Would it be possible to have epel-release signed by the RHEL key? Would EPEL want to? Would Red Hat do it if asked nicely?

This problem is hardly unique to EPEL. Any third-party repo is going to 
have such problems. It is not that difficult for an admin to install 
epel-release. I've done it myself and found it trivial.

Heck, the redhat-release packages provide keys that they themselves are 
signed with. I don't think this is a problem; you have to start somewhere.

