[BZ 432811] EPEL key in RHEL
Mike McLean
mikem at redhat.com
Thu Sep 18 18:54:12 UTC 2008
David Juran wrote:
> Hello.
>
> I see a debate is starting to arise on the benefits of including the EPEL key in RHEL. The problem I originally wanted to solve when I proposed this, was to avoid the chicken-egg problem with how to trust the epel-release package that contains the EPEL key if you don't already have the key. But yes, there is the problem of keeping the keys in sync.
> In my opinion it doesn't make much sense to sign a package with a key that is contained in that very package. So what other approaches are there? Would it be possible to have epel-release signed by the RHEL key? Would EPEL want to? Would Red Hat do it if asked nicely?
This problem is hardly unique to EPEL. Any third-party repo is going to
have such problems. It is not that difficult for an admin to install
epel-release. I've done it myself and found it trivial.
Heck, the redhat-release packages provide keys that they themselves are
signed with. I don't think this is a problem; you have to start somewhere.
More information about the epel-devel-list
mailing list