[BZ 432811] EPEL key in RHEL

Stephen John Smoogen smooge at gmail.com
Thu Sep 18 19:01:28 UTC 2008


On Thu, Sep 18, 2008 at 12:54 PM, Mike McLean <mikem at redhat.com> wrote:
> David Juran wrote:
>>
>> Hello.
>>
>> I see a debate is starting to arise on the benefits of including the EPEL
>> key in RHEL. The problem I originally wanted to solve when I proposed this,
>> was to avoid the chicken-egg problem with how to trust the epel-release
>> package that contains the EPEL key if you don't already have the key. But
>> yes, there is the problem of keeping the keys in sync.  In my opinion it
>> doesn't make much sense to sign a package with a key that is contained in
>> that very package. So what other approaches are there? Would it be possible
>> to have epel-release signed by the RHEL key? Would EPEL want to? Would Red
>> Hat do it if asked nicely?
>
> This problem is hardly unique to EPEL. Any third-party repo is going to have
> such problems. It is not that difficult for an admin to install
> epel-release. I've done it myself and found it trivial.
>
> Heck, the redhat-release packages provide keys that they themselves are
> signed with. I don't think this is a problem; you have to start somewhere.
>

I do agree we need to start from somewhere. I think we should start
from the redhat key since that is one that is locked on lots of cdrom
media etc for people to trust against. After that, we should have the
EPEL key signed by that one and then the resulting fingerprints
published in appropriate places.

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
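The chain described in this thread (pin the vendor's root key from trusted media, have the repository key certified by it, then check fingerprints before importing anything) can be verified mechanically from the output of `gpg --with-colons --check-sigs`. The following is an added example, not code from the thread or from the EPEL project; every fingerprint and key ID in it is a constructed placeholder, and the sample colon output is constructed to the shape GnuPG emits. The check refuses the repository key unless its fingerprint matches the pinned value and it carries a good certification signature from the pinned root key.

```python
"""Verify that a third-party repo signing key is certified by a pinned root
key, using `gpg --with-colons --check-sigs` output.

All fingerprints, key IDs and user IDs below are constructed placeholders,
not the real Red Hat or EPEL key values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Pinned values an admin would copy from trusted media or a printed fingerprint
# list (constructed placeholders).
ROOT_FPR = "1111222233334444555566667777888899990000"  # e.g. vendor release key
REPO_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"  # e.g. add-on repo key


@dataclass
class Key:
    keyid: str
    fingerprint: Optional[str] = None
    uids: List[str] = field(default_factory=list)
    # (signer keyid, status); status "!" means gpg verified the signature as good,
    # "-" bad, "%" error, "?" signer key not available.
    sigs: List[Tuple[str, str]] = field(default_factory=list)


def parse_check_sigs(colon_output: str) -> Dict[str, Key]:
    """Parse pub/fpr/uid/sig records into Key objects keyed by primary key ID.
    Records belonging to subkeys (after a 'sub' line) are ignored."""
    keys: Dict[str, Key] = {}
    current: Optional[Key] = None
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            current = Key(keyid=f[4])          # field 5: long key ID
            keys[current.keyid] = current
        elif current is None:
            continue
        elif rec == "sub":
            current = None                     # stop attributing records to the primary
        elif rec == "fpr" and current.fingerprint is None:
            current.fingerprint = f[9]         # field 10: fingerprint of the primary key
        elif rec == "uid":
            current.uids.append(f[9])          # field 10: user ID string
        elif rec == "sig":
            current.sigs.append((f[4], f[1]))  # field 5: signer key ID, field 2: status
    return keys


def verify_trust_chain(colon_output: str,
                       root_fpr: str = ROOT_FPR,
                       repo_fpr: str = REPO_FPR) -> Dict[str, bool]:
    """Return which links of the chain hold: root key present with the pinned
    fingerprint, repo key present with the pinned fingerprint, and a good
    certification on the repo key made by the root key."""
    by_fpr = {k.fingerprint: k for k in parse_check_sigs(colon_output).values()
              if k.fingerprint}
    root_present = root_fpr in by_fpr
    repo_present = repo_fpr in by_fpr
    certified = False
    if root_present and repo_present:
        root_keyid = root_fpr[-16:]            # long key ID is the low 64 bits of the fpr
        certified = any(signer == root_keyid and status == "!"
                        for signer, status in by_fpr[repo_fpr].sigs)
    return {"root_present": root_present, "repo_present": repo_present,
            "repo_certified_by_root": certified,
            "ok": root_present and repo_present and certified}


# Constructed sample: root key self-signed, repo key self-signed AND certified
# (class 10x) by the root key.
SAMPLE_GOOD = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:7777888899990000:1600000000:::u:::scSC::::::::
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1600000000::DEADBEEF::Example Vendor Release Key (constructed) <release@example.invalid>::::::::::
sig:!::1:7777888899990000:1600000000::::Example Vendor Release Key (constructed) <release@example.invalid>:13x::1111222233334444555566667777888899990000:::8:
pub:f:4096:1:0000111122223333:1650000000:::-:::scSC::::::::
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:f::::1650000000::CAFEBABE::Example Addon Repo Key (constructed) <repo@example.invalid>::::::::::
sig:!::1:0000111122223333:1650000000::::Example Addon Repo Key (constructed) <repo@example.invalid>:13x::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:::8:
sig:!::1:7777888899990000:1660000000::::Example Vendor Release Key (constructed) <release@example.invalid>:10x::1111222233334444555566667777888899990000:::8:
"""

# Constructed sample: same keys, but the repo key only carries its own
# self-signature, so the chicken-and-egg problem is unresolved.
SAMPLE_UNCERTIFIED = "\n".join(SAMPLE_GOOD.splitlines()[:-1]) + "\n"


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("uncertified", SAMPLE_UNCERTIFIED)):
        print(name, verify_trust_chain(sample))
```

In practice the input would be `gpg --homedir <keyring> --with-colons --check-sigs` run against a keyring holding the pinned root key and the candidate repo key, and `rpm --import` of the repo key would happen only when `ok` is true; the pinned fingerprints are the one thing that must come from a channel other than the package being trusted.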
