[BZ 432811] EPEL key in RHEL

Stephen John Smoogen smooge at gmail.com
Thu Sep 18 21:00:51 UTC 2008


On Thu, Sep 18, 2008 at 1:43 PM, Michael DeHaan <mdehaan at redhat.com> wrote:
> Stephen John Smoogen wrote:
>>
>> On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <mikem at redhat.com> wrote:
>>
>>>
>>> Stephen John Smoogen wrote:
>>>
>>>>
>>>> I do agree we need to start from somewhere. I think we should start
>>>> from the redhat key since that is one that is locked on lots of cdrom
>>>> media etc for people to trust against. After that, we should have the
>>>> EPEL key signed by that one and then the resulting fingerprints
>>>> published in appropriate places.
>>>>
>>>
>>> o boy. That sounds like a tall order. We'll have to ask pm and legal
>>> about that one.
>>>
>>> At any rate, I don't think the signing you suggest will make installing
>>> epel-release any easier for anyone.
>>>
>>>
>>
>> In the end it's not about making the install easier. It's more about
>> trust of that installation. If the Fedora Keys are signed by the Red
>> Hat master GPG key... should EPEL be also signed if it is being used
>> for various Red Hat projects (spacewalk-0.3, cobbler, etc).
>>
>>
>>
>
> Slight clarification -- Any products resulting from the above projects will
> likely have their bits for RHEL end up distributed through RHEL channels
> (i.e. RHN).   I can't speak to Spacewalk though, but Cobbler will still be
> available in EPEL regardless.   I like EPEL, it's great and full of some
> nice software, but Red Hat does not support bits from EPEL, so we can't
> source the bits from there.    Spacewalk is probably considered a "layered"
> product, so I'm not sure what the stance on that in EPEL is -- Free IPA /is/
> in Fedora, however, and we have had the previous discussion about other bits
> on this list.   Either way, I'm not an authority on the above :)
>
> That all being said, I'd love to see the packages from EPEL signed in some
> form as there are a /lot/ of users using those same apps straight from EPEL,
> support or no -- they use them and they should be signed.   This has nothing
> to do with whether or not they are to be used for Red Hat things or
> otherwise, it's just a good thing to do since people depend on those repos.
>
> As for distributing an epel-release with RHEL, I'm not sure if that would
> happen or not as EPEL doesn't come with support.  I probably would not
> expect that to occur, but I think lots of folks do know about EPEL if they
> want to use it.

Actually I think having epel-release in RHEL would be bad for the same
reasons.. I just prefer it over having the epel keys there for no
reason :).



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"



