[BZ 432811] EPEL key in RHEL

Dennis Gilmore dennis at ausil.us
Thu Sep 18 21:15:24 UTC 2008


On Thursday 18 September 2008 02:43:13 pm Michael DeHaan wrote:
> Stephen John Smoogen wrote:
> > On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <mikem at redhat.com> wrote:
> >> Stephen John Smoogen wrote:
> >>> I do agree we need to start from somewhere. I think we should start
> >>> from the redhat key since that is one that is locked on lots of cdrom
> >>> media etc for people to trust against. After that, we should have the
> >>> EPEL key signed by that one and then the resulting fingerprints
> >>> published in appropriate places.
> >>
> >> o boy. That sounds like a tall order. We'll have to ask pm and legal
> >> about that one.
> >>
> >> At any rate, I don't think the signing you suggest will make installing
> >> epel-release any easier for anyone.
> >
> > > In the end it's not about making the install easier. It's more about
> > > trust of that installation. If the Fedora Keys are signed by the Red
> > Hat master GPG key... should EPEL be also signed if it is being used
> > for various Red Hat projects (spacewalk-0.3, cobbler, etc).
>
> Slight clarification -- Any products resulting from the above projects
> will likely have their bits for RHEL end up distributed through RHEL
> channels (i.e. RHN). I can't speak to Spacewalk though, but Cobbler
> will still be available in EPEL regardless. I like EPEL, it's great
> and full of some nice software, but Red Hat does not support bits from
> EPEL, so we can't source the bits from there. Spacewalk is probably
> considered a "layered" product, so I'm not sure what the stance on that
> in EPEL is -- Free IPA /is/ in Fedora, however, and we have had the
> previous discussion about other bits on this list. Either way, I'm not
> an authority on the above :)
until such time as spacewalk can work with postgresql or some other open
source database there will be a spacewalk repo, but the goal is to be in
Fedora and EPEL.

satellite is a layered product and can't depend on EPEL. spacewalk is not a
layered product and does depend on EPEL.

> That all being said, I'd love to see the packages from EPEL signed in
> some form as there are a /lot/ of users using those same apps straight
> from EPEL, support or no -- they use them and they should be signed.
> This has nothing to do with whether or not they are to be used for Red
> Hat things or otherwise, it's just a good thing to do since people
> depend on those repos.
all EPEL packages are signed. the key is distributed in the epel-release
package. I honestly don't think it's a good idea to have epel-release signed
by Red Hat's signing key.

> As for distributing an epel-release with RHEL, I'm not sure if that
> would happen or not as EPEL doesn't come with support.  I probably would
> not expect that to occur, but I think lots of folks do know about EPEL
> if they want to use it.
I don't think epel-release should ever be in RHEL; if anything, disabled epel
repo configs and the gpg key shipped with redhat-release. but that takes
control out of our hands. so I'm not for that.


I will get the fingerprint for the epel key posted @ 
https://admin.fedoraproject.org/fingerprints

Dennis
