[BZ 432811] EPEL key in RHEL
Dennis Gilmore
dennis at ausil.us
Thu Sep 18 21:15:24 UTC 2008
On Thursday 18 September 2008 02:43:13 pm Michael DeHaan wrote:
> Stephen John Smoogen wrote:
> > On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <mikem at redhat.com> wrote:
> >> Stephen John Smoogen wrote:
> >>> I do agree we need to start from somewhere. I think we should start
> >>> from the redhat key since that is one that is locked on lots of cdrom
> >>> media etc for people to trust against. After that, we should have the
> >>> EPEL key signed by that one and then the resulting fingerprints
> >>> published in appropriate places.
> >>
> >> o boy. That sounds like a tall order. We'll have to ask pm and legal
> >> about that one.
> >>
> >> At any rate, I don't think the signing you suggest will make installing
> >> epel-release any easier for anyone.
> >
> > In the end it's not about making the install easier. It's more about
> > trust of that installation. If the Fedora Keys are signed by the Red
> > Hat master GPG key... should EPEL be also signed if it is being used
> > for various Red Hat projects (spacewalk-0.3, cobbler, etc).
>
> Slight clarification -- Any products resulting from the above projects
> will likely have their bits for RHEL end up distributed through RHEL
> channels (i.e. RHN). I can't speak to Spacewalk though, but Cobbler
> will still be available in EPEL regardless. I like EPEL, it's great
> and full of some nice software, but Red Hat does not support bits from
> EPEL, so we can't source the bits from there. Spacewalk is probably
> considered a "layered" product, so I'm not sure what the stance on that
> in EPEL is -- Free IPA /is/ in Fedora, however, and we have had the
> previous discussion about other bits on this list. Either way, I'm not
> an authority on the above :)
Until such time as spacewalk can work with postgresql or some other open
source database there will be a spacewalk repo, but the goal is to be in
Fedora and EPEL.
Satellite is a layered product and can't depend on EPEL. Spacewalk is not a
layered product and does depend on EPEL.
> That all being said, I'd love to see the packages from EPEL signed in
> some form as there are a /lot/ of users using those same apps straight
> from EPEL, support or no -- they use them and they should be signed.
> This has nothing to do with whether or not they are to be used for Red
> Hat things or otherwise, it's just a good thing to do since people
> depend on those repos.
All EPEL packages are signed. The key is distributed in the epel-release
package. I honestly don't think it's a good idea to have epel-release signed
by Red Hat's signing key.
> As for distributing an epel-release with RHEL, I'm not sure if that
> would happen or not as EPEL doesn't come with support. I probably would
> not expect that to occur, but I think lots of folks do know about EPEL
> if they want to use it.
I don't think epel-release should ever be in RHEL; if anything, disabled epel
repo configs and the gpg key shipped with redhat-release. But that takes
control out of our hands, so I'm not for that.
I will get the fingerprint for the epel key posted @
https://admin.fedoraproject.org/fingerprints
Dennis