[BZ 432811] EPEL key in RHEL

David Juran djuran at redhat.com
Fri Sep 19 07:31:25 UTC 2008

On Thu, 2008-09-18 at 13:01 -0600, Stephen John Smoogen wrote:
> On Thu, Sep 18, 2008 at 12:54 PM, Mike McLean <mikem at redhat.com> wrote:

> >
> > This problem is hardly unique to EPEL. Any third-party repo is going to have
> > such problems. It is not that difficult for an admin to install
> > epel-release. I've done it myself and found it trivial.

But EPEL is not just "any" 3:rd party repo. EPEL is brought to you by
Fedora and Fedora has very close ties to Red Hat. So IMHO, it's a bad
thing to take advantage of those.

> > Heck, the redhat-release packages provide keys that they themselves are
> > signed with. I don't think this is a problem; you have to start somewhere.
> >
> I do agree we need to start from somewhere. I think we should start
> from the redhat key since that is one that is locked on lots of cdrom
> media etc for people to trust against. After that, we should have the
> EPEL key signed by that one and then the resulting fingerprints
> published in appropriate places.

Chances are that someone who wants to install epel-release already is
trusting the RHEL key. 

David Juran
Sr. Consultant
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/epel-devel-list/attachments/20080919/9abd7e65/attachment.sig>

More information about the epel-devel-list mailing list