[BZ 432811] EPEL key in RHEL
djuran at redhat.com
Fri Sep 19 07:31:25 UTC 2008
On Thu, 2008-09-18 at 13:01 -0600, Stephen John Smoogen wrote:
> On Thu, Sep 18, 2008 at 12:54 PM, Mike McLean <mikem at redhat.com> wrote:
> > This problem is hardly unique to EPEL. Any third-party repo is going to have
> > such problems. It is not that difficult for an admin to install
> > epel-release. I've done it myself and found it trivial.
But EPEL is not just "any" 3rd party repo. EPEL is brought to you by
Fedora and Fedora has very close ties to Red Hat. So IMHO, it's a bad
thing to take advantage of those.
> > Heck, the redhat-release packages provide keys that they themselves are
> > signed with. I don't think this is a problem; you have to start somewhere.
> I do agree we need to start from somewhere. I think we should start
> from the redhat key since that is one that is locked on lots of cdrom
> media etc for people to trust against. After that, we should have the
> EPEL key signed by that one and then the resulting fingerprints
> published in appropriate places.
Chances are that someone who wants to install epel-release already is
trusting the RHEL key.