[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [BZ 432811] EPEL key in RHEL



David Juran wrote:
Hello.

I see a debate is starting to arise on the benefits of including the EPEL key in RHEL. The problem I originally wanted to solve when I proposed this, was to avoid the chicken-egg problem with how to trust the epel-release package that contains the EPEL key if you don't already have the key. But yes, there is the problem of keeping the keys in sync. In my opinion it doesn't make much sense to sign a package with a key that is contained in that very package. So what other approaches are there? Would it be possible to have epel-release signed by the RHEL key? Would EPEL want to? Would Red Hat do it if asked nicely?

This problem is hardly unique to EPEL. Any third-party repo is going to have such problems. It is not that difficult for an admin to install epel-release. I've done it myself and found it trivial.

Heck, the redhat-release packages provide keys that they themselves are signed with. I don't think this is a problem; you have to start somewhere.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]