[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [BZ 432811] EPEL key in RHEL

Stephen John Smoogen wrote:
On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <mikem redhat com> wrote:
Stephen John Smoogen wrote:
I do agree we need to start from somewhere. I think we should start
from the redhat key since that is one that is locked on lots of cdrom
media etc for people to trust against. After that, we should have the
EPEL key signed by that one and then the resulting fingerprints
published in appropriate places.
o boy. That sounds like a tall order. We'll have to ask pm and legal about
that one.

At any rate, I don't think the signing you suggest will make installing
epel-release any easier for anyone.

In the end its not about making the install easier. Its more about
trust of that installation. If the Fedora Keys are signed by the Red
Hat master GPG key... should EPEL be also signed if it is being used
for various Red Hat projects (spacewalk-0.3, cobbler, etc).

Slight clarification -- Any products resulting from the above projects will likely have their bits for RHEL end up distributed through RHEL channels (i.e. RHN). I can't speak to Spacewalk though, but Cobbler will still be available in EPEL regardless. I like EPEL, it's great and full of some nice software, but Red Hat does not support bits from EPEL, so we can't source the bits from there. Spacewalk is probably considered a "layered" product, so I'm not sure what the stance on that in EPEL is -- Free IPA /is/ in Fedora, however, and we have had the previous discussion about other bits on this list. Either way, I'm not an authority on the above :)

That all being said, I'd love to see the packages from EPEL signed in some form as there are a /lot/ of users using those same apps straight from EPEL, support or no -- they use them and they should be signed. This has nothing to do with whether or not they are to be used for Red Hat things or otherwise, it's just a good thing to do since people depend on those repos.

As for distributing an epel-release with RHEL, I'm not sure if that would happen or not as EPEL doesn't come with support. I probably would not expect that to occur, but I think lots of folks do know about EPEL if they want to use it.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]