[BZ 432811] EPEL key in RHEL

Stephen John Smoogen smooge at gmail.com
Thu Sep 18 21:27:46 UTC 2008


On Thu, Sep 18, 2008 at 3:15 PM, Dennis Gilmore <dennis at ausil.us> wrote:
> On Thursday 18 September 2008 02:43:13 pm Michael DeHaan wrote:
>> Stephen John Smoogen wrote:
>> > On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <mikem at redhat.com> wrote:
>> >> Stephen John Smoogen wrote:
>> >>> I do agree we need to start from somewhere. I think we should start
>> >>> from the redhat key since that is one that is locked on lots of cdrom
>> >>> media etc for people to trust against. After that, we should have the
>> >>> EPEL key signed by that one and then the resulting fingerprints
>> >>> published in appropriate places.
>> >>
>> >> o boy. That sounds like a tall order. We'll have to ask pm and legal
>> >> about that one.
>> >>
>> >> At any rate, I don't think the signing you suggest will make installing
>> >> epel-release any easier for anyone.
>> >
>> > In the end it's not about making the install easier. It's more about
>> > trust of that installation. If the Fedora Keys are signed by the Red
>> > Hat master GPG key... should EPEL be also signed if it is being used
>> > for various Red Hat projects (spacewalk-0.3, cobbler, etc).
>>
>> Slight clarification -- Any products resulting from the above projects
>> will likely have their bits for RHEL end up distributed through RHEL
>> channels (i.e. RHN).   I can't speak to Spacewalk though, but Cobbler
>> will still be available in EPEL regardless.   I like EPEL, it's great
>> and full of some nice software, but Red Hat does not support bits from
>> EPEL, so we can't source the bits from there.    Spacewalk is probably
>> considered a "layered" product, so I'm not sure what the stance on that
>> in EPEL is -- Free IPA /is/ in Fedora, however, and we have had the
>> previous discussion about other bits on this list.   Either way, I'm not
>> an authority on the above :)
> until such time as spacewalk can work with postgresql or some other open
> source database there will be a spacewalk repo  but the goal is to be in
> Fedora and EPEL.
>
> satellite is a layered product and can't depend on EPEL. spacewalk is not a
> layered product and does depend on EPEL.
>
>> That all being said, I'd love to see the packages from EPEL signed in
>> some form as there are a /lot/ of users using those same apps straight
>> from EPEL, support or no -- they use them and they should be signed.
>> This has nothing to do with whether or not they are to be used for Red
>> Hat things or otherwise, it's just a good thing to do since people
>> depend on those repos.
> all EPEL packages are signed.  the key is distributed in the epel-release
> package.   I honestly don't think it's a good idea to have epel-release signed
> by Red Hat's signing key.
>

Ok.. I am doing a horrible bit of explaining what I want because words
no workie today.

Here is the Fedora Key:
http://pgp.mit.edu:11371/pks/lookup?search=0x4F2A6FD2&op=vindex

Here is the EPEL Key:

http://pgp.mit.edu:11371/pks/lookup?search=0x217521F6&op=vindex

The Fedora Key has a lot of trust (now a lot of those emails probably
don't exist any more and probably should be removed...). It still has
a lot of people from whom you could find out if the key is actually
valid. EPEL has none. The Fedora project doesn't trust it, the Red Hat
people don't trust it. Heck, none of the people who work on the project
look to trust it either, including myself.

The key would fail anyone following
http://orcorc.blogspot.com/2008/09/adding-signing-key-to-rpm.html to
see if the key is 'valid'. All I want is to find out how we can pass
that test :).

Sorry for my lack of good English in explaining what I am wanting.

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
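The "does anyone vouch for this key" test the message describes can be automated against the colon-format output of `gpg --with-colons --list-sigs KEYID`. The script below is an added illustration, not code from the thread or from the Fedora/EPEL projects: it parses that record format (documented in GnuPG's DETAILS file), separates self-signatures from third-party certifications, and flags keys that nobody else has certified. The listing it runs on is constructed sample data: the short IDs 4F2A6FD2 and 217521F6 are the ones cited in the message, the zero prefixes and all signer IDs and names are placeholders.

```python
"""Count third-party certifications on OpenPGP keys from gpg colon output.

Record layout (gpg --with-colons): for `pub` and `uid` records field 10 is
the user ID; for `sig` records field 5 is the signer's key ID, field 10 is
the signer's user ID and field 11 is the signature class (10x..13x are
certifications, 30x is a certification revocation).
"""

# Constructed sample of `gpg --with-colons --list-sigs` output, not real
# keyserver data. Short IDs 4F2A6FD2 (Fedora) and 217521F6 (EPEL) are from
# the thread; the zero-padded prefixes, signer IDs and names are placeholders.
SAMPLE_LISTING = """\
pub:-:1024:17:000000004F2A6FD2:2003-09-19:::-:Fedora Project <fedora@redhat.com>::scESC:
uid:-::::2003-09-19::::Fedora Project <fedora@redhat.com>:
sig:::17:000000004F2A6FD2:2003-09-19::::Fedora Project <fedora@redhat.com>:13x:
sig:::17:0000000000000001:2003-10-02::::Placeholder Signer One <one@example.org>:13x:
sig:::17:0000000000000002:2004-01-15::::Placeholder Signer Two <two@example.org>:12x:
sig:::17:0000000000000002:2004-01-16::::Placeholder Signer Two <two@example.org>:30x:
sig:::17:0000000000000003:2005-06-30::::Placeholder Signer Three <three@example.org>:13x:
pub:-:1024:17:00000000217521F6:2006-07-21:::-:Fedora EPEL <epel@fedoraproject.org>::scESC:
uid:-::::2006-07-21::::Fedora EPEL <epel@fedoraproject.org>:
sig:::17:00000000217521F6:2006-07-21::::Fedora EPEL <epel@fedoraproject.org>:13x:
"""


def parse_listing(text):
    """Return {key_id: {"uid", "self_sigs", "third_party"}} from colon output.

    "third_party" maps signer key ID -> signer user ID. A later 30x record
    (certification revocation) from the same signer removes that signer.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 11:
            continue  # malformed or unrelated record
        rec = fields[0]
        if rec == "pub":
            current = fields[4]
            keys[current] = {"uid": fields[9], "self_sigs": 0, "third_party": {}}
        elif rec == "uid" and current is not None and not keys[current]["uid"]:
            # gpg 2.1+ leaves the pub record's uid field empty; take it from uid
            keys[current]["uid"] = fields[9]
        elif rec == "sig" and current is not None:
            signer, signer_uid, sig_class = fields[4], fields[9], fields[10]
            if signer == current:
                keys[current]["self_sigs"] += 1
            elif sig_class.startswith("30"):
                keys[current]["third_party"].pop(signer, None)
            elif sig_class[:2] in ("10", "11", "12", "13"):
                keys[current]["third_party"][signer] = signer_uid
    return keys


def has_external_certifications(keys, key_id):
    """True if at least one key other than key_id itself has certified it."""
    return bool(keys.get(key_id, {}).get("third_party"))


def summarize(keys):
    """One (key_id, uid, third-party count, verdict) tuple per key."""
    rows = []
    for key_id, info in keys.items():
        n = len(info["third_party"])
        verdict = "certified by others" if n else "self-signed only"
        rows.append((key_id, info["uid"], n, verdict))
    return rows


if __name__ == "__main__":
    # In practice: feed the stdout of `gpg --with-colons --list-sigs KEYID` here.
    for key_id, uid, n, verdict in summarize(parse_listing(SAMPLE_LISTING)):
        print(f"{key_id}  {uid:40s}  third-party sigs={n}  {verdict}")
```

The count only says that other keys have certified this one; whether those signers are people you can actually reach and verify is the part of the check that still has to happen out of band, which is exactly the gap the message is pointing at for the EPEL key.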