On Thursday 18 September 2008 02:43:13 pm Michael DeHaan wrote:
> Stephen John Smoogen wrote:
> > On Thu, Sep 18, 2008 at 1:10 PM, Mike McLean <[EMAIL PROTECTED]> wrote:
> >> Stephen John Smoogen wrote:
> >>> I do agree we need to start from somewhere. I think we should start
> >>> from the redhat key since that is one that is locked on lots of cdrom
> >>> media etc for people to trust against. After that, we should have the
> >>> EPEL key signed by that one and then the resulting fingerprints
> >>> published in appropriate places.
> >>
> >> Oh boy. That sounds like a tall order. We'll have to ask pm and legal
> >> about that one.
> >>
> >> At any rate, I don't think the signing you suggest will make installing
> >> epel-release any easier for anyone.
> >
> > In the end it's not about making the install easier. It's more about
> > trust of that installation. If the Fedora Keys are signed by the Red
> > Hat master GPG key... should EPEL be also signed if it is being used
> > for various Red Hat projects (spacewalk-0.3, cobbler, etc).
>
> Slight clarification -- Any products resulting from the above projects
> will likely have their bits for RHEL end up distributed through RHEL
> channels (i.e. RHN). I can't speak to Spacewalk though, but Cobbler
> will still be available in EPEL regardless. I like EPEL, it's great
> and full of some nice software, but Red Hat does not support bits from
> EPEL, so we can't source the bits from there. Spacewalk is probably
> considered a "layered" product, so I'm not sure what the stance on that
> in EPEL is -- Free IPA /is/ in Fedora, however, and we have had the
> previous discussion about other bits on this list. Either way, I'm not
> an authority on the above :)

Until such time as spacewalk can work with postgresql or some other open
source database there will be a spacewalk repo, but the goal is to be in
Fedora and EPEL. Satellite is a layered product and can't depend on EPEL.
Spacewalk is not a layered product and does depend on EPEL.

> That all being said, I'd love to see the packages from EPEL signed in
> some form as there are a /lot/ of users using those same apps straight
> from EPEL, support or no -- they use them and they should be signed.
> This has nothing to do with whether or not they are to be used for Red
> Hat things or otherwise, it's just a good thing to do since people
> depend on those repos.

All EPEL packages are signed. The key is distributed in the epel-release
package. I honestly don't think it's a good idea to have epel-release signed
by Red Hat's signing key.

> As for distributing an epel-release with RHEL, I'm not sure if that
> would happen or not as EPEL doesn't come with support. I probably would
> not expect that to occur, but I think lots of folks do know about EPEL
> if they want to use it.

I don't think epel-release should ever be in RHEL; if anything, disabled epel
repo configs and the gpg key shipped with redhat-release. But that takes
control out of our hands, so I'm not for that.

I will get the fingerprint for the epel key posted @
https://admin.fedoraproject.org/fingerprints

Dennis

_______________________________________________
epel-devel-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/epel-devel-list
