Bug 432811

Summary: We should ship the EPEL gpg key in RHEL
Product: Red Hat Enterprise Linux 5 Reporter: David Juran <djuran>
Component: redhat-releaseAssignee: Dennis Gregorovic <dgregor>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.3CC: dennis, dmach, duck, herrold, inode0, mikem, riek, smooge
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-25 17:16:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Juran 2008-02-14 15:41:32 UTC 
Description of problem:
In order to start using the EPEL packages, customer must (should) first obatain
the EPEL GPG key. We could make this process easier and include it in RHEL, just
like we include the fedora gpg key.

Version-Release number of selected component (if applicable):
redhat-release-5Server-5.1.0.2
Comment 2 John T. Rose 2008-08-27 23:21:44 UTC 
Actually, why do you include the fedora and fedora-test keys? Right now I would rather see those removed.
Comment 3 Dennis Gregorovic 2008-09-02 16:38:19 UTC 
(In reply to comment #2)
> Actually, why do you include the fedora and fedora-test keys? Right now I would
> rather see those removed.

I've created bug #460915 to track that request.
Comment 4 Dennis Gregorovic 2008-09-04 18:02:38 UTC 
Change checked into CVS.  RPM-GPG-KEY-EPEL should appear in the 5.3 redhat-release package.
Comment 5 Dennis Gilmore 2008-09-16 21:18:59 UTC 
the correct way to install the GPG key and configure the repos is to grab the epel-release package from a mirror.  and manually rpm install it.  then everything just works.  

https://fedoraproject.org/wiki/EPEL/FAQ#howtouse

its been the recommended way since day 1 of EPEL

shipping the key in redhat-release means that it will conflict with epel-release  if for some reason the key needs to be changed in the future.  

the only way it makes sence to ship the epel key in redhat-release is if it also ships the .repo files for epel and then if the key needed changing redhat-release would need an update.

I personally stongrly believe this is something better left with status quo.
Comment 7 Mike McLean 2008-09-16 23:01:08 UTC 
I agree with Dennis. I'm guessing this request originated with someone who installs epel packages piecemeal and does not add the repo files (otherwise I don't see how having the key without the repo info is much help).

I'm not sure we should be encouraging such behavior. If a customer installs epel packages, they should probably keep up with the corresponding epel updates.
Comment 8 Stephen John Smoogen 2008-09-17 15:51:47 UTC 
As EPEL SIG chair, I agree with Dennis. If Red Hat is going to ship the EPEL key, please do so within the epel-release package. That way if the keys are updated, invalidated etc they can be updated via a known process. 

I say this because we are looking if we need to update our keys in line with the recent Red Hat issue. If we do so, then they keys that you have are not in sync anymore.

Thanks
Stephen Smoogen
Comment 9 Daniel Riek 2008-09-19 14:22:25 UTC 
Wouldn't it be better to have some key-signing hierarchy instead of shipping the actual keys?
Comment 10 Daniel Riek 2008-09-19 15:08:10 UTC 
Ok, it seems that my comment 9 does not make a whole lot of sense. So based on that I think it would be better to NO include the EPEL (or Fedora) keys and instead have users really use epel-release.
Comment 11 Dennis Gregorovic 2008-09-25 17:16:23 UTC 
I agree with Daniel.  Closing bug.