Red Hat Bugzilla – Bug 432811
We should ship the EPEL gpg key in RHEL
Last modified: 2008-09-25 13:16:23 EDT
Description of problem:
In order to start using the EPEL packages, a customer must (should) first obtain
the EPEL GPG key. We could make this process easier and include it in RHEL, just
like we include the fedora gpg key.
Version-Release number of selected component (if applicable):
Actually, why do you include the fedora and fedora-test keys? Right now I would rather see those removed.
(In reply to comment #2)
> Actually, why do you include the fedora and fedora-test keys? Right now I would
> rather see those removed.
I've created bug #460915 to track that request.
Change checked into CVS. RPM-GPG-KEY-EPEL should appear in the 5.3 redhat-release package.
The correct way to install the GPG key and configure the repos is to grab the epel-release package from a mirror and manually rpm install it. Then everything just works.
It's been the recommended way since day 1 of EPEL.
Shipping the key in redhat-release means that it will conflict with epel-release if for some reason the key needs to be changed in the future.
The only way it makes sense to ship the EPEL key in redhat-release is if it also ships the .repo files for EPEL, and then if the key needed changing, redhat-release would need an update.
I personally strongly believe this is something better left with the status quo.
I agree with Dennis. I'm guessing this request originated with someone who installs epel packages piecemeal and does not add the repo files (otherwise I don't see how having the key without the repo info is much help).
I'm not sure we should be encouraging such behavior. If a customer installs epel packages, they should probably keep up with the corresponding epel updates.
As EPEL SIG chair, I agree with Dennis. If Red Hat is going to ship the EPEL key, please do so within the epel-release package. That way, if the keys are updated, invalidated, etc., they can be updated via a known process.
I say this because we are looking at whether we need to update our keys in line with the recent Red Hat issue. If we do so, then the keys that you have are not in sync anymore.
Wouldn't it be better to have some key-signing hierarchy instead of shipping the actual keys?
Ok, it seems that my comment 9 does not make a whole lot of sense. So based on that I think it would be better to NOT include the EPEL (or Fedora) keys and instead have users really use epel-release.
I agree with Daniel. Closing bug.