Bug 432811 - We should ship the EPEL gpg key in RHEL
Summary: We should ship the EPEL gpg key in RHEL
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: redhat-release
Version: 5.3
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Dennis Gregorovic
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-14 15:41 UTC by David Juran
Modified: 2008-09-25 17:16 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-25 17:16:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2009:0133 0 normal SHIPPED_LIVE new package: redhat-release 2009-01-20 16:04:58 UTC

Description David Juran 2008-02-14 15:41:32 UTC 
Description of problem:
In order to start using the EPEL packages, customer must (should) first obatain
the EPEL GPG key. We could make this process easier and include it in RHEL, just
like we include the fedora gpg key.

Version-Release number of selected component (if applicable):
redhat-release-5Server-5.1.0.2
Comment 2 John T. Rose 2008-08-27 23:21:44 UTC 
Actually, why do you include the fedora and fedora-test keys? Right now I would rather see those removed.
Comment 3 Dennis Gregorovic 2008-09-02 16:38:19 UTC 
(In reply to comment #2)
> Actually, why do you include the fedora and fedora-test keys? Right now I would
> rather see those removed.

I've created bug #460915 to track that request.
Comment 4 Dennis Gregorovic 2008-09-04 18:02:38 UTC 
Change checked into CVS.  RPM-GPG-KEY-EPEL should appear in the 5.3 redhat-release package.
Comment 5 Dennis Gilmore 2008-09-16 21:18:59 UTC 
the correct way to install the GPG key and configure the repos is to grab the epel-release package from a mirror.  and manually rpm install it.  then everything just works.  

https://fedoraproject.org/wiki/EPEL/FAQ#howtouse

its been the recommended way since day 1 of EPEL

shipping the key in redhat-release means that it will conflict with epel-release  if for some reason the key needs to be changed in the future.  

the only way it makes sence to ship the epel key in redhat-release is if it also ships the .repo files for epel and then if the key needed changing redhat-release would need an update.

I personally stongrly believe this is something better left with status quo.
Comment 7 Mike McLean 2008-09-16 23:01:08 UTC 
I agree with Dennis. I'm guessing this request originated with someone who installs epel packages piecemeal and does not add the repo files (otherwise I don't see how having the key without the repo info is much help).

I'm not sure we should be encouraging such behavior. If a customer installs epel packages, they should probably keep up with the corresponding epel updates.
Comment 8 Stephen John Smoogen 2008-09-17 15:51:47 UTC 
As EPEL SIG chair, I agree with Dennis. If Red Hat is going to ship the EPEL key, please do so within the epel-release package. That way if the keys are updated, invalidated etc they can be updated via a known process. 

I say this because we are looking if we need to update our keys in line with the recent Red Hat issue. If we do so, then they keys that you have are not in sync anymore.

Thanks
Stephen Smoogen
Comment 9 Daniel Riek 2008-09-19 14:22:25 UTC 
Wouldn't it be better to have some key-signing hierarchy instead of shipping the actual keys?
Comment 10 Daniel Riek 2008-09-19 15:08:10 UTC 
Ok, it seems that my comment 9 does not make a whole lot of sense. So based on that I think it would be better to NO include the EPEL (or Fedora) keys and instead have users really use epel-release.
Comment 11 Dennis Gregorovic 2008-09-25 17:16:23 UTC 
I agree with Daniel.  Closing bug.
Note You need to log in before you can comment on or make changes to this bug.