[Varnish] #1472: Varnish 4.0.0 packages for el6 are not signed

Varnish varnish-bugs at varnish-cache.org
Wed Apr 9 23:54:28 CEST 2014

#1472: Varnish 4.0.0 packages for el6 are not signed
 Reporter:  mortsa               |       Type:  defect
   Status:  new                  |   Priority:  high
Milestone:  Varnish 4.0 release  |  Component:  packaging
  Version:  4.0.0-beta1          |   Severity:  major
 Keywords:  gpg rpm security     |
 None of the packages available at http://repo.varnish-
 cache.org/redhat/varnish-4.0/el6/x86_64/varnish/ are signed with a GPG

 When trying to to install varnish with gpgcheck=1 in the yum repository
 configuration file, I get the following error message:

 "Package varnish-4.0.0-0.20140328beta1.el6.x86_64.rpm is not signed"

 A similiar ticket (#906) [1] was created 3 years ago and it was closed
 with resolution set to "wontfix".

 [1]: https://www.varnish-cache.org/trac/ticket/906

 Most of the software that is packaged and distributed as RPM packages by
 software vendors, are (or should be) signed by a GPG key from the software
 vendor by well-known reasons.

 The GPG key itself is commonly distributed as part of the release package
 (varnish-release), and the yum repository configuration file should
 contain "gpgcheck=1" to enable GPG signature checking on all packages in
 the repository.

 I hope you will prioritize this bug before Varnish 4.0.0 is released as

Ticket URL: <https://www.varnish-cache.org/trac/ticket/1472>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

More information about the varnish-bugs mailing list