[Varnish] #1472: Varnish 4.0.0 packages for el6 are not signed
Varnish
varnish-bugs at varnish-cache.org
Wed Apr 9 23:54:28 CEST 2014
#1472: Varnish 4.0.0 packages for el6 are not signed
---------------------------------+-----------------------
Reporter: mortsa | Type: defect
Status: new | Priority: high
Milestone: Varnish 4.0 release | Component: packaging
Version: 4.0.0-beta1 | Severity: major
Keywords: gpg rpm security |
---------------------------------+-----------------------
None of the packages available at
http://repo.varnish-cache.org/redhat/varnish-4.0/el6/x86_64/varnish/ are
signed with a GPG key.
When trying to install varnish with gpgcheck=1 in the yum repository
configuration file, I get the following error message:
"Package varnish-4.0.0-0.20140328beta1.el6.x86_64.rpm is not signed"
A similar ticket (#906) [1] was created 3 years ago and it was closed
with resolution set to "wontfix".
[1]: https://www.varnish-cache.org/trac/ticket/906
Most of the software that is packaged and distributed as RPM packages by
software vendors is (or should be) signed by a GPG key from the software
vendor, for well-known reasons.
The GPG key itself is commonly distributed as part of the release package
(varnish-release), and the yum repository configuration file should
contain "gpgcheck=1" to enable GPG signature checking on all packages in
the repository.
I hope you will prioritize this bug before Varnish 4.0.0 is released as
stable.
--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1472>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator
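
An added example, not part of the ticket or of the Varnish project's own code: a Python check over yum `.repo` file contents that reports, for each enabled repository, whether `gpgcheck` is on and a `gpgkey` is configured. The repo ids, URLs and key path in the sample are constructed placeholders, and the accepted boolean spellings and the enabled-by-default rule are assumptions.

```python
import configparser

# Constructed sample; repo ids, URLs and the key path are placeholders.
SAMPLE_REPO = """\
[demo-unchecked]
baseurl=http://repo.example.invalid/el6/$basearch
gpgcheck=0

[demo-checked]
baseurl=http://repo.example.invalid/el6/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE

[demo-inherits]
baseurl=https://repo.example.invalid/el6/$basearch

[demo-disabled]
baseurl=http://repo.example.invalid/el6/$basearch
enabled=0
gpgcheck=0
"""

TRUTHY = {"1", "yes", "true"}  # assumption: spellings treated as "on"


def audit_repo_text(text):
    """Return {repo_id: [findings]} for each enabled repo section of a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        # Assumption: a repo with no "enabled" line counts as enabled.
        if repo_id == "main" or sec.get("enabled", "1").strip().lower() not in TRUTHY:
            continue
        findings = []
        gpgcheck = sec.get("gpgcheck")
        if gpgcheck is None:
            findings.append("gpgcheck not set here; inherited from [main] in yum.conf")
        elif gpgcheck.strip().lower() not in TRUTHY:
            findings.append("gpgcheck is off; package signatures are not verified")
        elif not sec.get("gpgkey", "").strip():
            findings.append("gpgcheck is on but no gpgkey; key must already be imported")
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    print(audit_repo_text(SAMPLE_REPO))
```

An empty findings list means the section both enables signature checking and names a key to check against.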