voxpupuli / puppet-epel

Setup/configure EPEL (extra repository for enterprise linux) with Puppet
Apache License 2.0

Allow this module to work on systems when global repo_gpgcheck = 1 #82

Closed hammondr closed 4 years ago

hammondr commented 5 years ago

Some system hardening guides require the use of "repo_gpgcheck = 1" in yum.conf. This setting breaks this puppet module because the repo files it generates cannot set a repo-specific repo_gpgcheck setting (i.e. set it to 0 for epel).

This patch sets a value of 0 for each supported epel repo and allows override via params/hiera.

rnelson0 commented 5 years ago

It seems like the default is 1, not 0, as you describe. I believe it should be disabled by default based on my understanding of both the flag and the amount of metadata RH signs, but I could be wrong there (appears to have only been fixed with 7.4, did 6 repos get backported signatures?)

hammondr commented 5 years ago

Neither EPEL 6 nor 7 contain signed repo metadata. Ref:

This patch makes sure repo_gpgcheck is disabled by default for the EPEL repo. For hardened systems with "repo_gpgcheck=1" in yum.conf, the EPEL repo will no longer break. Systems that aren't enforcing "repo_gpgcheck=1" in yum.conf will see no behavior changes.
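
The override rule described above, as an added example that is not part of this PR or the puppet-epel module: a small Python checker that resolves the effective `repo_gpgcheck` value per repo exactly as yum does (repo section wins over `[main]` in yum.conf, which wins over the built-in default of 0) and reports which repos will have their metadata signature enforced. The yum.conf and epel.repo contents are constructed samples; the baseurl is a placeholder.

```python
import configparser
from typing import Dict, List

# Constructed sample: a hardened yum.conf that enforces metadata signature checks globally.
HARDENED_YUM_CONF = """\
[main]
gpgcheck=1
repo_gpgcheck=1
"""

# Constructed sample: an epel.repo as generated before this PR (no per-repo override).
EPEL_REPO_BEFORE = """\
[epel]
name=Extra Packages for Enterprise Linux 7 (constructed sample)
baseurl=https://example.invalid/epel/7/$basearch
enabled=1
gpgcheck=1
"""

# Constructed sample: the same repo with the per-repo override this PR adds.
EPEL_REPO_AFTER = EPEL_REPO_BEFORE + "repo_gpgcheck=0\n"


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps yum variables such as $basearch from tripping configparser
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_setting(yum_conf: str, repo_files: List[str], key: str,
                      builtin_default: str = "0") -> Dict[str, str]:
    """Resolve a boolean yum option per repo the way yum does: the repo's own
    section wins, then [main] in yum.conf, then yum's built-in default."""
    main = _parse(yum_conf)
    global_value = builtin_default
    if main.has_section("main"):
        global_value = main["main"].get(key, builtin_default)
    resolved: Dict[str, str] = {}
    for text in repo_files:
        cp = _parse(text)
        for repo_id in cp.sections():
            resolved[repo_id] = cp[repo_id].get(key, global_value)
    return resolved


def repos_requiring_signed_metadata(yum_conf: str, repo_files: List[str]) -> List[str]:
    """Repo ids whose repomd.xml signature yum will insist on; any of these that
    publish unsigned metadata (EPEL 6 and 7, per the thread) fail to refresh."""
    resolved = effective_setting(yum_conf, repo_files, "repo_gpgcheck")
    return sorted(repo_id for repo_id, value in resolved.items() if value == "1")
```

Note that `gpgcheck=1` (package signature verification) stays in force in both variants; only the metadata check is relaxed for the EPEL repo.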

rnelson0 commented 5 years ago

Ah, so the local setting can override the global, makes sense. Sorry, it was early, I get it now :D

hammondr commented 5 years ago

Thanks for the approval. Are there any more steps before you can merge this?

rnelson0 commented 4 years ago

I am horribly sorry this fell off my radar for so long! I've resolved the merge conflicts and merged this PR. Thank you so much for your patience.