Opened 11 years ago
Closed 11 years ago
#291 closed defect (wontfix)
CentOS package doesn't actually use included PGP key
| Reported by: | Henrik Tunedal | Owned by: | sb |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | other | Version: | 1.2.x |
| Keywords: | Cc: | ||
| uname -a: | Linux vserver 2.6.32-5-vserver-amd64 #1 SMP Sun May 6 06:53:58 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.2.6
built by gcc 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) TLS SNI support enabled configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g' |
||
Description
The CentOS and RHEL packages on the download page (http://nginx.org/en/download.html), which install a Yum repository for installing the actual package, include the signing key but are not configured to actually use it – they have "gpgcheck=0" in the repository configuration file.
Additionally, the manual instructions both there and on the wiki (http://wiki.nginx.org/Install) will set up a repository without signatures. It would be nice if they included a mention of, and link to, the PGP key.
Attachments (1)
Change History (3)
comment:1 by , 11 years ago
| Owner: | set to |
|---|---|
| Status: | new → assigned |
by , 11 years ago
| Attachment: | nginx.repo.centos6.patch added |
|---|
comment:2 by , 11 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
Yes, rpm packages signature check is optional now, because enabling gpgcheck in yum.conf will not improve security by itself, since you download pgp key from same location as rpm package, so it is as trustworthy as package itself. If you are security aware, you should check key's signatures too.
On the other hand enabling gpgcheck will result in prompting for key import on package installation and this may confuse inexperienced user.
So it is up to end user.
Patch for CentOS 6