Skip to content

CIS: skip enabling gpgcheck on all yum repos #2058

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MoteHue merged 1 commit into from
Jan 6, 2026
Merged

CIS: skip enabling gpgcheck on all yum repos #2058

MoteHue merged 1 commit into from
Jan 6, 2026

Conversation

@MoteHue
Copy link
Contributor

@MoteHue MoteHue commented Jan 6, 2026

This conflicts with our configured doca repos, which need gpgcheck disabled.

@MoteHue MoteHue requested a review from a team as a code owner January 6, 2026 14:28
@MoteHue MoteHue added bug Something isn't working xs Extra small (Less than 10 changes) Epoxy labels Jan 6, 2026
Alex-Welsh
Alex-Welsh previously approved these changes Jan 6, 2026
View reviewed changes
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 6, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request disables the CIS hardening rule that enforces GPG checks on all yum repositories to accommodate a specific repository (doca) that does not support it. While this resolves the immediate conflict, it introduces a security risk by disabling a critical verification step for all repositories. My review includes a suggestion for a more targeted and secure approach that addresses the repository conflict without weakening the overall system security.

@Alex-Welsh
Copy link
Member

Alex-Welsh commented Jan 6, 2026

Reno would be nice but fine as it is

@MoteHue
CIS: skip enabling gpgcheck on all yum repos
52b28d9 
This conflicts with our configured doca repos, which need gpgcheck
disabled.
@MoteHue MoteHue force-pushed the cis-disable-gpgcheck-rule branch from b626b72 to 52b28d9 Compare January 6, 2026 14:34
@MoteHue MoteHue requested a review from Alex-Welsh January 6, 2026 14:34
@MoteHue MoteHue enabled auto-merge January 6, 2026 14:54
@MoteHue MoteHue merged commit 3cead46 into stackhpc/2025.1 Jan 6, 2026
21 of 22 checks passed
@MoteHue MoteHue deleted the cis-disable-gpgcheck-rule branch January 6, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Alex-Welsh Alex-Welsh Alex-Welsh approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug Something isn't working Epoxy xs Extra small (Less than 10 changes)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MoteHue @Alex-Welsh