How can we utilize latest GPG from RPM repository?

helices gpg at
Thu Feb 15 15:10:07 CET 2018

Yes, I know that.

In general, that scheme works well.

However, in another case, rsyslog, a certain function has been broken for
many years, and the only fix is to track the developers' most recent
versions. In that case, the developers maintain their own repository: ; which is easy to incorporate into:

We are hoping something similar is available for gnupg. I have not found
that, which is the reason for my posts here.

What am I missing?

Please advise. Thank you.

On Thu, Feb 15, 2018 at 7:56 AM, Lightner, Jeffrey <JLightner at
> wrote:

> CentOS isn't a vendor.   It is a project that does binary compiles of RHEL
> sources.
>
> RedHat is the vendor that creates RHEL and its source is used to make
> CentOS.   RHEL is supported by RedHat if you have a subscription.  CentOS
> has no direct support though RedHat hosts the project nowadays.
>
> RHEL (and therefore CentOS) major versions such as 7 start with base
> upstream versions of packages.   RedHat modifies that base upstream package
> to backport bug and security fixes from later upstream packages if relevant
> to the original base.   They then add extended versioning to the RPM name.
>
> For example on a test system I just looked at  "yum list gnupg2" shows:
>
> Installed Packages
> gnupg2.x86_64                  2.0.22-3.el7                   @anaconda/7.0
> Available Packages
> gnupg2.x86_64                  2.0.22-4.el7                   rhel-7-server-rpms
>
> Notice the base upstream for both the installed and the available is
> 2.0.22 but the extended versioning is different (3.el7 vs 4.el7).   You'd
> have to examine the errata to see what is different about the latter.
>
> In general unless there is a specific feature in upstream you need that is
> not in the RHEL/CentOS provided version you should use the RHEL/CentOS
> version on your RHEL/CentOS system.
>
> If you really want the latest of everything you should use Fedora instead
> of CentOS.   Just be aware that Fedora is bleeding edge and releases a new
> version twice a year.   Generally that means you HAVE to do a full upgrade
> at least once a year as they won't offer updated packages for more than two
> major versions at a time.   For a Production environment that pace of
> upgrade is usually not desirable which is why people use RHEL/CentOS
> instead.
>
> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-bounces at] On Behalf Of
> Daniel Kahn Gillmor
> Sent: Wednesday, February 14, 2018 5:31 PM
> To: helices; gnupg-users at
> Subject: Re: How can we utilize latest GPG from RPM repository?
>
> On Wed 2018-02-14 14:20:10 -0600, helices wrote:
> > CentOS 7 uses gnupg2 v2.0.22. EPEL doesn't have anything newer.
> >
> > We want to move to v2.2.x, and stay current, but we don't want to
> > download source and compile for dozens of systems.
> >
> > We want all users to be using the same version all of the time.
>
> This sounds like a problem for your operating system and/or package
> manager.  GnuPG has a chain of build dependencies which often makes it
> difficult to just import directly from a single RPM.
>
> If you were running a more recent operating system, you'd likely get
> something from the GnuPG "modern" branch as well anyway.
>
> Perhaps you want to ask your operating system vendor what their
> recommendation is for "backports" of specific packages?
>
>           --dkg
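
The upstream-version versus vendor-release split described in the quoted reply, as an added example that is not part of the original thread: a simplified form of RPM's segment-by-segment comparison applied to the quoted `yum list gnupg2` output (wrapped line rejoined). Function names are hypothetical, and epochs and the `~`/`^` modifiers are assumed absent.

```python
import re

# Constructed sample: the `yum list gnupg2` output quoted in the thread,
# with the wrapped repository column rejoined onto its package line.
YUM_LIST = """\
Installed Packages
gnupg2.x86_64                  2.0.22-3.el7                   @anaconda/7.0
Available Packages
gnupg2.x86_64                  2.0.22-4.el7                   rhel-7-server-rpms
"""

def segments(s):
    # RPM compares maximal runs of digits or letters; separators are skipped.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp (assumption: no '~' or '^'). Returns -1, 0 or 1."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse(yum_output):
    """Map each section heading to (upstream_version, vendor_release)."""
    found, section = {}, None
    for line in yum_output.splitlines():
        fields = line.split()
        if line.endswith("Packages"):
            section = line.strip()
        elif section and len(fields) == 3:
            # Split on the LAST hyphen: everything after it is the vendor release.
            upstream, _, release = fields[1].rpartition("-")
            found[section] = (upstream, release)
    return found

def describe(yum_output):
    pkgs = parse(yum_output)
    (iv, ir), (av, ar) = pkgs["Installed Packages"], pkgs["Available Packages"]
    if vercmp(iv, av) != 0:
        return "upstream version differs: %s vs %s" % (iv, av)
    if vercmp(ir, ar) < 0:
        return "same upstream %s, newer vendor release %s -> %s: check the errata" % (iv, ir, ar)
    return "installed package is current"

if __name__ == "__main__":
    print(describe(YUM_LIST))
```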