How can we utilize latest GPG from RPM repository?
JLightner at dsservices.com
Thu Feb 15 14:56:18 CET 2018
CentOS isn't a vendor. It is a project that does binary compiles of RHEL sources.
RedHat is the vendor that creates RHEL and its source is used to make CentOS. RHEL is supported by RedHat if you have a subscription. CentOS has no direct support though RedHat hosts the project nowadays.
RHEL (and therefore CentOS) major versions such as 7 start with base upstream versions of packages. RedHat modifies that base upstream package to backport bug and security fixes from later upstream packages if relevant to the original base. They then add extended versioning to the RPM name.
For example on a test system I just looked at "yum list gnupg2" shows:
gnupg2.x86_64 2.0.22-3.el7 @anaconda/7.0
gnupg2.x86_64 2.0.22-4.el7 rhel-7-server-rpms
Notice the base upstream for both the installed and the available is 2.0.22 but the extended versioning is different (3.el7 vs 4.el7). You'd have to examine the errata to see what is different about the latter.
In general unless there is a specific feature in upstream you need that is not in the RHEL/CentOS provided version you should use the RHEL/CentOS version on your RHEL/CentOS system.
If you really want the latest of everything you should use Fedora instead of CentOS. Just be aware that Fedora is bleeding edge and releases a new version twice a year. Generally that means you HAVE to do a full upgrade at least once a year as they won't offer updated packages for more than two major versions at a time. For a Production environment that pace of upgrade is usually not desirable which is why people use RHEL/CentOS instead.
From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Daniel Kahn Gillmor
Sent: Wednesday, February 14, 2018 5:31 PM
To: helices; gnupg-users at gnupg.org
Subject: Re: How can we utilize latest GPG from RPM repository?
On Wed 2018-02-14 14:20:10 -0600, helices wrote:
> CentOS 7 uses gnupg2 v2.0.22. EPEL doesn't have anything newer.
> We want to move to v2.2.x, and stay current, but we don't want to
> download source and compile for dozens of systems.
> We want all users to be using the same version all of the time.
This sounds like a problem for your operating system and/or package manager. GnuPG has a chain of build dependencies which often makes it difficult to just import directly from a single RPM.
If you were running a more recent operating system, you'd likely get something from the GnuPG "modern" branch as well anyway.
Perhaps you want to ask your operating system vendor what their recommendation is for "backports" of specific packages?
More information about the Gnupg-users