Hi,
Would it make sense to make gpg signature checking the default for the
official distributed Scientific Linux packages? In other words,
include the line 'gpgcheck=1' in the /etc/yum.repos.d/sl*.repo files.

It seems as if this approach would help to make sure that all packages
are signed and that users don't accidentally install 'unofficial' or
(perhaps maliciously) altered packages.

-g
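Added here as an illustration of the check being proposed (not part of the original message and not Scientific Linux's own tooling): a POSIX shell audit that parses .repo files and reports each section that would not verify package signatures. The sample repo file, its mirror URLs and section names are constructed for the example.

```shell
#!/bin/sh
# Audit yum .repo files for repository sections that will not verify package
# signatures. Verdict per [section]: ok (gpgcheck=1 and a gpgkey is set),
# nokey (gpgcheck=1 but no gpgkey, so nothing can be verified until a key is
# imported), unchecked (gpgcheck missing or set to 0).

audit_repo_file() {
    awk '
        function flush() {
            if (sec == "") return
            if (check == "1" && key != "") v = "ok"
            else if (check == "1") v = "nokey"
            else v = "unchecked"
            print sec, v
        }
        # value of the current "key = value" line, whitespace stripped
        function value(   s) { s = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", s); return s }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); check = ""; key = ""; next }
        /^[ \t]*gpgcheck[ \t]*=/ { check = value() }
        /^[ \t]*gpgkey[ \t]*=/   { key = value() }
        END { flush() }
    ' "$1"
}

# weak_sections FILE: names of the sections that do not enforce signature checks.
weak_sections() {
    audit_repo_file "$1" | awk '$2 != "ok" { print $1 }'
}

# Constructed sample .repo file; mirrors and key path are placeholders.
SAMPLE_REPO=$(mktemp)
cat >"$SAMPLE_REPO" <<'EOF'
[sl-base]
name=Scientific Linux base (constructed example)
baseurl=http://mirror.example.org/sl/$releasever/$basearch/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl

[sl-extras]
name=extras, signature checking explicitly disabled
baseurl=http://mirror.example.org/sl/extras/
gpgcheck = 0

[thirdparty]
name=no gpgcheck line, so the [main] default from /etc/yum.conf applies
baseurl=http://mirror.example.net/pkgs/
EOF

audit_repo_file "$SAMPLE_REPO"
```

On a real system run `for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done`; a section reported as `nokey` still needs the vendor key imported (`rpm -q gpg-pubkey` lists what is installed) before gpgcheck=1 can reject anything.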