
Bundle key with "all RPMs" tar archive, or de-bundle it from "all .deb packages" ones


Details

    Description

      The "all deb packages" tarballs have the public key for verifying MariaDB package signatures bundled, and install the key locally. So one only needs to transfer that one tarball to be able to perform a fully "not-connected-to-the-public-internet" offline installation.

      With the "all RPM packages" tarballs, on the other hand, the key file is not included, and the version of the setup_repository script in those just checks whether the key file has already been added to the unpacked repository directory manually, or otherwise tries to download the key, which obviously does not work on a true offline system.

      I'm not even sure which of the two approaches I prefer. Having the signing key bundled in the same download archive with the actual packages sort of defeats the purpose of package signature verification, as an attacker could easily modify packages, and the key along with them.

      But whatever we decide on, more secure or more convenient, we should do it consistently between OS platforms. Having it one way on the RPM side and another way on the .deb side is just adding unnecessary extra confusion.
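As an added illustration, not part of this issue or of MariaDB's setup_repository script: a fail-closed check that trusts a key found in the unpacked repository directory only when its SHA-256 matches a digest the operator obtained out of band, with no download fallback for offline hosts. The key file name, its contents and the pinned digest are constructed here and are assumptions, not MariaDB's actual values.

```python
# Added example (not from the issue or MariaDB's setup_repository script):
# a fail-closed check for a repository signing key in an offline install.
# The key is only trusted if its SHA-256 matches a digest obtained out of
# band (e.g. read from the vendor's site over TLS and written down beforehand);
# there is no download fallback. Key file name and contents are constructed.
import hashlib
import hmac
import tempfile
from pathlib import Path

KEY_FILENAME = "RPM-GPG-KEY-MariaDB"  # placeholder name, not the real file name
ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"


def check_bundled_key(repo_dir, pinned_sha256):
    """Return (ok, reason). Never tries to fetch the key from the network."""
    key_path = Path(repo_dir) / KEY_FILENAME
    if not key_path.is_file():
        return False, "key file missing: copy it into the repo dir from a trusted source"
    data = key_path.read_bytes()
    if not data.lstrip().startswith(ARMOR_HEADER):
        return False, "file is not an ASCII-armored OpenPGP public key"
    digest = hashlib.sha256(data).hexdigest()
    # constant-time compare, so a mismatch does not leak how many hex digits agreed
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        return False, "key digest does not match the pinned value: refuse to import"
    return True, "key matches pinned digest: safe to import with rpm --import"


def demo():
    """Run the check against an intact, a tampered and a missing key; return the three outcomes."""
    # Constructed stand-in for a key file; a real one carries base64 key material.
    key = ARMOR_HEADER + b"\n\nmQINBFexampleCONSTRUCTEDkeydata==\n-----END PGP PUBLIC KEY BLOCK-----\n"
    pinned = hashlib.sha256(key).hexdigest()  # in practice obtained out of band, not from the tarball
    results = []
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / KEY_FILENAME).write_bytes(key)
        results.append(check_bundled_key(d, pinned)[0])  # True: intact key
        # attacker who can edit the tarball edits the bundled key alongside the packages
        (Path(d) / KEY_FILENAME).write_bytes(key.replace(b"example", b"evilxyz"))
        results.append(check_bundled_key(d, pinned)[0])  # False: digest mismatch
    with tempfile.TemporaryDirectory() as d:
        results.append(check_bundled_key(d, pinned)[0])  # False: missing, no download attempted
    return results


if __name__ == "__main__":
    print(demo())
```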

            People

              dbart Daniel Bartholomew
              hholzgra Hartmut Holzgraefe