  1. MariaDB Server
  2. MDEV-7212

Yum repo - altered packages with identical version numbers


Details

    Description

      We keep a downstream mirror of the package repository (specifically, the Galera variant of MariaDB 10.0 for CentOS 6 x86_64 and i686).

      When updating last night, we downloaded the new 10.0.15 packages. What was troubling to us is that the galera-25.3.5-1.rhel6.x86_64.rpm package was modified. By this I mean that we previously had an identically named package with an md5 checksum of 9b9ac4f9e9f4f9fc0b0ec5435a6d2054 that since last night has the md5 checksum 3b85a02d1be91a4ac0708fc5cb71699c.

      This raised some eyebrows. I hope you agree this goes against the reasonable expectation that when the package is altered, the version number (or at the very least the package release number) is increased.

      After a quick investigation, it appears that the package contents are unaltered, but rpm tells us the previous package was signed at `Thu 16 Oct 2014 01:48:54 AM CEST`, where the new package was signed at `Mon 24 Nov 2014 04:06:28 PM CET`. Build time for both packages is identical at `Wed 25 Jun 2014 04:35:31 AM CEST`.

      Our guess is that the CD process responsible for creating the repositories indiscriminately re-signs unaltered packages each time a repository build job is performed.


          People

            dbart Daniel Bartholomew
            kenny_r Kenny Rasschaert
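A mirror can automate the check described in the report, telling a re-signed package apart from one whose contents changed. The following is an added example, not part of the original report or of MariaDB's tooling: it splits an RPM file at the end of its signature header and compares the header and payload that follow. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # starts the signature header and the main header


def body_offset(rpm: bytes) -> int:
    """Offset of the main header, i.e. the end of the padded signature header."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file: bad lead magic")
    intro = rpm[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("bad signature header")
    nindex, hsize = struct.unpack(">II", intro[8:16])
    end = LEAD_SIZE + 16 + nindex * 16 + hsize  # intro + index entries + data store
    end += -end % 8                             # signature header is padded to 8 bytes
    if end > len(rpm):
        raise ValueError("truncated signature header")
    return end


def body_digest(rpm: bytes) -> str:
    """SHA-256 over main header + payload; unaffected by re-signing."""
    return hashlib.sha256(rpm[body_offset(rpm):]).hexdigest()


def compare(old: bytes, new: bytes) -> str:
    """Classify two same-named packages whose whole-file checksums may differ."""
    if old == new:
        return "identical"
    same_lead = old[:LEAD_SIZE] == new[:LEAD_SIZE]
    same_body = body_digest(old) == body_digest(new)
    return "signature-only" if same_lead and same_body else "content-changed"


def _fake_rpm(sig_blob: bytes, body: bytes) -> bytes:
    """Constructed sample: minimal lead, one-entry signature header, opaque body."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    entry = struct.pack(">IIII", 1002, 7, 0, len(sig_blob))  # tag, type, offset, count
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(sig_blob)) + entry + sig_blob
    return lead + sig + bytes(-len(sig) % 8) + body


BODY = HEADER_MAGIC + b"constructed main header and payload"
OLD = _fake_rpm(b"sig-2014-10-16", BODY)               # constructed, not real signatures
NEW = _fake_rpm(b"signature-2014-11-24-longer", BODY)
if __name__ == "__main__":
    print(compare(OLD, NEW), body_digest(OLD) == body_digest(NEW))
```

Recording `body_digest` next to the whole-file checksum lets a mirror flag a same-version package for review only when the result is `content-changed`.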