  1. MariaDB MaxScale
  2. MXS-3278

2.4.13 RPM packages for RHEL signed with a new key

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.13, 2.5.5
    • Component/s: Packaging
    • Labels:
      None

      Description

      The 2.4.13 RPM packages for RHEL-8 (and likely for other RHEL versions) got signed with a new key, previously only used on ES 10.5 and MaxScale 2.5.

      This breaks all systems that rely on updates from the MariaDB repo, because we have not issued any kind of warning that we are going to change the signing key - worse, we have not specified which of the multitude of MariaDB signing keys is used for this release. Believe it or not, RPM does check if a package is signed with a trusted key.

      While a new key may be imported, this is not normally done by a DBA and requires extra effort.

      All in all, such a change amidst a mainline without a pressing need (did we revoke the old key? Was it compromised?) is a very bad and quite useless thing to do (as if we don't break enough stuff for customers already).

      YUM log:
      The GPG keys listed for the "MaxScale 2.4" repository are already installed but they are not correct for this package.
      Check that the correct key URLs are configured for this repository.. Failing package is: maxscale-2.4.13-1.x86_64
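
      The check behind the YUM error above can be reproduced by comparing the key ID in a package's signature with the keys imported into the RPM database. This is an added example, not part of the original report; the function names are hypothetical and the key IDs are constructed placeholders, not real MariaDB keys.

```shell
#!/bin/sh
# Added example: is the key that signed an RPM present in the RPM keyring?
# On a real host the two inputs would come from:
#   rpm -qpi maxscale-2.4.13-1.x86_64.rpm | grep Signature   (signature line)
#   rpm -q gpg-pubkey --qf '%{VERSION}\n'                    (imported keys)

# Extract the lower-cased 16-hex-digit key ID from a signature line.
# Unsigned packages report "(none)", which yields an empty result.
sig_key_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Key ID \([0-9A-Fa-f]\{16\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# rpm stores each imported key as gpg-pubkey-<VERSION>-<RELEASE>, where
# VERSION is the last 8 hex digits of the key ID.
short_id() {
    printf '%s' "$1" | cut -c9-16
}

# check_signer "<signature line>" "<newline-separated gpg-pubkey versions>"
# Prints trusted, untrusted:<keyid> or unsigned; returns 0 only for trusted.
check_signer() {
    kid=$(sig_key_id "$1")
    if [ -z "$kid" ]; then
        echo "unsigned"
        return 2
    fi
    short=$(short_id "$kid")
    if printf '%s\n' "$2" | grep -qix "$short"; then
        echo "trusted"
        return 0
    fi
    echo "untrusted:$kid"
    return 1
}

# Constructed sample data: two imported keys, one package signed with a third.
SAMPLE_KEYS='aaaa1111
bbbb2222'
SAMPLE_SIG='RSA/SHA256, Tue 12 Jan 2021 10:00:00 AM UTC, Key ID 00112233CCCC3333'
check_signer "$SAMPLE_SIG" "$SAMPLE_KEYS" || echo "import or verify the new key before updating"
```

      An untrusted result only says the signer is unknown to this host; the fingerprint of any newly imported key should be compared against one published by the vendor over a separate channel.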

            People

            Assignee:
            tturenko Timofey Turenko
            Reporter:
            assen.totin Assen Totin