[MDEV-6205] MariaDB source releases should be signed Created: 2014-05-02 Updated: 2014-07-19 Resolved: 2014-07-19 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | None |
| Fix Version/s: | 5.5.38, 10.0.12 |
| Type: | Task | Priority: | Minor |
| Reporter: | Otto Kekäläinen | Assignee: | Daniel Bartholomew |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | debian, packaging | ||
| Description |
|
Current MariaDB source releases at mariadb.org and mirrors are not signed. There is a MD5SUM file next to the source releases, which is useful to check that the download is not corrupted, but only a OpenPGP signature would also protect against a possible man-in-the-middle attack. Please use the current packaging key used to sign binary releases:
Use it to sign the sources, e.g.
Publish the resulting mariadb-5.5.37.tar.gz.asc file next to the actual source file. For example the Debian uscan tool that watches for new releases and downloads them will support automated signature checking and it will be easy to implement if there is a file named mariadb-5.5.37.tar.gz.asc sitting next to the source release file. Uscan info at https://wiki.debian.org/debian/watch/#Cryptographic_signature_verification Oracle publishes source signatures for MySQL, e.g. https://dev.mysql.com/downloads/gpg.php?file=mysql-5.6.17.tar.gz and they advertise it on their download page at https://dev.mysql.com/downloads/mysql/ MariaDB could do it slightly better by using a stronger signing key. |
| Comments |
| Comment by Otto Kekäläinen [ 2014-07-19 ] |
|
This seem to be fixed now: .asc files are released (e.g. ftp://ftp.osuosl.org/pub/mariadb/mariadb-5.5.38/source/mariadb-5.5.38.tar.gz.asc) and the download UI also has a button to show the signature (e.g. https://downloads.mariadb.org/mariadb/5.5.38/) |