We keep a downstream mirror of the package repository (specifically, the Galera variant of MariaDB 10.0 for CentOS 6 x86_64 and i686).

When updating last night, we downloaded the new 10.0.15 packages. What was troubling to us is that the galera-25.3.5-1.rhel6.x86_64.rpm package was modified. By this I mean that we previously had an identically named package with an md5 checksum of 9b9ac4f9e9f4f9fc0b0ec5435a6d2054 that since last night has the md5 checksum 3b85a02d1be91a4ac0708fc5cb71699c.

This raised some eyebrows. I hope you agree this goes against the reasonable expectation that when the package is altered, the version number (or at the very least the package release number) is increased.

After a quick investigation, it appears that the package contents are unaltered, but rpm tells us the previous package was signed at `Thu 16 Oct 2014 01:48:54 AM CEST`, where the new package was signed at `Mon 24 Nov 2014 04:06:28 PM CET`. Build time for both packages is identical at `Wed 25 Jun 2014 04:35:31 AM CEST`.

Our guess is that the CD process responsible for creating the repositories indiscriminately re-signs unaltered packages each time a repository build job is performed.