[MXS-3278] 2.4.13 RPM packages for RHEL signed with a new key Created: 2020-11-02 Updated: 2020-11-04 Resolved: 2020-11-04 |
|
| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | Packaging |
| Affects Version/s: | None |
| Fix Version/s: | 2.4.13, 2.5.5 |
| Type: | Bug | Priority: | Major |
| Reporter: | Assen Totin (Inactive) | Assignee: | Timofey Turenko |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Description |
|
The 2.4.13 RPM packages for RHEL-8 (and likely for other RHEL versions) got signed with a new key, previously only used on ES 10.5 and MaxScale 2.5. This breaks all systems that rely on updates from the MariaDB repo, because we have not issued any kind of warning that we are going to change the signing key - worse, we have not specified which of the multitude of MariaDB signing keys is used for this release. Believe it or not, RPM does check if a package is signed with a trusted key. While a new key may be imported, this is not normally done by a DBA and requires extra efforts. All-in-all, such a change amidst a mainline without a pressing need (did we revoke the old key? Was it compromised?) is a very bad and quite useless thing to do (as if we don't break enough stuff for customers already). YUM log: |
| Comments |
| Comment by Timofey Turenko [ 2020-11-02 ] |
|
packages are signed by MariaDB Enterprise key https://downloads.mariadb.com/MariaDB/MariaDB-Enterprise-GPG-KEY |
| Comment by Assen Totin (Inactive) [ 2020-11-02 ] |
|
Exactly, this is the problem. All previous 2.4 builds used a different key.
|
| Comment by Timofey Turenko [ 2020-11-04 ] |
|
old key was not compromised, we changed the key because we need the same key for Enterprise server and Maxscale (see https://jira.mariadb.org/browse/MXS-2804) as for announcement - it is our fault, just forgot to add to release notes |
| Comment by Timofey Turenko [ 2020-11-04 ] |
|
release note is added |
| Comment by Timofey Turenko [ 2020-11-04 ] |
|
Release notes are updated, closing |