You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@fluo.apache.org by GitBox <gi...@apache.org> on 2021/05/05 17:24:53 UTC
[GitHub] [fluo-muchos] karthick-rn opened a new issue #391: Influxdb 1.8.3 checksum changed again!
karthick-rn opened a new issue #391:
URL: https://github.com/apache/fluo-muchos/issues/391
This is the same problem we faced in Dec 2020 as well and discussed here in #381. Looks like someone already opened an issue - https://github.com/influxdata/influxdb/issues/21365.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] karthick-rn commented on issue #391: Influxdb 1.8.3 checksum changed again!
Posted by GitBox <gi...@apache.org>.
karthick-rn commented on issue #391:
URL: https://github.com/apache/fluo-muchos/issues/391#issuecomment-833653742
Added a comment to the Influxdb issue.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] karthick-rn commented on issue #391: Influxdb 1.8.3 checksum changed again!
Posted by GitBox <gi...@apache.org>.
karthick-rn commented on issue #391:
URL: https://github.com/apache/fluo-muchos/issues/391#issuecomment-833004313
I'm not clear why they had to re-generate all signature files and rotate GPG keys, but looks like it is their process. I'll submit a PR to update the new checksum unless anyone has any thoughts.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] karthick-rn commented on issue #391: Influxdb 1.8.3 checksum changed again!
Posted by GitBox <gi...@apache.org>.
karthick-rn commented on issue #391:
URL: https://github.com/apache/fluo-muchos/issues/391#issuecomment-845369519
The existing RPMs has been re-signed again today!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [fluo-muchos] ctubbsii commented on issue #391: Influxdb 1.8.3 checksum changed again!
Posted by GitBox <gi...@apache.org>.
ctubbsii commented on issue #391:
URL: https://github.com/apache/fluo-muchos/issues/391#issuecomment-833299390
Every time the checksum changes, it is suspicious. I don't think we should just keep blindly updating it going forward, because that would be like it didn't have a checksum at all. We could manually check every time, but that's tedious and requires a copy of both the old and new artifact (which may not be possible every time this happens).
So, I think the best solution is to try to convince upstream that their process is flawed, that it creates confusion and sows distrust in their security. If we can't rely on the checksum not changing for a previously released version, that's pretty concerning.
In my opinion, the second best solution is to remove features from muchos that use InfluxDB. If we can't trust the dependency, we should avoid it.
The third best solution seems to manually check that only the signature changed (as I did in https://github.com/apache/fluo-muchos/pull/381#issuecomment-754225310). But, that may not be possible.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org