Posted to notifications@fluo.apache.org by GitBox <gi...@apache.org> on 2021/05/06 07:32:03 UTC

[GitHub] [fluo-muchos] ctubbsii commented on issue #391: Influxdb 1.8.3 checksum changed again!

ctubbsii commented on issue #391:
URL: https://github.com/apache/fluo-muchos/issues/391#issuecomment-833299390


   Every time the checksum changes, it is suspicious. I don't think we should just keep blindly updating it going forward, because that would be like it didn't have a checksum at all. We could manually check every time, but that's tedious and requires a copy of both the old and new artifact (which may not be possible every time this happens).
   
   So, I think the best solution is to try to convince upstream that their process is flawed, that it creates confusion and sows distrust in their security. If we can't rely on the checksum not changing for a previously released version, that's pretty concerning.
   
   In my opinion, the second best solution is to remove features from muchos that use InfluxDB. If we can't trust the dependency, we should avoid it.
   
   The third best solution seems to be to manually check that only the signature changed (as I did in https://github.com/apache/fluo-muchos/pull/381#issuecomment-754225310). But, that may not be possible.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
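
One way to automate the "only the signature changed" check described in the comment above, as an added example that is not part of the original message or of fluo-muchos. It assumes the artifact is an RPM package (the message does not say) and that both the old and new copies are available; `split_rpm`, `classify_change` and the sample packages are constructed for illustration.

```python
import hashlib
import struct

LEAD_SIZE = 96                      # fixed-size legacy lead at the start of an RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # starts the signature header and the main header


def split_rpm(rpm: bytes):
    """Return (lead, signature_header, rest); rest is main header + payload."""
    if (len(rpm) < LEAD_SIZE + 16 or rpm[:4] != LEAD_MAGIC
            or rpm[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC):
        raise ValueError("not an RPM package")
    nindex, hsize = struct.unpack(">II", rpm[LEAD_SIZE + 8:LEAD_SIZE + 16])
    end = LEAD_SIZE + 16 + 16 * nindex + hsize
    end += -end % 8                 # signature header is padded to 8 bytes
    if end > len(rpm):
        raise ValueError("truncated signature header")
    return rpm[:LEAD_SIZE], rpm[LEAD_SIZE:end], rpm[end:]


def classify_change(old: bytes, new: bytes) -> str:
    """Say what differs between two copies of the same released version."""
    if hashlib.sha256(old).digest() == hashlib.sha256(new).digest():
        return "identical"
    old_lead, _, old_rest = split_rpm(old)
    new_lead, _, new_rest = split_rpm(new)
    if old_lead == new_lead and old_rest == new_rest:
        return "signature-only"     # still verify the new signature separately
    return "content-changed"        # fail closed: do not update the pinned checksum


def make_sample(sig: bytes, body: bytes) -> bytes:
    """Constructed stand-in for a package: lead, one-entry signature header, body."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    index = struct.pack(">IIII", 1000, 7, 0, len(sig))   # constructed index entry
    header = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(sig)) + index + sig
    header += bytes(-len(header) % 8)
    return lead + header + HEADER_MAGIC + body


# Constructed samples: same content re-signed, and content actually modified.
OLD = make_sample(b"old-signature", b"main header and payload")
RESIGNED = make_sample(b"new-signature-longer", b"main header and payload")
TAMPERED = make_sample(b"new-signature-longer", b"main header and PAYLOAD")

if __name__ == "__main__":
    for name, pkg in (("resigned", RESIGNED), ("tampered", TAMPERED)):
        print(name, classify_change(OLD, pkg))
```

A "signature-only" result shows that the bytes outside the signature header are unchanged, not that the new signature is valid; that is verified separately against the vendor's key.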