apache / fluo-muchos

Apache Fluo Muchos
https://fluo.apache.org
Apache License 2.0

Update influxdb checksum. #412

Closed brianloss closed 3 years ago

brianloss commented 3 years ago

The influxdb checksum appears to have changed again (see #381). I don't have the original version of the RPM to compare against, but I did download influxdb from https://dl.influxdata.com/influxdb/releases/influxdb-1.8.3.x86_64.rpm and https://repos.influxdata.com/centos/7/x86_64/stable/influxdb-1.8.3.x86_64.rpm. The checksum differs between those two RPMs and neither matches what is currently checked in. I ran pkgdiff on the two versions I downloaded, and like in #381, it appears the only difference is the package info signature.

brianloss commented 3 years ago

@karthick-rn do you still have the previous version of influxdb around to compare and ensure nothing else is going on here?

ctubbsii commented 3 years ago

> @karthick-rn do you still have the previous version of influxdb around to compare and ensure nothing else is going on here?

I saved a copy of them at https://people.apache.org/~ctubbsii/influxdb_rpms_muchos381/

karthick-rn commented 3 years ago

Good to see the checksum hasn't changed since May '21 😄. Finally, they realised not to re-sign the already signed RPM.

brianloss commented 3 years ago

If we ignored the SHA512 sum and just validated the signature, then it wouldn't matter if the SHA512 changed, as long as the signature is trusted.

If we could make yum fail when there's no GPG signature in the package, then this would be the best option. However, there appears to be no way to do that. If the package we were downloading got replaced with one having no signature, nothing would fail and there would be only a warning about a missing signature. Given that, it's probably better to live with the annoyance of the checksum changing--at least the install fails when the signature changes.
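The two ideas in this thread, as an added example that is not code from this project or its commenters: fail closed when a downloaded RPM carries no OpenPGP signature, and pin a digest that survives a re-sign. It goes beyond the thread by parsing the RPM signature header directly; `check_rpm` and `constructed_rpm` are hypothetical names, and the sample packages are constructed blobs. Finding a signature tag is not verifying it, which still needs `rpm -K` against a trusted key.

```python
import hashlib
import struct

LEAD_MAGIC, LEAD_SIZE = b"\xed\xab\xee\xdb", 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
# Signature-header tags that hold an OpenPGP signature (values from rpm's rpmtag.h).
SIG_TAGS = {267: "DSA (header)", 268: "RSA (header)",
            1002: "PGP (header+payload)", 1005: "GPG (header+payload)"}


def parse_signature_header(blob):
    """Return (tag list, offset where the signature header ends)."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    if blob[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_start = LEAD_SIZE + 16
    data_start = index_start + 16 * nindex
    if data_start + hsize > len(blob):
        raise ValueError("truncated signature header")
    tags = [struct.unpack(">I", blob[o:o + 4])[0]
            for o in range(index_start, data_start, 16)]
    end = data_start + hsize
    return tags, end + (-end % 8)  # header is padded to an 8-byte boundary


def check_rpm(blob):
    """Fail closed on an unsigned RPM; return (signature kinds, stable digest)."""
    tags, end = parse_signature_header(blob)
    kinds = sorted(SIG_TAGS[t] for t in tags if t in SIG_TAGS)
    if not kinds:
        raise ValueError("no OpenPGP signature in package: refusing to install")
    # Re-signing rewrites only the signature header, so hashing what follows it
    # (main header + payload) gives a value that survives a re-sign.
    return kinds, hashlib.sha512(blob[end:]).hexdigest()


def constructed_rpm(sig_entries, body):
    """Build a minimal RPM-shaped blob (constructed sample, not a real package)."""
    index = data = b""
    for tag, value in sig_entries:
        index += struct.pack(">IIII", tag, 7, len(data), len(value))  # 7 = BIN
        data += value
    sig = (HEADER_MAGIC + b"\0" * 4
           + struct.pack(">II", len(sig_entries), len(data)) + index + data)
    return LEAD_MAGIC.ljust(LEAD_SIZE, b"\0") + sig + b"\0" * (-len(sig) % 8) + body
```

On a real file, pass `open(path, "rb").read()` to `check_rpm` and compare the returned digest with a pinned value.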