sgerrand / alpine-pkg-glibc

A glibc compatibility layer package for Alpine Linux

Removing the pubkey from the repository broke things #89

Status: closed (bLuka closed this issue 6 years ago)

bLuka commented 6 years ago

It seems the latest pull request (#88) broke the Gitlab Auto-DevOps template among other Alpine scripts :smile:

If anyone comes across this, all that is needed is to replace https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub in scripts with https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub (as in 84c5fba3bcee1bbe9bda7298d7685d377235fe3d).

Otherwise, you could also reference the file in its latest available version in the repository, from the commit reference: https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/0a4a98ae663a4aaa89bf010289a14d98950666bf/sgerrand.rsa.pub

@sgerrand Is it worth removing the public key from here given the cross-compatibility issues it involves?

bLuka commented 6 years ago

Also, please notice this makes the actual README obsolete.

camflan commented 6 years ago

Yep, we have a bunch of jobs dying on our CI/CD cluster 😬 I'm going to be updating our jobs with https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub thanks to @bLuka

Also curious why it was removed just now, and if we could get the README updated if this change is going to stick around?

Maybe it would be best to revert this change, mark as deprecated, and allow systems such as the aforementioned Gitlab Auto-DevOps time to update?

sgerrand commented 6 years ago

👋 Apologies for the CI burps and interruptions to anyone affected by this change. I removed the public key from this repository due to the potential attack vector. It's not a good idea to keep the verification keys in the same place as the code being signed.
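The two points raised in this thread, fetching the key from its new location instead of the repository and not trusting whatever the fetch returns blindly, can be combined in a small install script. The following is an added example, not code from the repository or from anyone in this thread; the key URL and the /etc/apk/keys path are real, but the pinned digest is a placeholder you must replace with a value obtained out-of-band (for example from a package maintainer announcement or a previously verified copy of the key).

```shell
#!/bin/sh
# Added example (not from the alpine-pkg-glibc project): install the glibc
# package signing key into Alpine's trusted key directory only if its
# SHA-256 digest matches a value pinned in this script, so a changed or
# tampered download is rejected instead of silently trusted.
set -eu

KEY_URL="https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub"
KEY_DEST="/etc/apk/keys/sgerrand.rsa.pub"
# PLACEHOLDER digest: replace with the real one, verified independently.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_key_file FILE EXPECTED: return 0 if FILE's digest equals EXPECTED,
# 1 otherwise. Kept separate so it can be checked without any network access.
verify_key_file() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# install_pinned_key: download to a temporary file, verify the digest, and
# only then move the key into place. Nothing reaches KEY_DEST on a mismatch.
install_pinned_key() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$KEY_URL"
    if ! verify_key_file "$tmp" "$EXPECTED_SHA256"; then
        echo "refusing to trust key from $KEY_URL: digest mismatch" >&2
        return 1
    fi
    install -m 0644 "$tmp" "$KEY_DEST"
}

# Run the download only when this file is executed under its own name,
# so sourcing it (for checks) performs no network access.
case "${0##*/}" in
    install-glibc-key.sh) install_pinned_key ;;
esac
```

After the key is installed this way, `apk add` of the downloaded glibc .apk files proceeds as before; the only change from the scripts discussed above is that the key's identity is checked before it is trusted.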

sgerrand commented 6 years ago

The GitLab CI template referenced is really out of date – it references glibc v2.23, which is over 2.5 years old.

sgerrand commented 6 years ago

📝 Submitted https://gitlab.com/gitlab-org/gitlab-ci-yml/merge_requests/185 to fix the "Auto DevOps" pipeline.

sgerrand commented 6 years ago

> please notice this makes the actual README obsolete.

> could get the README updated

Please note that the README was also updated in #88 to reference the new location of the public signing key. I'm sorry for anyone affected by this change – I'll update the README shortly to emphasise this change and the change required for anyone else affected.