
MariaDB source releases should be signed

    Details

      Description

      Current MariaDB source releases at mariadb.org and mirrors are not signed. There is an MD5SUM file next to the source releases, which is useful to check that the download is not corrupted, but only an OpenPGP signature would also protect against a possible man-in-the-middle attack.

      Please use the current packaging key used to sign binary releases:

      pub   1024D/1BB943DB 2010-02-02
      uid                  MariaDB Package Signing Key <package-signing-key@mariadb.org>

      Use it to sign the sources, e.g.

      gpg --detach-sign --armor mariadb-5.5.37.tar.gz

      Publish the resulting mariadb-5.5.37.tar.gz.asc file next to the actual source file.

      For example the Debian uscan tool that watches for new releases and downloads them will support automated signature checking and it will be easy to implement if there is a file named mariadb-5.5.37.tar.gz.asc sitting next to the source release file. Uscan info at https://wiki.debian.org/debian/watch/#Cryptographic_signature_verification

      Oracle publishes source signatures for MySQL, e.g. https://dev.mysql.com/downloads/gpg.php?file=mysql-5.6.17.tar.gz and they advertise it on their download page at https://dev.mysql.com/downloads/mysql/. MariaDB could do it slightly better by using a stronger signing key.
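      A downloader-side verifier that applies both checks the description contrasts (MD5SUM for corruption, the detached .asc signature pinned to a known key for tampering), as an added example that is not from the page or the MariaDB project. The pinned fingerprint is a placeholder because the page gives only the short key ID 1BB943DB, the MD5SUM file name is passed in as an argument, and the gpg status-line parsing follows gpg's `--status-fd` format.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Assumption: the full fingerprint of the release signing key, obtained out of band.
# The page lists only the short key ID 1BB943DB, so this is a placeholder value.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"


def md5_matches(name: str, data: bytes, md5sum_text: str) -> bool:
    """Check `data` against the md5sum(1)-style line for `name`.
    This detects download corruption only: an attacker who can swap the
    tarball in transit can swap the MD5SUM file just as easily."""
    digest = hashlib.md5(data).hexdigest()
    for line in md5sum_text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{32})\s+\*?(.+)$", line.strip())
        if m and m.group(2) == name:
            return m.group(1).lower() == digest
    return False


def signature_ok(status_output: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """Parse `gpg --status-fd` output. Require a GOODSIG *and* a VALIDSIG
    whose fingerprint equals the pinned key: a valid signature from some
    other key that happens to be in the keyring is not a release signature."""
    lines = status_output.splitlines()
    good = any(ln.startswith("[GNUPG:] GOODSIG ") for ln in lines)
    fprs = {ln.split()[2].upper() for ln in lines if ln.startswith("[GNUPG:] VALIDSIG ")}
    return good and pinned.upper() in fprs


def verify_release(tarball: Path, md5sum_file: Path) -> bool:
    """Apply both checks to a downloaded tarball and its <name>.asc neighbour."""
    sig = tarball.with_name(tarball.name + ".asc")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(tarball)],
        capture_output=True, text=True, check=False)
    return (md5_matches(tarball.name, tarball.read_bytes(), md5sum_file.read_text())
            and signature_ok(proc.stdout))


if __name__ == "__main__":
    import sys
    ok = verify_release(Path(sys.argv[1]), Path(sys.argv[2]))
    print("release verified" if ok else "VERIFICATION FAILED")
    sys.exit(0 if ok else 1)
```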


            Activity

            otto Otto Kekäläinen added a comment -

            This seems to be fixed now: .asc files are released (e.g. ftp://ftp.osuosl.org/pub/mariadb/mariadb-5.5.38/source/mariadb-5.5.38.tar.gz.asc) and the download UI also has a button to show the signature (e.g. https://downloads.mariadb.org/mariadb/5.5.38/)


              People

              • Assignee:
                dbart Daniel Bartholomew
                Reporter:
                otto Otto Kekäläinen