
Prep work for the MariaDB 10.1.39 release has begun. Expected release date is Thu, 02 May 2019.

Draft release notes and changelog:
- https://mariadb.com/kb/en/mdb-10139-rn/
- https://mariadb.com/kb/en/mdb-10139-cl/

As usual, the release notes and changelog are still in draft form at this time and will be updated prior to release.

Thanks.

--
Daniel Bartholomew, MariaDB Release Manager
MariaDB | https://mariadb.com

Did you change the signing key?

uscan: Newest version of mariadb-10.1 on remote site is 10.1.39, local version is 10.1.38
uscan: => Newer package available from ftp://ftp.osuosl.org/pub/mariadb/mariadb-10.1.39/source/mariadb-10.1.39.tar.gz
gpgv: Signature made ke 1. toukokuuta 2019 19.12.57 EEST
gpgv: using DSA key CBCB082A1BB943DB
gpgv: BAD signature from "MariaDB Package Signing Key <package-signing-key@mariadb.org>"
uscan die: OpenPGP signature did not verify.
gbp:error: Uscan failed: OpenPGP signature did not verify.

Hello!

On Fri, 3 May 2019 at 7:33, Otto Kekäläinen (otto@debian.org) wrote:
> Did you change the signing key?
>
> uscan: Newest version of mariadb-10.1 on remote site is 10.1.39, local version is 10.1.38
> uscan: => Newer package available from ftp://ftp.osuosl.org/pub/mariadb/mariadb-10.1.39/source/mariadb-10.1.39.tar.gz
> gpgv: Signature made ke 1. toukokuuta 2019 19.12.57 EEST
> gpgv: using DSA key CBCB082A1BB943DB
> gpgv: BAD signature from "MariaDB Package Signing Key <package-signing-key@mariadb.org>"
> uscan die: OpenPGP signature did not verify.
> gbp:error: Uscan failed: OpenPGP signature did not verify.

It seems the key is correct, but the tar.gz did not match:

$ sha1sum mariadb-10.1.39.tar.gz
45918fde6315d5ce28e9235f8dc2a7e313eb139a mariadb-10.1.39.tar.gz
$ sha512sum mariadb-10.1.39.tar.gz
a0acc2c403a9e77d302bd5ea03ded6f9da1e4c98331b3eb68eaa8abb944497f7a1d49200015a1168b84305c1562beaf218f70e038b5bd8f0090e4c5dbb735eae mariadb-10.1.39.tar.gz

Expected values listed at https://downloads.mariadb.org/mariadb/10.1.39/ are:

sha1sum: aada075c1b983f54a7636581a4702d1b65809ecb
sha512sum: d2ee2da780bd032d1b880e424e9c575259f66ccea885cea3ea3eb2ae0702b2a8935b8c05b07a8c1da675ea80ca98f34e935711a0b8a36c00c7dcc697faa128aa

Is anybody else having problems with wrong checksums?

I did a new download from ftp.osuosl.org and now the checksums match. Maybe there was just a temporary error and not a targeted distribution chain attack..

By the way, the current package signing key is a bit weak (1K DSA). I recommend creating a new 4K RSA key some time later this year at a suitable point in time..

Tips: https://seravo.fi/2015/how-to-create-good-openpgp-keys

On Fri, 3 May 2019 10:02:22 +0300 Otto Kekäläinen <otto@debian.org> wrote:
> I did a new download from ftp.osuosl.org and now the checksums match. Maybe there was just a temporary error and not a targeted distribution chain attack..

Yes, it could be that things were just not fully synced yet.

> By the way, the current package signing key is a bit weak (1K DSA). I recommend creating a new 4K RSA key some time later this year at a suitable point in time..

Yes, this needs to be done.

Thanks.

--
Daniel Bartholomew, MariaDB Release Manager
MariaDB | https://mariadb.com
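
Added example, not part of the thread or written by either participant: the thread turns on telling "the signing key changed" apart from "the key is right but the tarball bytes differ". GnuPG's machine-readable `--status-fd` output separates the two (`NO_PUBKEY` versus `BADSIG`), and this sketch classifies it. The sample status lines are constructed (only the key ID comes from the thread), and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Classify `gpgv --status-fd 1` output read on stdin, failing closed.
#   good           a signature verified and nothing else failed
#   data-mismatch  BADSIG: key is in the keyring, but the signed bytes differ
#   unknown-key    NO_PUBKEY: the signing key is not in the keyring
#   unverified     any other failure, or no signature result at all
classify_gpgv_status() (
    good=0 badsig=0 nokey=0 other=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] BADSIG "*)    badsig=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;
            "[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*)       other=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) other=1 ;;
        esac
    done
    # Any failure outranks a GOODSIG seen elsewhere in the same run.
    if   [ "$badsig" = 1 ]; then echo data-mismatch
    elif [ "$nokey"  = 1 ]; then echo unknown-key
    elif [ "$other"  = 1 ] || [ "$good" = 0 ]; then echo unverified
    else echo good
    fi
)

# Constructed sample: known key, bytes do not match (the case in the thread).
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CBCB082A1BB943DB MariaDB Package Signing Key <package-signing-key@mariadb.org>'

# Constructed sample: placeholder key ID that is absent from the keyring.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000000 17 2 00 1556727177 9
[GNUPG:] NO_PUBKEY 0000000000000000'

# Real use (hypothetical file names):
#   gpgv --status-fd 1 --keyring ./signing-key.gpg tarball.asc tarball \
#       2>/dev/null | classify_gpgv_status
printf '%s\n' "$SAMPLE_BADSIG" | classify_gpgv_status
printf '%s\n' "$SAMPLE_NOKEY"  | classify_gpgv_status
```

A `data-mismatch` verdict points at the download (incomplete mirror sync, corruption or tampering), so the next step is a fresh fetch and a comparison against the published checksums; `unknown-key` is the case where the keyring needs review.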