
Influxdb 1.8.3 checksum changed again!

Open karthick-rn opened this issue 4 years ago • 4 comments

This is the same problem we faced in Dec 2020 as well and discussed here in #381. Looks like someone already opened an issue - https://github.com/influxdata/influxdb/issues/21365.

karthick-rn avatar May 05 '21 17:05 karthick-rn

I'm not clear why they had to re-generate all signature files and rotate GPG keys, but looks like it is their process. I'll submit a PR to update the new checksum unless anyone has any thoughts.

karthick-rn avatar May 05 '21 21:05 karthick-rn

Every time the checksum changes, it is suspicious. I don't think we should just keep blindly updating it going forward, because that would be like it didn't have a checksum at all. We could manually check every time, but that's tedious and requires a copy of both the old and new artifact (which may not be possible every time this happens).

So, I think the best solution is to try to convince upstream that their process is flawed, that it creates confusion and sows distrust in their security. If we can't rely on the checksum not changing for a previously released version, that's pretty concerning.

In my opinion, the second best solution is to remove features from muchos that use InfluxDB. If we can't trust the dependency, we should avoid it.

The third best solution seems to manually check that only the signature changed (as I did in https://github.com/apache/fluo-muchos/pull/381#issuecomment-754225310). But, that may not be possible.

ctubbsii avatar May 06 '21 07:05 ctubbsii
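The "third best" option above, checking that only the signature changed, can be automated instead of done by hand. The script below is an added example and is not code from fluo-muchos or from either commenter: it parses the RPM on-disk layout (96-byte lead, signature header padded to an 8-byte boundary, then the main header and payload), hashes everything after the signature header, and reports whether two copies of an artifact differ only in that header. The sample packages at the bottom are constructed in-line and are not real InfluxDB RPMs.

```python
"""Compare two RPM files while ignoring the signature header (added example)."""
import hashlib
import struct

LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic bytes + structure version 1
RPMSIGTAG_PGP = 1002                  # conventional tag number of the PGP signature entry
RPM_BIN_TYPE = 7                      # index entry type: opaque binary data


def _header_length(blob, offset):
    """Return the total byte length of the header structure that starts at `offset`."""
    if blob[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError(f"no RPM header structure at offset {offset}")
    nindex, hsize = struct.unpack(">II", blob[offset + 8:offset + 16])
    return 16 + 16 * nindex + hsize


def rpm_content_digest(blob):
    """SHA-256 over the main header and payload, i.e. everything a signature covers."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    sig_len = _header_length(blob, LEAD_SIZE)
    sig_len += (8 - sig_len % 8) % 8          # signature header is padded to 8 bytes
    start = LEAD_SIZE + sig_len
    _header_length(blob, start)                # sanity check: the main header must follow
    return hashlib.sha256(blob[start:]).hexdigest()


def only_signature_changed(old_blob, new_blob):
    """True when the files differ but their header+payload content is identical."""
    return old_blob != new_blob and rpm_content_digest(old_blob) == rpm_content_digest(new_blob)


# --- constructed sample packages (demo data, not real artifacts) --------------

def _build_header(entries):
    """Build a header structure from (tag, bytes) pairs, all stored as BIN entries."""
    index, data = b"", b""
    for tag, payload in entries:
        index += struct.pack(">IIII", tag, RPM_BIN_TYPE, len(data), len(payload))
        data += payload
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def build_sample_rpm(signature, payload):
    """Assemble lead + padded signature header + main header + payload (constructed)."""
    lead = LEAD_MAGIC + b"\x03\x00" + b"\0" * (LEAD_SIZE - 6)   # format version 3.0, rest zeroed
    sig = _build_header([(RPMSIGTAG_PGP, signature)])
    sig += b"\0" * ((8 - len(sig) % 8) % 8)
    # 1000 = RPMTAG_NAME; real packages store it as a STRING entry, BIN here for simplicity
    main = _build_header([(1000, b"demo-package\0")])
    return lead + sig + main + payload


if __name__ == "__main__":
    original = build_sample_rpm(b"SIG-OLD-KEY", b"payload-bytes")
    resigned = build_sample_rpm(b"SIG-ROTATED-KEY-LONGER", b"payload-bytes")
    tampered = build_sample_rpm(b"SIG-ROTATED-KEY-LONGER", b"payload-bytes-changed")
    print("whole-file hash changed:", hashlib.sha256(original).digest() != hashlib.sha256(resigned).digest())
    print("only signature changed (re-signed copy):", only_signature_changed(original, resigned))
    print("only signature changed (modified copy): ", only_signature_changed(original, tampered))
```

To use it on real downloads, read both copies with `open(path, "rb").read()` and pass them to `only_signature_changed`; a `True` result means the published checksum moved because of re-signing alone, while `False` means the header or payload also changed and the new artifact should not be trusted on that basis. On a host with the rpm tooling installed, running `rpmsign --delsign` on copies of both files and then comparing their sha256 sums answers the same question.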

Added a comment to the Influxdb issue.

karthick-rn avatar May 06 '21 16:05 karthick-rn

The existing RPMs have been re-signed again today!

[screenshot attached to the original comment]

karthick-rn avatar May 20 '21 18:05 karthick-rn