docker-library/cassandra

Hardcoded GPG keys in build are creating a dependency

pmcfadin opened this issue · 1 comment

The current dockerbuild template for Cassandra has hardcoded 4 members of the Cassandra PMC. Today's 4.0 release was built by a 5th person and as a result, broke on the key signing check.

```dockerfile
# https://cwiki.apache.org/confluence/display/CASSANDRA2/DebianPackaging#DebianPackaging-AddingRepositoryKeys
ENV GPG_KEYS \
# gpg: key 0353B12C: public key "T Jake Luciani <jake@apache.org>" imported
514A2AD631A57A16DD0047EC749D6EEC0353B12C \
# gpg: key FE4B2BDA: public key "Michael Shuler <michael@pbandjelly.org>" imported
A26E528B271F19B9E5D8E19EA278B781FE4B2BDA \
# gpg: key E91335D77E3E87CB: public key "Michael Semb Wever <mick@thelastpickle.com>" imported
A4C465FEA0C552561A392A61E91335D77E3E87CB \
# gpg: key F1000962B7F6840C: public key "Alex Petrov <oleksandr.petrov@gmail.com>" imported
9E66CEC6106D578D0B1EB9BFF1000962B7F6840C
```

A PR has been issued to add the 5th person, but this feels like a ticking time bomb dependency.

Ideally, the correct place to pull keys would be from the official ASF keys file for the project that authorizes the builds: https://dist.apache.org/repos/dist/release/cassandra/KEYS
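A CI check for the drift described in this issue, added here as an example that is not part of the docker-library image or the Cassandra project: it extracts the fingerprints declared in a KEYS file (both the older `Key fingerprint =` layout and the bare-fingerprint layout gpg prints) and the ones hardcoded in the Dockerfile's `ENV GPG_KEYS` block, then reports what each side lacks. The KEYS text and Dockerfile excerpt are constructed samples; the all-zero fingerprint is a placeholder standing in for a newly added release manager's key, and one hardcoded key is deliberately left out of the sample KEYS text to show that direction of drift as well.

```python
import re
# CONSTRUCTED KEYS sample: first entry in gpg's older "Key fingerprint =" layout,
# the rest in the bare-fingerprint layout. Fingerprints are the page's values plus
# an all-zero placeholder; one hardcoded key is deliberately absent to show drift.
SAMPLE_KEYS = """\
pub   4096R/0353B12C 2013-12-04
      Key fingerprint = 514A 2AD6 31A5 7A16 DD00  47EC 749D 6EEC 0353 B12C
pub   rsa4096 2017-01-10 [SC]
      A4C465FEA0C552561A392A61E91335D77E3E87CB
pub   rsa4096 2021-07-01 [SC]
      0000000000000000000000000000000000000000
"""
# CONSTRUCTED excerpt of the Dockerfile's hardcoded list (values from the issue).
SAMPLE_DOCKERFILE = """\
ENV GPG_KEYS \\
# gpg: key 0353B12C: public key "T Jake Luciani <jake@apache.org>" imported
514A2AD631A57A16DD0047EC749D6EEC0353B12C \\
A26E528B271F19B9E5D8E19EA278B781FE4B2BDA \\
A4C465FEA0C552561A392A61E91335D77E3E87CB
"""
# 40 hex digits, optionally spaced in groups of four, optionally behind gpg's label.
FPR_RE = re.compile(r"^\s*(?:Key fingerprint\s*=\s*)?((?:[0-9A-Fa-f]{4}\s*){10})$")

def keys_file_fingerprints(text):
    """Normalised (unspaced, upper-case) fingerprints declared in a KEYS file."""
    found = set()
    for line in text.splitlines():
        m = FPR_RE.match(line)
        if m:
            found.add(re.sub(r"\s+", "", m.group(1)).upper())
    return found

def dockerfile_fingerprints(text):
    """Fingerprints listed in the Dockerfile's ENV GPG_KEYS continuation block."""
    found, in_block = set(), False
    for line in text.splitlines():
        if line.startswith("ENV GPG_KEYS"):
            in_block = True
        elif in_block and not line.lstrip().startswith("#"):  # comments are skipped
            for tok in line.replace("\\", " ").split():
                if re.fullmatch(r"[0-9A-Fa-f]{40}", tok):
                    found.add(tok.upper())
            if not line.rstrip().endswith("\\"):
                break  # no trailing backslash: the ENV instruction has ended
    return found

def check_drift(dockerfile_text, keys_text):
    hard, official = dockerfile_fingerprints(dockerfile_text), keys_file_fingerprints(keys_text)
    return {"not_in_keys": sorted(hard - official), "missing_from_dockerfile": sorted(official - hard)}
```

Running `check_drift` against the real Dockerfile and a freshly fetched KEYS file in CI fails the build the moment a release is signed with a key the image does not trust, instead of at image build time.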

I have 2 PRs to address this. One to simply add the key that was used to create the 4.0 release (PR #235). Another to import all the ASF keys for Cassandra (PR #237). Either PR should resolve the recent 4.0 Docker image build problem here. But as @pmcfadin said, adding all of the ASF keys will prevent the build from failing in the future should a new GPG key be used to create the tag/release.