MariaDB package security
The packages provided by the MariaDB developers are signed with a security key so that they can be verified by package managers such as yum and apt. The key signing and verification infrastructure on Linux is called GNU Privacy Guard (GPG). It is a compatible open source version of Pretty Good Privacy (PGP), which is an industry-standard data encryption, decryption, and verification system.
The identification number (GPG ID) of the MariaDB signing key is 0xcbcb082a1bb943db. For longtime users of GPG, this ID may seem a little long. That's because, until recently, it was common to share a short form of the GPG ID. This is discouraged now because of a GPG vulnerability discovered a couple of years ago; however, many utilities will still display the short form by default. The long form of the ID is more secure, so this is what the MariaDB developers share when talking about the key. But, in case we want it, the short form of the ID is 1BB943DB (it's just the last eight characters of the long form ID). For the extra cautious, the full key fingerprint is:
1993 69E5 404B D5FC 7D2F E43B CBCB 082A 1BB9 43DB
The key IDs and fingerprint are also posted in the MariaDB Knowledge Base, which is the official location of the MariaDB documentation and is available from:
https://mariadb.com/kb/en/mariadb/gpg/
By checking the signature of the packages, Linux package managers, and more importantly, WE can verify that a package really comes from the MariaDB developers and hasn't been tampered with since they created it.
When configuring the MariaDB repository on Debian and Ubuntu and during the initial MariaDB install on Fedora, Red Hat, and CentOS, an important task is to import the signing key. It's a good idea to verify the key by comparing it to the IDs and the fingerprint when doing so. Thankfully, this is a one-time operation. Once the key is imported, the process is fully automatic. We will only be notified if the signature check fails.
For the MariaDB Windows, binary Linux, and MariaDB source code files, we can verify them in two ways. The first is by comparing the md5sum of the file we downloaded with the md5sum posted on the MariaDB downloads page next to the file. The second way is to use PGP or GPG to verify the cryptographic signature of the file. These signatures are also posted on the MariaDB downloads page.