oss-sec mailing list archives
Re: PostgreSQL insecure install via yum (multiple problems)
From: Moritz Naumann <info () moritz-naumann com>
Date: Tue, 20 Aug 2013 05:08:18 +0000
Eric H. Christensen:
> On Mon, Aug 19, 2013 at 06:58:22PM -0600, Kurt Seifried wrote:
>> Signing RPM's isn't very useful if you never make the signing key available!
>
> You mean like this:
> http://keys.fedoraproject.org/pks/lookup?search=0x442df0f8&op=vindex

Still plain HTTP there (on a somewhat unrelated site), also:
* short key ID (no fingerprint) listed on http://yum.postgresql.org
* DSA-1 key: 3 don'ts in a row.

The situation is a bit better for the APT repository:
http://wiki.postgresql.org/wiki/Apt
* 4096-bit RSA key
* instructs to download key from same site - using plain http (but HTTPS is available - GoDaddy CA domain control validated)
* (short key ID used in documentation only)

Contrary to the Yum repository signing key, this OpenPGP key is signed by someone else, notably a Debian developer, so verifying it via the web of trust / strong set /may/ succeed.

Maybe a new policy document would solve it...
http://wiki.postgresql.org/wiki/Policies
http://wiki.postgresql.org/wiki/ReleasePrep

This said, I'm glad that the PostgreSQL Global Development Group do provide us with these repositories.

Moritz
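
The checks this message points at (key fetched over HTTPS, a full fingerprint pinned instead of a short key ID, an adequate key size), as an added example that is not part of the original post. The key listings, fingerprints, `repo.example` URLs and the 2048-bit `MIN_BITS` threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a repository signing key before importing it.
# stdin: output of `gpg --with-colons --show-keys KEYFILE`
#   pub record: field 3 = key size in bits
#   fpr record: field 10 = full fingerprint
# MIN_BITS is an assumed local policy, not a value from the thread.
MIN_BITS=2048

# audit_key PIN KEY_URL -> prints findings (or OK); status 0 only if clean
audit_key() {
    # Normalise the pinned value: drop a 0x prefix and spaces, upper-case hex.
    pin=$(printf '%s' "${1#0x}" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    listing=$(cat)
    fpr=$(printf '%s\n' "$listing" | awk -F: '$1 == "fpr" { print $10; exit }')
    bits=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { print $3; exit }')
    findings=""
    # A key downloaded over plain HTTP can be swapped in transit.
    case $2 in
        https://*) ;;
        *) findings="$findings key-fetched-without-tls" ;;
    esac
    # A short key ID is only the last 32 bits of the fingerprint,
    # so it is never accepted as a pin, even when it matches.
    if [ "${#pin}" -ne 40 ]; then
        findings="$findings pin-is-not-a-full-fingerprint"
    elif [ "$fpr" != "$pin" ]; then
        findings="$findings fingerprint-mismatch"
    fi
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        findings="$findings weak-key-${bits:-0}-bits"
    fi
    if [ -n "$findings" ]; then
        printf '%s\n' "${findings# }"
        return 1
    fi
    printf 'OK\n'
}

# Constructed listings (not real keys): a 1024-bit DSA key and a 4096-bit RSA key.
SAMPLE_DSA='pub:-:1024:17:89ABCDEF01234567:1000000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
SAMPLE_RSA='pub:-:4096:1:76543210FEDCBA98:1000000000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

printf '%s\n' "$SAMPLE_DSA" | audit_key 0x01234567 http://repo.example/KEY.asc || true
printf '%s\n' "$SAMPLE_RSA" | audit_key 'fedc ba98 7654 3210 fedc ba98 7654 3210 fedc ba98' https://repo.example/KEY.asc
```

The pinned fingerprint has to reach the administrator over a channel independent of the repository that serves the key, otherwise the comparison proves nothing.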