oss-sec mailing list archives

Re: PostgreSQL insecure install via yum (multiple problems)


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Aug 2013 22:13:51 -0600

On 08/19/2013 07:04 PM, Landon Hurley wrote:
> Kurt Seifried <kseifried () redhat com> wrote:
>> Problem:
>>
>> So I wanted to install PostgreSQL 9.2 to test something. So I
>> google "postgresql 9.2 rpm" and get sent to:
>>
>> http://yum.postgresql.org/repopackages.php
>>
>> which is not available by HTTPS at all. Not ideal but ok, I
>> download it over HTTP because I can check the signature on the
>> file right?
>>
>> Wrong, I can't find the key anywhere. I try pgp.mit.edu, I even
>> google site:postgresql.org 442df0f8 and all you get are archived
>> emails with the warning that the signature can't be checked. No
>> copy of the key.
>
> Kurt, pgp.mit.edu is deprecated. I recommend searching 0x442df0f8
> on pool.sks-keyservers.net which does return a key.
>
> landon

Weird, I must have typo'ed it, in any event it returns a key with that
value and no signatures. No idea if it's legitimate or not. I can
check it against an RPM I downloaded over HTTP which sort of ends me
back up square one.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993