Insecure instructions for installing YUM repo

From: Michael Gauthier <mike(at)silverorange(dot)com>
To: pgsql-pkg-yum(at)postgresql(dot)org
Subject: Insecure instructions for installing YUM repo
Date: 2016-02-19 06:03:24
Message-ID: 56C6B02C.7040304@silverorange.com
Lists: pgsql-pkg-yum

Hi!

The instructions on http://yum.postgresql.org/howtoyum.php for
installing the PostgreSQL YUM repository are insecure.

You are asking people to download and install the repo RPM package over
HTTP. A MITM attack could serve an arbitrary RPM and trick users into
installing arbitrary software.

The first option to fix this is to continue to use HTTP, but tell people
to get the signing key and verify the key and package *before*
installation. For this to work, you should publish your public key and
fingerprint prominently on the site. If possible, provide the key over
HTTPS so the key verification step can be skipped. Step-by-step
instructions should be included like:

1. download our public key with fingerprint FOO
2. verify our public key at https://pgp.mit.edu/ or some other source
you trust
3. import our key into the RPM DB:
rpm --import keyfile.key
4. download the RPM package for your distribution
5. verify the RPM package:
rpm -K postgres.rpm
6. install the RPM package

The second way to fix the issue is to provide the repo RPM package over
HTTPS. This option would be much easier for most users and will require
less documentation.

Please see
https://securityblog.redhat.com/2015/08/19/secure-distribution-of-rpm-packages/
for more details about why the current instructions are inadequate.

Thanks,
Mike
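The key-then-package verification procedure described in the message, written out as an added shell example that is not part of the original post. KEY_URL, EXPECTED_FPR and RPM_URL are placeholders; the script assumes gpg 2.1+ (for `--import-options show-only`) and the `rpm -K` wording of rpm 4.10+ ("digests signatures OK").

```shell
#!/bin/sh
# Added example: verify the signing key's fingerprint and the repo RPM's
# signature *before* installing. URLs and fingerprint below are placeholders.
set -eu

KEY_URL="https://EXAMPLE.invalid/RPM-GPG-KEY-PGDG"                # placeholder
EXPECTED_FPR="0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"  # placeholder
RPM_URL="https://EXAMPLE.invalid/pgdg-redhat-repo.rpm"            # placeholder

# Normalise a fingerprint (drop spaces, upper-case) so the form printed on a
# website, by a keyserver and by gpg's colon output all compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only when both fingerprints are non-empty and identical.
fingerprint_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Accept one line of `rpm -K` output only if a signature actually verified.
# "digests OK" on its own means no signature was checked, so it is rejected
# (assumed rpm 4.10+ output format).
rpm_sig_line_ok() {
    case "$1" in
        *"NOT OK"*)        return 1 ;;
        *"signatures OK"*) return 0 ;;
        *)                 return 1 ;;
    esac
}

install_pgdg_repo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    curl -fsSL "$KEY_URL" -o "$tmp/key.asc"                  # 1. fetch key over HTTPS
    actual=$(gpg --with-colons --import-options show-only --import "$tmp/key.asc" \
             | awk -F: '$1=="fpr"{print $10; exit}')
    fingerprint_matches "$EXPECTED_FPR" "$actual" \
        || { echo "fingerprint mismatch: $actual" >&2; exit 1; }  # 2. pin check
    sudo rpm --import "$tmp/key.asc"                         # 3. import into RPM DB
    curl -fsSL "$RPM_URL" -o "$tmp/repo.rpm"                 # 4. fetch repo RPM
    rpm_sig_line_ok "$(rpm -K "$tmp/repo.rpm")" \
        || { echo "signature check failed" >&2; exit 1; }    # 5. verify package
    sudo rpm -i "$tmp/repo.rpm"                              # 6. install
}

if [ "${1:-}" = "run" ]; then install_pgdg_repo; fi
```

Run as `sh verify-repo.sh run` after replacing the placeholders; the two helper functions can be exercised on their own without network or rpm.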
