| From: | Michael Gauthier <mike(at)silverorange(dot)com> |
|---|---|
| To: | Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, pgsql-pkg-yum(at)postgresql(dot)org |
| Subject: | Re: Insecure instructions for installing YUM repo |
| Date: | 2016-02-19 18:33:55 |
| Message-ID: | 56C76013.1090608@silverorange.com |
| Lists: | pgsql-pkg-yum |
On 2/19/2016 5:48 AM, Devrim GÜNDÜZ wrote:
>
> Hi,
>
> On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
>> The instructions on http://yum.postgresql.org/howtoyum.php for
>> installing the PostgreSQL YUM repository are insecure.
>>
>> You are asking people to download and install the repo RPM package over
>> HTTP. A MITM attack could serve an arbitrary RPM and trick users into
>> installing arbitrary software.
>
> Thanks for the heads up. I updated the links on that page, so that they point
> to https://download.postgresql.org . Does it work for you?
>
> Please let us know if you see more issues with this.
>
> Regards,
>
Hi Devrim,

Thanks for the quick update to use HTTPS! This is indeed much better
than before and works for me.

Cheers,
Mike
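
The concern raised in this thread, carried one step past the howto link (an added example, not part of the original messages or of the PostgreSQL packaging project): a shell function that audits a yum/dnf repository definition for plaintext transport and disabled signature checking. The function name, the repo IDs and the `repo.example.org` host are constructed placeholders.

```shell
# audit_repo FILE: print one finding per line for a yum/dnf .repo file.
# Returns 0 (clean), 1 (findings) or 2 (file unreadable).
audit_repo() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    awk '
    function report(msg) { printf "[%s] %s\n", section, msg; bad = 1 }
    function check_url(k, v) {
        # Metadata, packages and keys fetched in cleartext can be replaced in transit.
        if (k ~ /^(baseurl|mirrorlist|metalink|gpgkey)$/ && tolower(v) ~ /^(http|ftp):\/\//)
            report(k " uses plaintext transport: " v)
    }
    function end_section() { if (section != "" && !gpg_seen) report("gpgcheck not set, inherits the [main] value") }
    BEGIN { bad = 0; section = "" }
    /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
    /^\[/ {                                    # start of a [repo-id] section
        end_section()
        section = $0; gsub(/^\[|\].*$/, "", section)
        gpg_seen = 0; key = ""; next
    }
    /^[ \t]/ {                                 # indented line continues the previous key
        val = $0; gsub(/^[ \t]+|[ \t]+$/, "", val)
        check_url(key, val); next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);             gsub(/^[ \t]+|[ \t]+$/, "", val)
        check_url(key, val)
        if (key == "gpgcheck") {
            gpg_seen = 1
            if (tolower(val) ~ /^(0|no|false|off)$/) report("gpgcheck disabled")
        }
    }
    END { end_section(); exit bad }
    ' "$1"
}

# Constructed sample with placeholder hosts, not a real repo file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[example-old]
baseurl=http://repo.example.org/el7/$basearch
gpgcheck=0
[example-fixed]
baseurl=https://repo.example.org/el7/$basearch
gpgcheck=1
EOF
audit_repo "$sample" || true
```

HTTPS protects the first download of the repo package, which is the point at which no signing key is trusted yet; after that, `gpgcheck` is what ties each package to the imported key.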