From: | Michael Gauthier <mike(at)silverorange(dot)com> |
---|---|
To: | Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, pgsql-pkg-yum(at)postgresql(dot)org |
Subject: | Re: Insecure instructions for installing YUM repo |
Date: | 2016-02-19 18:33:55 |
Message-ID: | 56C76013.1090608@silverorange.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-pkg-yum |
On 2/19/2016 5:48 AM, Devrim GÜNDÜZ wrote:
>
> Hi,
>
> On Fri, 2016-02-19 at 02:03 -0400, Michael Gauthier wrote:
>> The instructions on http://yum.postgresql.org/howtoyum.php for
>> installing the PostgreSQL YUM repository are insecure.
>>
>> You are asking people to download and install the repo RPM package over
>> HTTP. A MITM attack could serve an arbitrary RPM and trick users into
>> installing arbitrary software.
>
> Thanks for the heads up. I updated the links on that page, so that they point
> to https://download.postgresql.org . Does it work for you?
>
> Please let us know if you see more issues with this.
>
> Regards,
>
Hi Devrim,
Thanks for the quick update to use HTTPS! This is indeed much better
than before and works for me.
Cheers,
Mike
From | Date | Subject | |
---|---|---|---|
Next Message | Jehan-Guillaume de Rorthais | 2016-02-22 16:38:45 | Reloading pgbouncer and systemd |
Previous Message | Devrim GÜNDÜZ | 2016-02-19 09:53:38 | Re: PG 9.5 gdal-libs. libpoppler.so.5()(64bit) dependancy issue on Amazon Linux AMI release 2015.09 |