Message-ID: <5212F9C2.8090408@moritz-naumann.com>
Date: Tue, 20 Aug 2013 05:08:18 +0000
From: Moritz Naumann <info@...itz-naumann.com>
To: oss-security@...ts.openwall.com
Subject: Re: PostgreSQL insecure install via yum (multiple problems)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Eric H. Christensen:
> On Mon, Aug 19, 2013 at 06:58:22PM -0600, Kurt Seifried wrote:
>> Signing RPM's isn't very useful if you never make the signing
>> key available!
>
> You mean like this:
> http://keys.fedoraproject.org/pks/lookup?search=0x442df0f8&op=vindex

Still plain HTTP there (on a somewhat unrelated site), also:
* short key ID (no fingerprint) listed on http://yum.postgresql.org
* DSA-1 key

3 don'ts in a row.

The situation is a bit better for the APT repository:
http://wiki.postgresql.org/wiki/Apt
* 4096-bit RSA key
* instructs to download key from same site - using plain http (but HTTPS
  is available - GoDaddy CA domain control validated)
* (short key ID used in documentation only)

In contrast to the Yum repository signing key, this OpenPGP key is signed
by someone else, notably a Debian developer, so verifying it via the web
of trust / strong set /may/ succeed.

Maybe a new policy document would solve it...
http://wiki.postgresql.org/wiki/Policies
http://wiki.postgresql.org/wiki/ReleasePrep

This said, I'm glad that the PostgreSQL Global Development Group do
provide us with these repositories.
Moritz
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJSEvmxXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMEEwRkYzMTUwODdEMEUzQkU0QzVGMkVC
RDk2RUNBRDkzNDUwMEIwAAoJEL2W7K2TRQCwibgQAM/0KPyoqBjaFsmxWo9TrLOz
1IWUs1Y2ww2n3dqy0qwqhBk4o6NsdpRQ0phkqW33H1PxyhYSeq2HvgHf4L16DQ31
mmkaO72v5hO1EjfXNzmeODe1EXpJP91bwSPIbW31p1rOjDBJVcY6sEGeu+GC+tqt
/BaBBO27F/4yoK1U4XIiRDoItjojW92eBoe8UEhu2Ds3GG1/mZ0APj04cq0ruWZw
SWXuuUh+Q/Un27TwTCKsTH1BwSMh4PxxSfXNMnCVT5YzjSWuNq6CRe27FSZOGH+e
28LQYbLKnr9w2Kx0+MCMGihOPmbvAxAaaiVvIvWpLIiNkIyxR86HNMmPB5w8f86K
W97VSCUahN0F0PKefMatCMvKpXL6LqZ6eVxJgBAEUfavj69TBgCF0ORjNtKlFuy9
BHB1pAHYB+/Jj+0K6Ox/hdZnJE9k/VGw2/5tQHyo4dZQbifIYBymcnAszESR7U2H
fLjFCmkLsxdq1/uvirjljscYYyIGWnDdAYURfXQgDslG4uRAOBH/JUJqN/NnAHra
4k4R5DejSmbipeR2QUJoKVvyGVChYrBt2lnzmXk7JYhohPQ2+6kUCU1e/FwNNFVI
s4+9S4BfXEKHkruiKXLSH0DxR88HrV0aokU6eg1OsRB6+evRjjtVzPSfK36KfcPD
cF456FKI6+Q44uc2qp2z
=mzCS
-----END PGP SIGNATURE-----
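The three complaints in the message above (a short key ID instead of a fingerprint, a DSA-1 key, and a key fetched over plain HTTP) can be turned into a mechanical check before a repository key is imported. The script below is an added example for this thread and is not code from the poster, from the PostgreSQL project or from GnuPG; it parses the machine-readable `gpg --with-colons --with-fingerprint --list-keys` format (as documented in GnuPG's doc/DETAILS) and reports each problem. The sample colon-format records, key IDs, fingerprints and URLs are constructed for the example and correspond to no real key; the 2048-bit RSA minimum is a local policy assumption.

```python
"""Sanity checks for a third-party package-repository signing key.

Added example, not the poster's or the project's code.  Reads the output of
`gpg --with-colons --with-fingerprint --list-keys` and flags three problems:
a 32-bit "short" key ID that cannot name a key unambiguously, a DSA-1 key,
and a key that was fetched over plain HTTP.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
MIN_RSA_BITS = 2048   # local policy threshold; an assumption of this example


@dataclass
class PubKey:
    keyid: str                              # 64-bit key ID, 16 hex digits
    algo: int
    bits: int
    fingerprint: str = ""                   # v4 fingerprint, 40 hex digits
    uids: List[str] = field(default_factory=list)

    @property
    def short_id(self) -> str:
        """The 32-bit 'short key ID' is just the low 8 hex digits of the key ID."""
        return self.keyid[-8:]


def parse_colons(text: str) -> List[PubKey]:
    """Parse gpg --with-colons output into primary keys (subkeys are skipped)."""
    keys: List[PubKey] = []
    cur: Optional[PubKey] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":       # type:validity:bits:algo:keyid:created:...
            cur = PubKey(keyid=f[4].upper(), algo=int(f[3]), bits=int(f[2]))
            keys.append(cur)
        elif f[0] == "fpr" and cur is not None and not cur.fingerprint:
            cur.fingerprint = f[9].upper()  # field 10 carries the fingerprint
        elif f[0] == "uid" and cur is not None:
            cur.uids.append(f[9])           # field 10 carries the user ID
        elif f[0] == "sub":
            cur = None                      # the next fpr record is the subkey's
    return keys


def normalize_fpr(s: str) -> str:
    return s.replace(" ", "").upper()


def keys_matching_short_id(keys: List[PubKey], short_id: str) -> List[PubKey]:
    """All keys with that short ID; more than one hit means the ID is ambiguous."""
    return [k for k in keys if k.short_id == short_id.upper()]


def check_key(key: PubKey, expected_fingerprint: str) -> List[str]:
    """Return the problems found; an empty list means the key passes."""
    problems = []
    if key.fingerprint != normalize_fpr(expected_fingerprint):
        problems.append("fingerprint does not match the published value")
    if key.algo == 17:
        if key.bits <= 1024:
            problems.append("DSA-1 key: its 160-bit q ties signatures to SHA-1")
        else:
            problems.append(f"DSA key ({key.bits} bits); prefer RSA or EdDSA")
    elif key.algo in (1, 2, 3) and key.bits < MIN_RSA_BITS:
        problems.append(f"RSA key of only {key.bits} bits")
    return problems


def fetched_over_tls(url: str) -> bool:
    """The key file itself must come over HTTPS; a plain-HTTP download is swappable."""
    return urlparse(url).scheme == "https"


def audit(colons: str, short_id: str, expected_fpr: str, key_url: str) -> Dict:
    """Run all checks for the key a repository's docs identify by short ID."""
    hits = keys_matching_short_id(parse_colons(colons), short_id)
    return {
        "ambiguous_short_id": len(hits) != 1,
        "problems": {k.keyid: check_key(k, expected_fpr) for k in hits},
        "key_fetched_over_tls": fetched_over_tls(key_url),
    }


# Constructed sample output (no real keys): two primary keys that happen to
# share the short ID CAFEF00D, the collision a short ID cannot rule out.
SAMPLE_COLONS = """\
pub:-:1024:17:9876FEDCCAFEF00D:1293840000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF9876FEDCCAFEF00D:
uid:-::::1293840000::0123456789ABCDEF0123456789ABCDEF01234567::Example Yum Repo <yum@example.invalid>::::::::::0:
sub:-:2048:16:1122334455667788:1293840000::::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:
pub:-:4096:1:ABCD1234CAFEF00D:1356998400:::-:::scESC::::::23::0:
fpr:::::::::000011112222333344445555ABCD1234CAFEF00D:
uid:-::::1356998400::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Example Apt Repo <apt@example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    # Hypothetical values: the short ID a repo page lists, the fingerprint it
    # should have listed instead, and the (plain-HTTP) URL the docs point at.
    report = audit(SAMPLE_COLONS, "CAFEF00D",
                   "0000 1111 2222 3333 4444  5555 ABCD 1234 CAFE F00D",
                   "http://yum.example.invalid/RPM-GPG-KEY")
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run against a real keyring with `gpg --with-colons --with-fingerprint --list-keys | python3 keycheck.py` after adapting `audit()` to read stdin; the point of the short-ID check is that a 32-bit ID is matched by any key whose fingerprint ends in those 8 digits, so only the full fingerprint, obtained over an authenticated channel, pins down which key you are trusting.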