SSL and the Postgres buildfarm

From: Tom Lane
Subject: SSL and the Postgres buildfarm
Msg-id: 651118.1634137028@sss.pgh.pa.us
List: buildfarm-members

Probably many of you have heard about the recent issues with
SSL certificates issued by Let's Encrypt.  All postgresql.org
websites use Let's Encrypt certificates, so we were affected
too, and particularly the buildfarm.  The PG web and security
teams have been working on this, and we've now largely restored
things to normal, but there are still a few animals that look
like they may need manual updates.

The main thing to check here, if you are using https: URLs for
either the buildfarm server or the git repo, is that your system's
trust store must contain the "ISRG Root X1" root certificate that
Let's Encrypt certs now trace back to.  Any system that's received
software updates in the last few years should be fine; but if you're
maintaining a legacy system to run a buildfarm animal on, you may
need to update its certificate list by hand.  If your animal seems
not to have built anything since the end of September, you likely
have something to do here.

While we're here, we (the security team) would like to bend your
ears for a bit about using secure SSL connections for your
buildfarm animals.  We noticed that there are a number of machines
that look to be using non-encrypted "git:" or "http:" URLs to
fetch the Postgres code tree.  We think this is not very desirable,
because a man-in-the-middle attack could inject arbitrary code to
be run by your buildfarm machine.  Admittedly the risk of that is
not huge, but it's a lot safer to use an https: URL for the upstream
git repo if you can (there might be a few very old systems that
can't).  There are two things to check here:

1. Does your git repo currently use an https: remote URL?
Check with
    git --git-dir=FARMDIR/pgmirror.git remote -v
If you see
    origin  https://git.postgresql.org/git/postgresql.git (fetch)
    origin  https://git.postgresql.org/git/postgresql.git (push)
then all is well.  If you don't, you can fix it with
    git --git-dir=FARMDIR/pgmirror.git remote set-url origin https://git.postgresql.org/git/postgresql.git
But you might first want to verify that that'll work, say by trying
    git clone https://git.postgresql.org/git/postgresql.git junkdir
(You don't have to wait for that to complete, just see if it starts
to fetch data, then kill it.)

2. Is your buildfarm animal configured to use the https: URL if it
ever has to rebuild the git repo in future?  Check the "scmrepo"
setting in the animal's configuration file.  Best practice is to
leave it set to "undef" so that the default URL will be used, but
you could also specify https://git.postgresql.org/git/postgresql.git
explicitly.

Note: some machines are configured so that the buildfarm's "upstream"
git repo is local, in which case the question to ask is how that repo
is fetching from postgresql.org.  Also, if you prefer to fetch from
the GitHub mirror, that's fine ... but use an https: URL.

Secondarily, assuming you have working https: support, we recommend
making sure that the buildfarm animal's configuration uses https:
URLs for its "target" and "upgrade_target" settings.  These are far
less security-critical than the git URL, but it still seems worth
updating them while you're at it.

            regards, tom lane
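
The check in step 1 of the message above, as an added example that is not part of the original e-mail: a POSIX shell script that reads `git remote -v` output and flags fetch remotes using the non-encrypted git: or http: schemes. The function names, output labels and sample remote lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): audit git remote URLs.
# Function names and output labels are illustrative assumptions.

# classify_url URL -> prints https | cleartext | local | other
classify_url() {
    case "$1" in
        https://*)            echo https ;;
        git://*|http://*)     echo cleartext ;;  # unencrypted transport
        file://*|/*|./*|../*) echo local ;;      # local upstream repo
        *)                    echo other ;;      # e.g. ssh, not covered by the message
    esac
}

# audit_remotes: reads `git remote -v` output on stdin and reports each fetch
# remote. Returns 1 if any fetch remote uses git: or http:, otherwise 0.
audit_remotes() {
    rc=0
    while read -r name url kind; do
        [ "$kind" = "(fetch)" ] || continue
        case "$(classify_url "$url")" in
            https)     echo "OK    $name $url" ;;
            cleartext) echo "FIX   $name $url (set an https: URL)"; rc=1 ;;
            local)     echo "CHECK $name $url (how does that repo fetch?)" ;;
            *)         echo "NOTE  $name $url (not https:)" ;;
        esac
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    # Real use: pass the mirror directory, e.g. FARMDIR/pgmirror.git
    git --git-dir="$1" remote -v | audit_remotes
else
    # Constructed sample of `git remote -v` output, not from a real animal.
    audit_remotes <<'EOF' || echo "at least one fetch remote needs attention"
origin  git://git.postgresql.org/git/postgresql.git (fetch)
origin  git://git.postgresql.org/git/postgresql.git (push)
mirror  /srv/git/postgresql.git (fetch)
EOF
fi
```

A CHECK line corresponds to the note about a local "upstream" repo: run the same audit against that repo's own remotes.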


