Обсуждение: FW: [SECURITY] Missing vendor name in postgresql96 rpms
Hello
We are using the following postgresql rpms, we download from https://yum.postgresql.org/9.6/redhat/rhel-6.6-x86_64/
postgresql96-libs-9.6.6-1PGDG.rhel6.x86_64
postgresql96-server-9.6.6-1PGDG.rhel6.x86_64
postgresql96-9.6.6-1PGDG.rhel6.x86_64
postgresql96-contrib-9.6.6-1PGDG.rhel6.x86_64
The following rpms does not have any vendor name. It is needed for the SVL (Software Vendor List)
(none),postgresql96,9.6.6
(none),postgresql96-contrib,9.6.6
(none),postgresql96-libs,9.6.6
(none),postgresql96-server,9.6.6
rpm -qi postgresql96
Name : postgresql96 Relocations: (not relocatable)
Version : 9.6.6 Vendor: (none)
Note that as part of our security process, it is needed to report all used 3PP in order to be informed automatically of any new vulnerability (CVE) . The database needs Vendor, Name and Version from the rpm as input and actually it is needed to add manually a Vendor for postgresql rpm before uploading the information otherwise the upload would failed.
Thanks!
Best Regards
Audrey
Hi, On Mon, 2017-12-11 at 12:57 +0000, Ziyun Audrey Wang wrote: > > We are using the following postgresql rpms, we download from https://yum.post > gresql.org/9.6/redhat/rhel-6.6-x86_64/ > > postgresql96-libs-9.6.6-1PGDG.rhel6.x86_64 > > postgresql96-server-9.6.6-1PGDG.rhel6.x86_64 > > postgresql96-9.6.6-1PGDG.rhel6.x86_64 > > postgresql96-contrib-9.6.6-1PGDG.rhel6.x86_64 > > The following rpms does not have any vendor name. It is needed for the SVL > (Software Vendor List) > > (none),postgresql96,9.6.6 > (none),postgresql96-contrib,9.6.6 > (none),postgresql96-libs,9.6.6 > (none),postgresql96-server,9.6.6 > > rpm -qi postgresql96 > Name : postgresql96 Relocations: (not relocatable) > Version : 9.6.6 Vendor: (none) Hmm, this is something that I avoided before, per the packaging guidelines -- but it looks like I misinterpreted the guidelines. The packaging guidelines do not allow using Vendor in the spec file, but we can specify this inside ~/.rpmmacros file. > Note that as part of our security process, it is needed to report all used > 3PP in order to be informed automatically of any new vulnerability (CVE) . > The database needs Vendor, Name and Version from the rpm as input and > actually it is needed to add manually a Vendor for postgresql rpm before > uploading the information otherwise the upload would failed. Ok, there are two things here: * What will we use as the vendor tag? "PostgreSQL Global Development Group" ? Asked -core about this. I will let you know. * This requires a rebuild of all packages, which is a non-trivial work. I think the best way would be adding %vendor tag to .rpmmmacros on all build servers, and then let it be picked by each new package addition / update. It will take a while, but it will work. The next scheduled release for the PostgreSQL releases are Feb 8th. Regards, -- Devrim Gündüz EnterpriseDB: https://www.enterprisedb.com PostgreSQL Consultant, Red Hat Certified Engineer Twitter: @DevrimGunduz , @DevrimGunduzTR