Discussion: bigsql installer's SSL certificate expired
Hi,

While looking up whether the bigsql installer still supports 32bit windows (yes, I feel I need to justify that ;)), I just noticed that the link from
https://www.postgresql.org/download/windows/
leads to
https://www.bigsql.org/postgresql/installers.jsp/

and that I get an invalid cert warning there. Which seems accurate:

Issued On Wednesday, March 28, 2018 at 5:00:00 PM
Expires On Monday, April 29, 2019 at 5:00:00 AM

So, right now our download page links to something that'll look like a security issue to many. The number of issues with the bigsql packages over the last year has been pretty substantial.

Greetings,

Andres Freund

On Monday, April 29, 2019 8:33 PM, Andres Freund <andres@anarazel.de> wrote:
> Hi,
>
> While looking up whether the bigsql installer still supports 32bit
> windows (yes, I feel I need to justify that ;)), I just noticed that the
> link from
> https://www.postgresql.org/download/windows/
> leads to
> https://www.bigsql.org/postgresql/installers.jsp/
>
> and that I get an invalid cert warning there. Which seems accurate:
>
> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
> Expires On Monday, April 29, 2019 at 5:00:00 AM
>
> So, right now our download page links to something that'll look like a
> security issue to many.

Considering how browsers deal with expired certificates, I am in favour of temporarily removing the links until the certificate has been updated.

cheers ./daniel

On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
> On Monday, April 29, 2019 8:33 PM, Andres Freund <andres@anarazel.de> wrote:
>
>> Hi,
>>
>> While looking up whether the bigsql installer still supports 32bit
>> windows (yes, I feel I need to justify that ;)), I just noticed that the
>> link from
>> https://www.postgresql.org/download/windows/
>> leads to
>> https://www.bigsql.org/postgresql/installers.jsp/
>>
>> and that I get an invalid cert warning there. Which seems accurate:
>>
>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
>> Expires On Monday, April 29, 2019 at 5:00:00 AM
>>
>> So, right now our download page links to something that'll look like a
>> security issue to many.

Yeah, those are not great optics.

> Considering how browsers deal with expired certificates, I am in favour of
> temporarily removing the links until the certificate has been updated.

I would prefer not to have to go down this path (patch pgweb to hide, and hopefully then repatch pgweb to not hide) but I'm ok with it if it's not fixed quickly, per above points.

Jonathan

On 4/29/19 3:05 PM, Jonathan S. Katz wrote:
> On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
>> On Monday, April 29, 2019 8:33 PM, Andres Freund <andres@anarazel.de> wrote:
>>
>>> Hi,
>>>
>>> While looking up whether the bigsql installer still supports 32bit
>>> windows (yes, I feel I need to justify that ;)), I just noticed that the
>>> link from
>>> https://www.postgresql.org/download/windows/
>>> leads to
>>> https://www.bigsql.org/postgresql/installers.jsp/
>>>
>>> and that I get an invalid cert warning there. Which seems accurate:
>>>
>>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
>>> Expires On Monday, April 29, 2019 at 5:00:00 AM
>>>
>>> So, right now our download page links to something that'll look like a
>>> security issue to many.
>
> Yeah, those are not great optics.
>
>> Considering how browsers deal with expired certificates, I am in favour of
>> temporarily removing the links until the certificate has been updated.
>
> I would prefer not to have to go down this path (patch pgweb to hide,
> and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
> not fixed quickly, per above points.

Swapping contact info so people can see emails.

Per some off-list conversations, the BigSQL team said they should have the cert updated by today by 5pm EDT. I'm ok with giving them until then before disabling the URLs.

I have the patch ready, and will push @ 5 should the cert not be updated.

Thanks,

Jonathan

Hi,

On 2019-04-29 15:52:54 -0400, Jonathan S. Katz wrote:
> On 4/29/19 3:05 PM, Jonathan S. Katz wrote:
> > On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
> >> On Monday, April 29, 2019 8:33 PM, Andres Freund <andres@anarazel.de> wrote:
> >>> While looking up whether the bigsql installer still supports 32bit
> >>> windows (yes, I feel I need to justify that ;)), I just noticed that the
> >>> link from
> >>> https://www.postgresql.org/download/windows/
> >>> leads to
> >>> https://www.bigsql.org/postgresql/installers.jsp/
> >>>
> >>> and that I get an invalid cert warning there. Which seems accurate:
> >>>
> >>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
> >>> Expires On Monday, April 29, 2019 at 5:00:00 AM
> >>>
> >>> So, right now our download page links to something that'll look like a
> >>> security issue to many.
> >
> > Yeah, those are not great optics.
> >
> >> Considering how browsers deal with expired certificates, I am in favour of
> >> temporarily removing the links until the certificate has been updated.
> >
> > I would prefer not to have to go down this path (patch pgweb to hide,
> > and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
> > not fixed quickly, per above points.
>
> Swapping contact info so people can see emails.
>
> Per some off-list conversations, the BigSQL team said they should have
> the cert updated by today by 5pm EDT. I'm ok with giving them until then
> before disabling the URLs.

I think BigSQL should also communicate on-list about this.

Greetings,

Andres Freund

On 4/29/19 3:52 PM, Jonathan S. Katz wrote:
> On 4/29/19 3:05 PM, Jonathan S. Katz wrote:
>> On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
>>> On Monday, April 29, 2019 8:33 PM, Andres Freund <andres@anarazel.de> wrote:
>>>
>>>> Hi,
>>>>
>>>> While looking up whether the bigsql installer still supports 32bit
>>>> windows (yes, I feel I need to justify that ;)), I just noticed that the
>>>> link from
>>>> https://www.postgresql.org/download/windows/
>>>> leads to
>>>> https://www.bigsql.org/postgresql/installers.jsp/
>>>>
>>>> and that I get an invalid cert warning there. Which seems accurate:
>>>>
>>>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
>>>> Expires On Monday, April 29, 2019 at 5:00:00 AM
>>>>
>>>> So, right now our download page links to something that'll look like a
>>>> security issue to many.
>>
>> Yeah, those are not great optics.
>>
>>> Considering how browsers deal with expired certificates, I am in favour of
>>> temporarily removing the links until the certificate has been updated.
>>
>> I would prefer not to have to go down this path (patch pgweb to hide,
>> and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
>> not fixed quickly, per above points.
>
> Swapping contact info so people can see emails.
>
> Per some off-list conversations, the BigSQL team said they should have
> the cert updated by today by 5pm EDT. I'm ok with giving them until then
> before disabling the URLs.
>
> I have the patch ready, and will push @ 5 should the cert not be updated.

Unfortunately the deadline has not been met, so I have removed the links for the time being.

Jonathan