bigsql installer's SSL certificate expired

bigsql installer's SSL certificate expired

Andres Freund
Hi,

While looking up whether the bigsql installer still supports 32bit
windows (yes, I feel I need to justify that ;)), I just noticed that the
link from
https://www.postgresql.org/download/windows/
leads to
https://www.bigsql.org/postgresql/installers.jsp/

and that I get an invalid cert warning there. Which seems accurate:

Issued On Wednesday, March 28, 2018 at 5:00:00 PM
Expires On Monday, April 29, 2019 at 5:00:00 AM

So, right now our download page links to something that'll look like a
security issue to many.

The number of issues with the bigsql packages over the last year has
been pretty substantial.

Greetings,

Andres Freund



Re: bigsql installer's SSL certificate expired

Daniel Gustafsson
On Monday, April 29, 2019 8:33 PM, Andres Freund <[hidden email]> wrote:

> Hi,
>
> While looking up whether the bigsql installer still supports 32bit
> windows (yes, I feel I need to justify that ;)), I just noticed that the
> link from
> https://www.postgresql.org/download/windows/
> leads to
> https://www.bigsql.org/postgresql/installers.jsp/
>
> and that I get an invalid cert warning there. Which seems accurate:
>
> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
> Expires On Monday, April 29, 2019 at 5:00:00 AM
>
> So, right now our download page links to something that'll look like a
> security issue to many.

Considering how browsers deal with expired certificates, I am in favour of
temporarily removing the links until the certificate has been updated.

cheers ./daniel



Re: bigsql installer's SSL certificate expired

Jonathan S. Katz-3
On 4/29/19 2:51 PM, Daniel Gustafsson wrote:

> On Monday, April 29, 2019 8:33 PM, Andres Freund <[hidden email]> wrote:
>
>> Hi,
>>
>> While looking up whether the bigsql installer still supports 32bit
>> windows (yes, I feel I need to justify that ;)), I just noticed that the
>> link from
>> https://www.postgresql.org/download/windows/
>> leads to
>> https://www.bigsql.org/postgresql/installers.jsp/
>>
>> and that I get an invalid cert warning there. Which seems accurate:
>>
>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
>> Expires On Monday, April 29, 2019 at 5:00:00 AM
>>
>> So, right now our download page links to something that'll look like a
>> security issue to many.

Yeah, those are not great optics.

> Considering how browsers deal with expired certificates, I am in favour of
> temporarily removing the links until the certificate has been updated.

I would prefer not to have to go down this path (patch pgweb to hide,
and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
not fixed quickly, per above points.

Jonathan



Re: bigsql installer's SSL certificate expired

Jonathan S. Katz-3
On 4/29/19 3:05 PM, Jonathan S. Katz wrote:

> On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
>> On Monday, April 29, 2019 8:33 PM, Andres Freund <[hidden email]> wrote:
>>
>>> Hi,
>>>
>>> While looking up whether the bigsql installer still supports 32bit
>>> windows (yes, I feel I need to justify that ;)), I just noticed that the
>>> link from
>>> https://www.postgresql.org/download/windows/
>>> leads to
>>> https://www.bigsql.org/postgresql/installers.jsp/
>>>
>>> and that I get an invalid cert warning there. Which seems accurate:
>>>
>>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
>>> Expires On Monday, April 29, 2019 at 5:00:00 AM
>>>
>>> So, right now our download page links to something that'll look like a
>>> security issue to many.
>
> Yeah, those are not great optics.
>
>> Considering how browsers deal with expired certificates, I am in favour of
>> temporarily removing the links until the certificate has been updated.
>
> I would prefer not to have to go down this path (patch pgweb to hide,
> and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
> not fixed quickly, per above points.

Swapping contact info so people can see emails.

Per some off-list conversations, the BigSQL team said they should have
the cert updated by today by 5pm EDT. I'm ok with giving them until then
before disabling the URLs.

I have the patch ready, and will push @ 5 should the cert not be updated.

Thanks,

Jonathan



Re: bigsql installer's SSL certificate expired

Andres Freund
Hi,

On 2019-04-29 15:52:54 -0400, Jonathan S. Katz wrote:

> On 4/29/19 3:05 PM, Jonathan S. Katz wrote:
> > On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
> >> On Monday, April 29, 2019 8:33 PM, Andres Freund <[hidden email]> wrote:
> >>> While looking up whether the bigsql installer still supports 32bit
> >>> windows (yes, I feel I need to justify that ;)), I just noticed that the
> >>> link from
> >>> https://www.postgresql.org/download/windows/
> >>> leads to
> >>> https://www.bigsql.org/postgresql/installers.jsp/
> >>>
> >>> and that I get an invalid cert warning there. Which seems accurate:
> >>>
> >>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
> >>> Expires On Monday, April 29, 2019 at 5:00:00 AM
> >>>
> >>> So, right now our download page links to something that'll look like a
> >>> security issue to many.
> >
> > Yeah, those are not great optics.
> >
> >> Considering how browsers deal with expired certificates, I am in favour of
> >> temporarily removing the links until the certificate has been updated.
> >
> > I would prefer not to have to go down this path (patch pgweb to hide,
> > and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
> > not fixed quickly, per above points.
>
> Swapping contact info so people can see emails.
>
> Per some off-list conversations, the BigSQL team said they should have
> the cert updated by today by 5pm EDT. I'm ok with giving them until then
> before disabling the URLs.

I think BigSQL should also communicate on-list about this.

Greetings,

Andres Freund



Re: bigsql installer's SSL certificate expired

Jonathan S. Katz-3
In reply to this post by Jonathan S. Katz-3
On 4/29/19 3:52 PM, Jonathan S. Katz wrote:

> On 4/29/19 3:05 PM, Jonathan S. Katz wrote:
>> On 4/29/19 2:51 PM, Daniel Gustafsson wrote:
>>> On Monday, April 29, 2019 8:33 PM, Andres Freund <[hidden email]> wrote:
>>>
>>>> Hi,
>>>>
>>>> While looking up whether the bigsql installer still supports 32bit
>>>> windows (yes, I feel I need to justify that ;)), I just noticed that the
>>>> link from
>>>> https://www.postgresql.org/download/windows/
>>>> leads to
>>>> https://www.bigsql.org/postgresql/installers.jsp/
>>>>
>>>> and that I get an invalid cert warning there. Which seems accurate:
>>>>
>>>> Issued On Wednesday, March 28, 2018 at 5:00:00 PM
>>>> Expires On Monday, April 29, 2019 at 5:00:00 AM
>>>>
>>>> So, right now our download page links to something that'll look like a
>>>> security issue to many.
>>
>> Yeah, those are not great optics.
>>
>>> Considering how browsers deal with expired certificates, I am in favour of
>>> temporarily removing the links until the certificate has been updated.
>>
>> I would prefer not to have to go down this path (patch pgweb to hide,
>> and hopefully then repatch pgweb to not hide) but I'm ok with it if it's
>> not fixed quickly, per above points.
>
> Swapping contact info so people can see emails.
>
> Per some off-list conversations, the BigSQL team said they should have
> the cert updated by today by 5pm EDT. I'm ok with giving them until then
> before disabling the URLs.
>
> I have the patch ready, and will push @ 5 should the cert not be updated.

Unfortunately the deadline has not been met, so I have removed the links
for the time being.

Jonathan

