Subject: Re: FW: [SECURITY] Missing vendor name in postgresql96 rpms
From: Devrim Gündüz
To: Ziyun Audrey Wang, pgsql-pkg-yum@lists.postgresql.org
Cc: Thierry Beauquier
Date: Tue, 12 Dec 2017 15:42:54 +0300
Message-ID: <1513082574.19931.84.camel@gunduz.org>

Hi,

On Mon, 2017-12-11 at 12:57 +0000, Ziyun Audrey Wang wrote:
> We are using the following postgresql rpms, we download from https://yum.postgresql.org/9.6/redhat/rhel-6.6-x86_64/
>
> postgresql96-libs-9.6.6-1PGDG.rhel6.x86_64
> postgresql96-server-9.6.6-1PGDG.rhel6.x86_64
> postgresql96-9.6.6-1PGDG.rhel6.x86_64
> postgresql96-contrib-9.6.6-1PGDG.rhel6.x86_64
>
> The following rpms do not have any vendor name. It is needed for the SVL (Software Vendor List):
>
> (none),postgresql96,9.6.6
> (none),postgresql96-contrib,9.6.6
> (none),postgresql96-libs,9.6.6
> (none),postgresql96-server,9.6.6
>
> rpm -qi postgresql96
> Name : postgresql96 Relocations: (not relocatable)
> Version : 9.6.6 Vendor: (none)

Hmm, this is something that I avoided before, per the packaging guidelines -- but it looks like I misinterpreted the guidelines. The packaging guidelines do not allow using Vendor in the spec file, but we can specify this inside the ~/.rpmmacros file.

> Note that as part of our security process, it is needed to report all used
> 3PP in order to be informed automatically of any new vulnerability (CVE).
> The database needs Vendor, Name and Version from the rpm as input and
> actually it is needed to add manually a Vendor for postgresql rpm before
> uploading the information, otherwise the upload would fail.

Ok, there are two things here:

* What will we use as the vendor tag? "PostgreSQL Global Development Group"? Asked -core about this. I will let you know.

* This requires a rebuild of all packages, which is non-trivial work. I think the best way would be adding the %vendor tag to .rpmmacros on all build servers, and then let it be picked up by each new package addition / update. It will take a while, but it will work. The next scheduled release for the PostgreSQL releases is Feb 8th.
Regards,
--
Devrim Gündüz
EnterpriseDB: https://www.enterprisedb.com
PostgreSQL Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR
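As an added example (not part of this thread, nor code from the PGDG packaging repository), a POSIX shell sketch of both halves of the issue: an inventory check that flags installed RPMs whose Vendor header is absent, which is what breaks the SVL/CVE upload described above, and the ~/.rpmmacros line Devrim proposes. The sample inventory is constructed, and "PostgreSQL Global Development Group" is the candidate vendor string from the thread, not a decided value.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes rpm(8) is present only when
# rpm_inventory is actually called; the self-check below uses constructed data.

# One "vendor<TAB>name<TAB>version" line per installed package. VENDOR, NAME and
# VERSION are standard rpm header tags. A tab separator is used instead of the
# CSV in the report because real vendor strings (e.g. "Red Hat, Inc.") contain
# commas and would shift the columns.
rpm_inventory() {
    rpm -qa --queryformat '%{VENDOR}\t%{NAME}\t%{VERSION}\n'
}

# Read inventory lines on stdin; print "name version" for each package whose
# Vendor header is absent. rpm prints "(none)" for a missing header, exactly as
# in the "rpm -qi postgresql96" output quoted above.
missing_vendor() {
    awk -F '\t' '$1 == "(none)" { print $2 " " $3 }'
}

# The remedy from the thread: set %vendor in a macros file (normally
# ~/.rpmmacros on each build host) so rpmbuild fills the Vendor header without
# touching the spec file. $1 is the macros file, $2 the vendor string.
set_vendor_macro() {
    printf '%%vendor %s\n' "$2" >> "$1"
}

# Constructed sample inventory (not output from any real host).
SAMPLE_INVENTORY="$(printf '%s\n' \
    '(none)	postgresql96	9.6.6' \
    '(none)	postgresql96-libs	9.6.6' \
    'Red Hat, Inc.	bash	4.1.2' \
    'PostgreSQL Global Development Group	postgresql96-contrib	9.6.6')"

# Number of packages the sample inventory flags (used by the self-check).
count_missing_vendor() {
    printf '%s\n' "$SAMPLE_INVENTORY" | missing_vendor | wc -l | tr -d ' '
}

# On a real host: rpm_inventory | missing_vendor
printf '%s\n' "$SAMPLE_INVENTORY" | missing_vendor
```

Run the check on each host before uploading an inventory; any line it prints is a package the SVL upload would reject.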