SSL and the Postgres buildfarm
From | Tom Lane |
---|---|
Subject | SSL and the Postgres buildfarm |
Date | |
Msg-id | 651118.1634137028@sss.pgh.pa.us |
List | buildfarm-members |
Probably many of you have heard about the recent issues with SSL certificates issued by Let's Encrypt. All postgresql.org websites use Let's Encrypt certificates, so we were affected too, and particularly the buildfarm. The PG web and security teams have been working on this, and we've now largely restored things to normal, but there are still a few animals that look like they may need manual updates.

The main thing to check here, if you are using https: URLs for either the buildfarm server or the git repo, is that your system's trust store must contain the "ISRG Root X1" root certificate that Let's Encrypt certs now trace back to. Any system that's received software updates in the last few years should be fine; but if you're maintaining a legacy system to run a buildfarm animal on, you may need to update its certificate list by hand. If your animal seems not to have built anything since the end of September, you likely have something to do here.

While we're here, we (the security team) would like to bend your ears for a bit about using secure SSL connections for your buildfarm animals. We noticed that there are a number of machines that look to be using non-encrypted "git:" or "http:" URLs to fetch the Postgres code tree. We think this is not very desirable, because a man-in-the-middle attack could inject arbitrary code to be run by your buildfarm machine. Admittedly the risk of that is not huge, but it's a lot safer to use an https: URL for the upstream git repo if you can (there might be a few very old systems that can't).

There are two things to check here:

1. Does your git repo currently use an https: remote URL? Check with

    git --git-dir=FARMDIR/pgmirror.git remote -v

If you see

    origin https://git.postgresql.org/git/postgresql.git (fetch)
    origin https://git.postgresql.org/git/postgresql.git (push)

then all is well. If you don't, you can fix it with

    git --git-dir=FARMDIR/pgmirror.git remote set-url origin https://git.postgresql.org/git/postgresql.git

But you might first want to verify that that'll work, say by trying

    git clone https://git.postgresql.org/git/postgresql.git junkdir

(You don't have to wait for that to complete, just see if it starts to fetch data, then kill it.)

2. Is your buildfarm animal configured to use the https: URL if it ever has to rebuild the git repo in future? Check the "scmrepo" setting in the animal's configuration file. Best practice is to leave it set to "undef" so that the default URL will be used, but you could also specify https://git.postgresql.org/git/postgresql.git explicitly.

Note: some machines are configured so that the buildfarm's "upstream" git repo is local, in which case the question to ask is how that repo is fetching from postgresql.org. Also, if you prefer to fetch from the github mirror, that's fine ... but use an https: URL.

Secondarily, assuming you have working https: support, we recommend making sure that the buildfarm animal's configuration uses https: URLs for its "target" and "upgrade_target" settings. These are far less security-critical than the git URL, but it still seems worth updating them while you're at it.

regards, tom lane
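The two checks in the message, as an added shell example that is not part of the original post or of the buildfarm client. The function names, the `example.invalid` URLs and the assumed `key => value,` layout of the configuration file are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): flag unencrypted URLs in a
# buildfarm animal's git remotes and configuration.

# classify_url URL -> prints ok | insecure | local
classify_url() {
    case "$1" in
        https://*)        echo ok ;;
        git://*|http://*) echo insecure ;;  # cleartext: open to man-in-the-middle
        *)                echo local ;;     # path etc.: check how that repo fetches
    esac
}

# audit_remotes: reads `git remote -v` output on stdin, one verdict per line.
audit_remotes() {
    while read -r name url kind; do
        if [ -n "$url" ]; then
            echo "$(classify_url "$url") $name $url $kind"
        fi
    done
}

# audit_config: reads the animal's configuration on stdin and checks the
# scmrepo, target and upgrade_target settings.
# Assumption: settings are written as `key => value,` with optional quotes.
audit_config() {
    sed -n -E "s/^[[:space:]]*(scmrepo|target|upgrade_target)[[:space:]]*=>[[:space:]]*['\"]?([^'\",]*)['\"]?,?.*/\1 \2/p" |
    while read -r key val; do
        if [ "$val" = undef ]; then
            echo "ok $key undef"            # default URL will be used
        else
            echo "$(classify_url "$val") $key $val"
        fi
    done
}

# Constructed sample input; on a real animal use instead:
#   git --git-dir=FARMDIR/pgmirror.git remote -v | audit_remotes
#   audit_config < path/to/animal/config
printf 'origin\tgit://mirror.example.invalid/postgresql.git (fetch)\n' | audit_remotes
printf "scmrepo => undef,\ntarget => 'http://bf.example.invalid/status',\n" | audit_config
```

Any line starting with `insecure` names a remote or setting to switch to an https: URL; a `local` verdict means the answer depends on how that local repo itself fetches from upstream.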