Thread: FW: [SECURITY] Missing vendor name in postgresql96 rpms

Hi,

On Mon, 2017-12-11 at 12:57 +0000, Ziyun Audrey Wang wrote:
>
> We are using the following postgresql rpms, we download from https://yum.post
> gresql.org/9.6/redhat/rhel-6.6-x86_64/
>
>  postgresql96-libs-9.6.6-1PGDG.rhel6.x86_64
>
> postgresql96-server-9.6.6-1PGDG.rhel6.x86_64
>
> postgresql96-9.6.6-1PGDG.rhel6.x86_64
>
> postgresql96-contrib-9.6.6-1PGDG.rhel6.x86_64
>
> The following rpms does not have any vendor name. It is needed for the SVL
> (Software Vendor List)
>
> (none),postgresql96,9.6.6
> (none),postgresql96-contrib,9.6.6
> (none),postgresql96-libs,9.6.6
> (none),postgresql96-server,9.6.6
>
> rpm -qi postgresql96
> Name : postgresql96 Relocations: (not relocatable)
> Version : 9.6.6 Vendor: (none)

Hmm, this is something that I avoided before, per the packaging guidelines --
but it looks like I misinterpreted the guidelines. The packaging guidelines do
not allow using Vendor in the spec file, but we can specify this inside
~/.rpmmacros file.

> Note that as part of our security process, it is needed to report all used
> 3PP in order to be informed automatically of any new vulnerability (CVE) .
> The database needs Vendor, Name and Version from the rpm as input and
> actually it is needed to add manually a Vendor for postgresql rpm before
> uploading the information otherwise the upload would failed.

Ok, there are two things here:

* What will we use as the vendor tag? "PostgreSQL Global Development Group" ?
Asked -core about this. I will let you know.

* This requires a rebuild of all packages, which is a non-trivial work. I think
the best way would be adding %vendor tag to .rpmmmacros on all build servers,
and then let it be picked by each new package addition / update. It will take a
while, but it will work. The next scheduled release for the PostgreSQL releases
are Feb 8th.

Regards,

--
Devrim Gündüz
EnterpriseDB: https://www.enterprisedb.com
PostgreSQL Consultant, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR