zonkyio / embedded-postgres-binaries

Lightweight bundles of PostgreSQL binaries with reduced size intended for testing purposes.
Apache License 2.0

repack-postgres.sh does not use https #3

Closed josecv closed 4 years ago

josecv commented 5 years ago

The repack-postgres.sh script downloads postgres binaries from http://get.enterprisedb.com instead of https. This doesn't inspire much confidence in the integrity of the binary I'm running on my machine. It should probably be changed to use https.

tomix26 commented 5 years ago

It is a component intended for testing-only purposes, so I don't think it is a critical issue. Moreover, if someone hacks the target server, using the https protocol will not guarantee the security of the downloaded data. A safer solution is to check the hash of the downloaded data and compare it with an expected value, which would make the release process more complicated.
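The two controls discussed in this thread, fetching over https and pinning the hash of the downloaded archive, combined in one shell fragment. This is an added example, not code from repack-postgres.sh or the project; the URL and expected hash in `fetch_verified` are placeholders, and the demo runs offline on a constructed file.

```shell
#!/bin/sh
# Added example: download over TLS only and refuse the archive unless its
# SHA-256 matches a value pinned in the script. Not the project's own code.
set -eu

# Portable SHA-256 of a file: GNU coreutils ship sha256sum, macOS/BSD ship shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> status 0 on match, 1 on mismatch.
# On mismatch the file is deleted so a later build step cannot pick up the
# unverified archive by accident.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    rm -f "$file"
    return 1
}

# fetch_verified URL EXPECTED_HEX OUTFILE: -f fails on HTTP errors, --proto
# restricts curl to https (a plain http:// URL is rejected), then the pinned
# hash is checked. URL and hash are placeholders supplied by the caller.
fetch_verified() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$3" "$1"
    verify_sha256 "$3" "$2"
}

# Offline demonstration on a constructed file instead of a real download.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample archive\n' > "$tmp"
    good=$(sha256_of "$tmp")
    verify_sha256 "$tmp" "$good" && echo "ok: hash matches"
    printf 'x' >> "$tmp"   # simulate a tampered download: one extra byte
    if verify_sha256 "$tmp" "$good" 2>/dev/null; then
        echo "BUG: tampered file accepted"; return 1
    fi
    echo "ok: tampered file rejected and removed"
}
```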