Re: Problem with OpenSCG downloads

On Fri, Aug 17, 2018 at 4:39 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:

> On Thu, Aug 16, 2018 at 09:25:36AM -0700, Andres Freund wrote:
> > On 2018-08-16 16:32:00 +0100, Justin Clift wrote:
> > > On 2018-08-16 16:25, Andres Freund wrote:
> > > > FWIW, I find this pretty damning given that there's been new security
> > > > release for a week: You've added no notes about it to the bigsql
> > > > download page. Pinged nobody, to get the downloadlinks temporarily
> > > > adorned with a warning on the pg site. And then there's the issue
> that
> > > > the dates besides the releases on the download page are referencing
> the
> > > > date of the newest set of minor releases, but aren't actually new.
> > > >
> > > > This is ridiculously intransparent.
> > >
> > > Is it fairly simple for us to just comment out/remove the links for
> now?
> > >
> > > We don't want to be pointing people to software with known security
> issues.
> > >
> > > We can put the links back in when the updated downloads are in place.
> :)
> >
> > Probably don't want to remove them entirely, it might prevent people
> > from upgrading from an even older release with more serious issues. But
> > a red warning seems appropriate.
>
> Agreed. We need to do something _now_, and the fact that we are having
> to discover this instead of OpenSCG telling us is a good reason to
> suspect the use of this download site in the future.
>
> Looking at their website now, does it show they now have the proper
> binaries?
>
> https://www.openscg.com/bigsql/postgresql/installers/
>
> PostgreSQL 10.5 - Stable (09-Aug-18)
>
> postgresql-10.5-win64.exe
> postgresql-10.5-osx64.dmg
>
>
Per the filenames it looks like they do. But the dates are still backdated
on them?

Jim, any confirmation on the status?

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>