by pdkl95 3741 days ago
> you should be installing packages via your OS's installation mechanism.

My OS's install mechanism downloads the source tarball. It does authenticate the download, of course. The point being you don't know what platform someone is using, and the source may be the only way they can install PostgreSQL.

> PostgreSQL wants

It doesn't matter what they want - if the source is available for download, it will be used. Unauthenticated downloads are an "attractive nuisance" that puts users at risk. The actual download links[1] at www.postgresql.org do use https, but the HTML that contains the download URLs irresponsibly redirects https requests back to http. While the download of the actual source tarball is authenticated, the URL to that download can easily be modified in transit.

[1] https://www.postgresql.org/ftp/source/v9.5.1/
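The weakness described in the comment above (an https request redirected back to http, and a page whose tarball links can then be swapped in transit), as an added offline audit that is not part of the original thread; the redirect chain, the `example.test` hosts and the HTML are constructed sample input, and the helper names are my own:

```python
"""Audit a download page for two conditions: an https request that was
redirected to http, and tarball links that are not served over https.
Sample input is constructed below so the audit runs offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every href attribute of <a> tags on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def downgrade_hops(redirect_chain):
    """Return (src, dst) pairs where an https URL was redirected to http."""
    return [(src, dst) for src, dst in zip(redirect_chain, redirect_chain[1:])
            if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"]


def insecure_download_links(page_url, html, suffixes=(".tar.gz", ".tar.bz2")):
    """Return absolute tarball links on the page that are not https.
    Relative links are resolved against page_url, so a downgraded page
    turns even its relative links into http downloads."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        if absolute.endswith(suffixes) and urlsplit(absolute).scheme != "https":
            found.append(absolute)
    return found


# Constructed sample: requested over https, landed on http, mixed links.
SAMPLE_CHAIN = ["https://example.test/download/", "http://example.test/download/"]
SAMPLE_HTML = """
<a href="https://example.test/ftp/source/v9.5.1/postgresql-9.5.1.tar.gz">https</a>
<a href="http://mirror.example.test/postgresql-9.5.1.tar.bz2">mirror</a>
<a href="/ftp/source/v9.5.1/postgresql-9.5.1.tar.gz">relative</a>
<a href="/docs/">docs</a>
"""

if __name__ == "__main__":
    print(downgrade_hops(SAMPLE_CHAIN))
    print(insecure_download_links(SAMPLE_CHAIN[-1], SAMPLE_HTML))
```

Note that the relative link is only flagged when resolved against the downgraded http page URL, which is exactly why the redirect matters even though the tarball itself is served over https.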