From: | "pbj(at)cmicdo(dot)com" <pbj(at)cmicdo(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Dave Cramer <davecramer(at)gmail(dot)com>, Christophe Pettus <xof(at)thebuild(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Relative security of Community repos and packages |
Date: | 2021-07-29 19:24:08 |
Message-ID: | 1188480133.601550.1627586648289@mail.yahoo.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Greetings,
>
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > > Indeed, that comment didn't seem to help clear things up. I'm guessing Dave
> > > is referring to the fact that we have a separate "gitmaster" server, which
> > > is also maintained by pginfra and is where committers actually push changes
> > > to, and then that is mirrored to git.postgresql.org. I didn't check which
> > > repo the tarball building script pulls from (which is run on pginfra, in
> > > case anyone is wondering about that) and perhaps it pulls from gitmaster
> > > and not git.p.o.
> >
> > It does pull from gitmaster. There are multiple reasons for this design,
> > but one is that a compromise of our public git server wouldn't imperil
> > the contents of the official tarballs.
>
> That doesn't do much for the large number of folks who use
> git.postgresql.org or the github mirror though, unfortunately. Signed
> commits, on the other hand, would help.
A slightly different tack on this question: How quickly would you notice that a rogue RPM had been inserted into the repo and then be able to fix it?
I very much appreciate everyone's input!
PJ
From | Date | Subject | |
---|---|---|---|
Next Message | Dave Cramer | 2021-07-29 19:32:11 | Re: Relative security of Community repos and packages |
Previous Message | Stephen Frost | 2021-07-29 15:27:58 | Re: Relative security of Community repos and packages |