Re: Relative security of Community repos and packages

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Dave Cramer <davecramer(at)gmail(dot)com>, Christophe Pettus <xof(at)thebuild(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, pbj(at)cmicdo(dot)com, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Relative security of Community repos and packages
Date: 2021-07-29 15:27:58
Message-ID: 20210729152758.GG20766@tamriel.snowman.net
Lists: pgsql-www

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > Indeed, that comment didn’t seem to help clear things up. I’m guessing Dave
> > is referring to the fact that we have a separate “gitmaster” server, which
> > is also maintained by pginfra and is where committers actually push changes
> > to, and then that is mirrored to git.postgresql.org. I didn’t check which
> > repo the tarball building script pulls from (which is run on pginfra, in
> > case anyone is wondering about that) and perhaps it pulls from gitmaster
> > and not git.p.o.
>
> It does pull from gitmaster. There are multiple reasons for this design,
> but one is that a compromise of our public git server wouldn't imperil
> the contents of the official tarballs.

That doesn't do much for the large number of folks who use
git.postgresql.org or the github mirror though, unfortunately. Signed
commits, on the other hand, would help.

Thanks,

Stephen
