From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | "pbj(at)cmicdo(dot)com" <pbj(at)cmicdo(dot)com> |
Cc: | Dave Cramer <davecramer(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Christophe Pettus <xof(at)thebuild(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Relative security of Community repos and packages |
Date: | 2021-07-29 20:00:42 |
Message-ID: | 20210729200042.GH20766@tamriel.snowman.net |
Lists: | pgsql-www |
Greetings,
* pbj(at)cmicdo(dot)com (pbj(at)cmicdo(dot)com) wrote:
> On Thursday, July 29, 2021, 3:32:33 PM EDT, Dave Cramer <davecramer(at)gmail(dot)com> wrote:
> On Thu, 29 Jul 2021 at 15:25, pbj(at)cmicdo(dot)com <pbj(at)cmicdo(dot)com> wrote:
> > On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > > > Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > > > > Indeed, that comment didn't seem to help clear things up. I'm guessing Dave
> > > > > is referring to the fact that we have a separate "gitmaster" server, which
> > > > > is also maintained by pginfra and is where committers actually push changes
> > > > > to, and then that is mirrored to git.postgresql.org. I didn't check which
> > > > > repo the tarball building script pulls from (which is run on pginfra, in
> > > > > case anyone is wondering about that) and perhaps it pulls from gitmaster
> > > > > and not git.p.o.
> > > >
> > > > It does pull from gitmaster. There are multiple reasons for this design,
> > > > but one is that a compromise of our public git server wouldn't imperil
> > > > the contents of the official tarballs.
> > >
> > > That doesn't do much for the large number of folks who use
> > > git.postgresql.org or the github mirror though, unfortunately. Signed
> > > commits, on the other hand, would help.
> >
> > A slightly different tack on this question: How quickly would you
> > notice that a rogue RPM had been inserted into the repo and then be
> > able to fix it?
> >
> > By someone other than the trusted RPM builder ?
> Yes.
No idea, it really depends on a lot of factors such as exactly how it
was put in place and when it ends up being reported (and quite possibly
where, for that matter...). We do regularly re-sync from the primary FTP
server to the others, so it would also depend on which system was first
compromised - the build server, the FTP primary server, or one of the
other FTP servers. Also, while the pginfra team has members from a few
different timezones, we certainly don't have anything like 24/7/365
coverage. I'm sure there are things we could do to improve on this, but
we're also a volunteer group and there are only so many hours. We'd be
happy to chat with folks who are interested in helping. :)
Thanks,
Stephen
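The thread asks how quickly a rogue RPM dropped into a package repository (or one of its re-synced mirrors) would be noticed. One cheap detection that a mirror operator can run on a schedule is to compare what is physically on disk with what the repository's own metadata claims: any `.rpm` not listed in the metadata, any listed package whose checksum no longer matches, and any listed package that has vanished. The script below is an added example written for this discussion; it is not pginfra's tooling and does not describe how the PostgreSQL repositories are actually audited. It assumes a createrepo-style layout with an uncompressed `repodata/primary.xml` (real repositories ship `primary.xml.gz` referenced from `repomd.xml`; the file names, package names and payloads here are constructed for the demonstration).

```python
"""Audit a yum/dnf repository tree against its primary metadata.

Added example for the pgsql-www thread above, not pginfra's code.
Assumption: a createrepo-style tree with an uncompressed
repodata/primary.xml listing each package's location and sha256.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace used by createrepo's primary metadata.
NS = {"c": "http://linux.duke.edu/metadata/common"}


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_packages(primary_xml_path):
    """Map relative package path -> sha256 as recorded in primary.xml."""
    root = ET.parse(primary_xml_path).getroot()
    expected = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        checksum = pkg.find("c:checksum", NS)
        if checksum.get("type") != "sha256":
            raise ValueError(f"unsupported checksum type for {href}")
        expected[href] = checksum.text.strip()
    return expected


def audit_repo(repo_root):
    """Return (unlisted, mismatched, missing) lists of relative paths.

    unlisted:   .rpm files on disk that the metadata does not mention
    mismatched: listed packages whose on-disk sha256 differs from metadata
    missing:    listed packages with no file on disk
    """
    expected = expected_packages(
        os.path.join(repo_root, "repodata", "primary.xml"))
    on_disk = set()
    for dirpath, _, files in os.walk(repo_root):
        for name in files:
            if name.endswith(".rpm"):
                rel = os.path.relpath(os.path.join(dirpath, name), repo_root)
                on_disk.add(rel.replace(os.sep, "/"))
    listed = set(expected)
    unlisted = sorted(on_disk - listed)
    missing = sorted(listed - on_disk)
    mismatched = sorted(
        rel for rel in on_disk & listed
        if sha256_file(os.path.join(repo_root, rel)) != expected[rel])
    return unlisted, mismatched, missing


# Constructed metadata: two real packages plus one that is listed but absent.
PRIMARY_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="3">
  <package type="rpm"><name>example-a</name>
    <checksum type="sha256" pkgid="YES">{a}</checksum>
    <location href="Packages/example-a-1.0-1.noarch.rpm"/></package>
  <package type="rpm"><name>example-b</name>
    <checksum type="sha256" pkgid="YES">{b}</checksum>
    <location href="Packages/example-b-1.0-1.noarch.rpm"/></package>
  <package type="rpm"><name>example-c</name>
    <checksum type="sha256" pkgid="YES">{zeros}</checksum>
    <location href="Packages/example-c-1.0-1.noarch.rpm"/></package>
</metadata>
"""


def build_constructed_repo(root):
    """Write a toy repo, then simulate post-publication tampering."""
    pkgs = os.path.join(root, "Packages")
    os.makedirs(pkgs)
    os.makedirs(os.path.join(root, "repodata"))
    a = os.path.join(pkgs, "example-a-1.0-1.noarch.rpm")
    b = os.path.join(pkgs, "example-b-1.0-1.noarch.rpm")
    with open(a, "wb") as f:
        f.write(b"constructed payload A")
    with open(b, "wb") as f:
        f.write(b"constructed payload B")
    with open(os.path.join(root, "repodata", "primary.xml"), "w") as f:
        f.write(PRIMARY_TEMPLATE.format(
            a=sha256_file(a), b=sha256_file(b), zeros="0" * 64))
    # Tampering after the metadata was generated: modify one listed
    # package and drop in a file the metadata knows nothing about.
    with open(b, "wb") as f:
        f.write(b"modified after repodata was generated")
    with open(os.path.join(pkgs, "unlisted-9.9-1.noarch.rpm"), "wb") as f:
        f.write(b"not in primary.xml")


def demo():
    """Build the constructed repo in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    unlisted, mismatched, missing = demo()
    print("unlisted  :", unlisted)
    print("mismatched:", mismatched)
    print("missing   :", missing)
```

This only answers "does the tree agree with its metadata". It is meaningful on a mirror precisely because the mirror's metadata comes from the primary via re-sync; on the primary itself, an attacker who can write packages can usually rewrite `primary.xml` too, so the check has to start from an authenticated `repomd.xml` (verifying its detached signature against the repository signing key) rather than trusting whatever metadata sits on disk. Comparing the digest of `repomd.xml` across all mirrors and the primary is a similarly cheap way to notice that one host has drifted.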