From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Security lessons from liblzma |
Date: | 2024-03-31 12:15:59 |
Message-ID: | 3b901431-2859-440a-9e7f-cc7b303fab83@joeconway.com |
Lists: | pgsql-hackers |

On 3/30/24 21:52, Bruce Momjian wrote:
> On Sat, Mar 30, 2024 at 07:54:00PM -0400, Joe Conway wrote:
>> Virtually every RPM source, including ours, contains out of tree patches
>> that get applied on top of the release tarball. At least for the PGDG
>> packages, it would be nice to integrate them into our git repo as build
>> options or whatever so that the packages could be built without any patches
>> applied to it. Add a tarball that is signed and traceable back to the git
>> tag, and we would be in a much better place than we are now.
>
> How would someone access the out-of-tree patches? I think Debian
> includes the patches in its source tarball.

I am saying maybe those patches should be eliminated in favor of our
tree including build options that would produce the same result.

For example, these patches are applied to our release tarball files when
the RPM is being built for pg16 on RHEL 9:

Nothing too crazy, but wouldn't it be better if no patches were required
at all?

Ideally we should have reproducible builds so that starting with our
tarball (which is traceable back to the git release tag) one can easily
obtain the same binary as what the RPMs/DEBs deliver.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com