Re: Relative security of Community repos and packages

Sorry... forgot "Reply-all"

On Thursday, July 29, 2021, 3:32:33 PM EDT, Dave Cramer <davecramer(at)gmail(dot)com> wrote:  > On Thu, 29 Jul 2021 at 15:25, pbj(at)cmicdo(dot)com <pbj(at)cmicdo(dot)com> wrote:
 > On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
 >
 > > Greetings,
 > >
 > > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
 > > > Stephen Frost <sfrost(at)snowman(dot)net> writes:
 > > > > Indeed, that comment didn't seem to help clear things up. I'm guessing Dave
 > > > > is referring to the fact that we have a separate "gitmaster" server, which
 > > > > is also maintained by pginfra and is where committers actually push changes
 > > > > to, and then that is mirrored to git.postgresql.org.  I didn't check which
 > > > > repo the tarball building script pulls from (which is run on pginfra, in
 > > > > case anyone is wondering about that) and perhaps it pulls from gitmaster
 > > > > and not git.p.o.
 > > >
 > > > It does pull from gitmaster.  There are multiple reasons for this design,
 > > > but one is that a compromise of our public git server wouldn't imperil
 > > > the contents of the official tarballs.
 > >
 > > That doesn't do much for the large number of folks who use
 > > git.postgresql.org or the github mirror though, unfortunately.  Signed
 > > commits, on the other hand, would help.
 >
 > A slightly different tack on this question:  How quickly would you
 > notice that a rogue RPM had been inserted into the repo and then be
 > able to fix it?
 >
 >
 > By someone other than the trusted RPM builder ?
Yes.