| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Christophe Pettus <xof(at)thebuild(dot)com> |
| Cc: | Dave Page <dpage(at)pgadmin(dot)org>, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, "pbj(at)cmicdo(dot)com" <pbj(at)cmicdo(dot)com>, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Relative security of Community repos and packages |
| Date: | 2021-07-28 21:14:00 |
| Message-ID: | 605536.1627506840@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
Christophe Pettus <xof(at)thebuild(dot)com> writes:
>> On Jul 28, 2021, at 14:02, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>> No that is not the case, at least for community and EDB packages. It might be the case for upstream distributors though (eg. OS vendors).
> They all pull from the community Git repo, though, correct?
I do not think Red Hat does that; they prefer identifiable released
tarballs. I've not worked there in nigh ten years, but I still see
this in their PG specfile:
Source0: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2
and I clearly recall that there were cross-checks in their build process
that tarball components of an SRPM matched what could be fetched from
the stated URL. Maybe now they have a process that works with direct git
pulls, but they're not using that method with us.
Can't speak to non-RH-based distros.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2021-07-28 21:19:02 | Re: Relative security of Community repos and packages |
| Previous Message | Christophe Pettus | 2021-07-28 21:04:02 | Re: Relative security of Community repos and packages |