Re: Relative security of Community repos and packages

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
Cc: "pbj(at)cmicdo(dot)com" <pbj(at)cmicdo(dot)com>, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Relative security of Community repos and packages
Date: 2021-07-28 21:02:55
Message-ID: CA+OCxoyBAML3dN+16_k9Fp-p5=r_-JSJWZEBSNMdf5C=qo_4OA@mail.gmail.com
Lists: pgsql-www

On Wed, 28 Jul 2021 at 19:57, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> wrote:

> On 7/28/21 11:26 AM, pbj(at)cmicdo(dot)com wrote:
> > I hope this is the right group for this question:
> >
> > Currently involved in a discussion about security of Postgres packages
> > from various sources. I'm strongly advocating that we get our packages
> > directly from PGDG.
> >
> > Would Postgres packages from Red Hat repos (and I guess we could include
> > EDB, 2nd Quadrant, Crunchy...) be considered more secure from being
> > hacked than those from the PGDG repos?
>
> I would think the weak point would be:
>
> https://www.postgresql.org/ftp/source/
>
> as I am pretty sure that is where packagers pull the starting code from.

No that is not the case, at least for community and EDB packages. It might
be the case for upstream distributors though (eg. OS vendors).

>
> > Thanks,
> > PJ
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com

--
Dave Page
https://pgsnake.blogspot.com

EDB Postgres
https://www.enterprisedb.com
