Re: Relative security of Community repos and packages

Hi

On Wed, Jul 28, 2021 at 10:19 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Greetings,
>
> * Christophe Pettus (xof(at)thebuild(dot)com) wrote:
> > > On Jul 28, 2021, at 11:26, pbj(at)cmicdo(dot)com wrote:
> > > Currently involved in a discussion about security of Postgres packages
> from various sources. I'm strongly advocating that we get our packages
> directly from PGDG.
> > >
> > > Would Postgres packages from Red Hat repos (and I guess we could
> include EDB, 2nd Quadrant, Crunchy...) be considered more secure from being
> hacked than those from the PGDG repos?
> >
> > While I have nothing bad to say about the other repo sources, every
> other repo (AFAIK) pulls from the community repos, so there's no reason
> that they would be *more* security than the community sources. The Infra
> team takes build chain and hosting security very seriously, and I would say
> that you are as safe with the community repos as you would be with any
> other source.
>
> This strikes me as a rather confusing way of saying what is going on.
>
> I'll try to clear it up a bit:
>
> As far as I know, everyone pulls initially from the official source
> repo, as Christophe says above, which is git.postgresql.org,

That is not correct; the official source tarballs are not built from there.

Dave (also one of the sysadmin team members, as well as a packager)

--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com