From: | Dave Cramer <davecramer(at)gmail(dot)com> |
---|---|
To: | "pbj(at)cmicdo(dot)com" <pbj(at)cmicdo(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Christophe Pettus <xof(at)thebuild(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Relative security of Community repos and packages |
Date: | 2021-07-29 19:32:11 |
Message-ID: | CADK3HHKJZruzdUjsDUDVRosUNf5LGTO2CJnE9gsaDo_ghi_L-w@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
On Thu, 29 Jul 2021 at 15:25, pbj(at)cmicdo(dot)com <pbj(at)cmicdo(dot)com> wrote:
>
> On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <
> sfrost(at)snowman(dot)net> wrote:
>
> > Greetings,
> >
> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > > Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > > > Indeed, that comment didn't seem to help clear things up. I'm
> guessing Dave
> > > > is referring to the fact that we have a separate "gitmaster"
> server, which
> > > > is also maintained by pginfra and is where committers actually push
> changes
> > > > to, and then that is mirrored to git.postgresql.org. I didn't
> check which
> > > > repo the tarball building script pulls from (which is run on
> pginfra, in
> > > > case anyone is wondering about that) and perhaps it pulls from
> gitmaster
> > > > and not git.p.o.
> > >
> > > It does pull from gitmaster. There are multiple reasons for this
> design,
> > > but one is that a compromise of our public git server wouldn't imperil
> > > the contents of the official tarballs.
> >
> > That doesn't do much for the large number of folks who use
> > git.postgresql.org or the github mirror though, unfortunately. Signed
> > commits, on the other hand, would help.
>
> A slightly different tack on this question: How quickly would you notice
> that a rogue RPM had been inserted into the repo and then be able to fix it?
>
By someone other than the trusted RPM builder ?
Dave
From | Date | Subject | |
---|---|---|---|
Next Message | pbj@cmicdo.com | 2021-07-29 19:39:58 | Re: Relative security of Community repos and packages |
Previous Message | pbj@cmicdo.com | 2021-07-29 19:24:08 | Re: Relative security of Community repos and packages |