Re: Relative security of Community repos and packages

From: Dave Cramer <davecramer(at)gmail(dot)com>
To: "pbj(at)cmicdo(dot)com" <pbj(at)cmicdo(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Christophe Pettus <xof(at)thebuild(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Relative security of Community repos and packages
Date: 2021-07-29 19:32:11
Message-ID: CADK3HHKJZruzdUjsDUDVRosUNf5LGTO2CJnE9gsaDo_ghi_L-w@mail.gmail.com
Lists: pgsql-www

On Thu, 29 Jul 2021 at 15:25, pbj(at)cmicdo(dot)com <pbj(at)cmicdo(dot)com> wrote:

> On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
> > Greetings,
> >
> > * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > > Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > > > Indeed, that comment didn't seem to help clear things up. I'm guessing Dave
> > > > is referring to the fact that we have a separate "gitmaster" server, which
> > > > is also maintained by pginfra and is where committers actually push changes
> > > > to, and then that is mirrored to git.postgresql.org. I didn't check which
> > > > repo the tarball building script pulls from (which is run on pginfra, in
> > > > case anyone is wondering about that) and perhaps it pulls from gitmaster
> > > > and not git.p.o.
> > >
> > > It does pull from gitmaster. There are multiple reasons for this design,
> > > but one is that a compromise of our public git server wouldn't imperil
> > > the contents of the official tarballs.
> >
> > That doesn't do much for the large number of folks who use
> > git.postgresql.org or the github mirror though, unfortunately. Signed
> > commits, on the other hand, would help.
>
> A slightly different tack on this question: How quickly would you notice
> that a rogue RPM had been inserted into the repo and then be able to fix it?

By someone other than the trusted RPM builder?

Dave
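Noticing the planted RPM asked about above comes down to periodically reconciling what the repo directory actually serves against the package list in its repodata. The following is an added example, not code from this thread or from the PostgreSQL packaging infrastructure: it runs that reconciliation over a constructed repo state, where the package names, payload bytes and the planted file are all made up, and it assumes the repomd.xml signature has already been verified separately.

```python
from __future__ import annotations
import hashlib
import xml.etree.ElementTree as ET

# The namespace yum/dnf repodata primary.xml actually uses.
NS = {"c": "http://linux.duke.edu/metadata/common"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_primary_xml(packages: dict[str, bytes]) -> str:
    """Constructed stand-in for a repo's primary.xml (name -> payload bytes).
    Real repos sign repomd.xml, which carries this file's checksum."""
    entries = "".join(
        f'<package type="rpm"><checksum type="sha256" pkgid="YES">'
        f'{sha256_hex(data)}</checksum><location href="{name}"/></package>'
        for name, data in packages.items()
    )
    return f'<metadata xmlns="{NS["c"]}" packages="{len(packages)}">{entries}</metadata>'

def reconcile(primary_xml: str, served: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the RPM files actually served against the published package list.
    unlisted:   served but absent from metadata (an RPM planted in the repo directory)
    mismatched: listed, but sha256 differs from the published checksum (swapped body)
    missing:    listed, but no longer served"""
    expected = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        expected[href] = pkg.find("c:checksum", NS).text
    return {
        "unlisted": sorted(set(served) - set(expected)),
        "missing": sorted(set(expected) - set(served)),
        "mismatched": sorted(f for f in expected
                             if f in served and sha256_hex(served[f]) != expected[f]),
    }

# Constructed repo state: two legitimately published packages (payload bytes stand
# in for RPM contents), then a planted third file and one swapped body.
PUBLISHED = {
    "postgresql13-server-13.3-1.x86_64.rpm": b"constructed payload: server",
    "postgresql13-libs-13.3-1.x86_64.rpm": b"constructed payload: libs",
}
SERVED = dict(PUBLISHED)
SERVED["postgresql13-contrib-13.3-1.x86_64.rpm"] = b"planted, never in metadata"
SERVED["postgresql13-libs-13.3-1.x86_64.rpm"] = b"same name, different bytes"

if __name__ == "__main__":
    for kind, files in reconcile(build_primary_xml(PUBLISHED), SERVED).items():
        print(f"{kind}: {files}")
```

A planted RPM whose metadata was regenerated alongside it is only caught if the repomd.xml signature is checked first (what dnf's repo_gpgcheck does), so this reconciliation complements that signature check rather than replacing it.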
