From: | Dave Cramer <davecramer(at)gmail(dot)com> |
---|---|
To: | Dave Page <dpage(at)pgadmin(dot)org> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Christophe Pettus <xof(at)thebuild(dot)com>, pbj(at)cmicdo(dot)com, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Relative security of Community repos and packages |
Date: | 2021-07-29 11:38:07 |
Message-ID: | CADK3HHLy6b43PpGACZmuBQQYBC8TwtRQuO4Mwqe4=SezNE7fJA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-www |
On Thu, 29 Jul 2021 at 04:20, Dave Page <dpage(at)pgadmin(dot)org> wrote:
> Hi
>
> On Wed, Jul 28, 2021 at 10:19 PM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
>> Greetings,
>>
>> * Christophe Pettus (xof(at)thebuild(dot)com) wrote:
>> > > On Jul 28, 2021, at 11:26, pbj(at)cmicdo(dot)com wrote:
>> > > Currently involved in a discussion about security of Postgres
>> packages from various sources. I'm strongly advocating that we get our
>> packages directly from PGDG.
>> > >
>> > > Would Postgres packages from Red Hat repos (and I guess we could
>> include EDB, 2nd Quadrant, Crunchy...) be considered more secure from being
>> hacked than those from the PGDG repos?
>> >
>> > While I have nothing bad to say about the other repo sources, every
>> other repo (AFAIK) pulls from the community repos, so there's no reason
>> that they would be *more* security than the community sources. The Infra
>> team takes build chain and hosting security very seriously, and I would say
>> that you are as safe with the community repos as you would be with any
>> other source.
>>
>> This strikes me as a rather confusing way of saying what is going on.
>>
>> I'll try to clear it up a bit:
>>
>> As far as I know, everyone pulls initially from the official source
>> repo, as Christophe says above, which is git.postgresql.org,
>
>
> That is not correct; the official source tarballs are not built from there.
>
Now you have me curious. Where are they pulled from ? I'm going to guess
that we produce a tarball when we release ?
Dave Cramer
>
>
>
>
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2021-07-29 11:56:55 | Re: Relative security of Community repos and packages |
Previous Message | Dave Page | 2021-07-29 08:20:06 | Re: Relative security of Community repos and packages |