Re: Relative security of Community repos and packages

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Dave Cramer <davecramer(at)gmail(dot)com>
Cc: Christophe Pettus <xof(at)thebuild(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, pbj(at)cmicdo(dot)com, "pgsql-www(at)lists(dot)postgresql(dot)org" <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Relative security of Community repos and packages
Date: 2021-07-29 11:56:55
Message-ID: CAOuzzgrwjGSpiuiAvo-naRYMQ+EESqyViNrYgv1D571Cy-sg9Q@mail.gmail.com
Lists: pgsql-www

Greetings,

On Thu, Jul 29, 2021 at 07:38 Dave Cramer <davecramer(at)gmail(dot)com> wrote:

> On Thu, 29 Jul 2021 at 04:20, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> On Wed, Jul 28, 2021 at 10:19 PM Stephen Frost <sfrost(at)snowman(dot)net>
>> wrote:
>>
>>> Greetings,
>>>
>>> * Christophe Pettus (xof(at)thebuild(dot)com) wrote:
>>> > > On Jul 28, 2021, at 11:26, pbj(at)cmicdo(dot)com wrote:
>>> > > Currently involved in a discussion about security of Postgres
>>> packages from various sources. I'm strongly advocating that we get our
>>> packages directly from PGDG.
>>> > >
>>> > > Would Postgres packages from Red Hat repos (and I guess we could
>>> include EDB, 2nd Quadrant, Crunchy...) be considered more secure from being
>>> hacked than those from the PGDG repos?
>>> >
>>> > While I have nothing bad to say about the other repo sources, every
>>> other repo (AFAIK) pulls from the community repos, so there's no reason
>>> that they would be *more* secure than the community sources. The Infra
>>> team takes build chain and hosting security very seriously, and I would say
>>> that you are as safe with the community repos as you would be with any
>>> other source.
>>>
>>> This strikes me as a rather confusing way of saying what is going on.
>>>
>>> I'll try to clear it up a bit:
>>>
>>> As far as I know, everyone pulls initially from the official source
>>> repo, as Christophe says above, which is git.postgresql.org,
>>
>>
>> That is not correct; the official source tarballs are not built from
>> there.
>>
>
> Now you have me curious. Where are they pulled from? I'm going to guess
> that we produce a tarball when we release?
>

Indeed, that comment didn’t seem to help clear things up. I’m guessing Dave
is referring to the fact that we have a separate “gitmaster” server, which
is also maintained by pginfra and is where committers actually push changes
to, and then that is mirrored to git.postgresql.org. I didn’t check which
repo the tarball building script pulls from (which is run on pginfra, in
case anyone is wondering about that) and perhaps it pulls from gitmaster
and not git.p.o.

Not completely relevant when it comes to talking about where the rpm/deb
packages are built, which is what I understood the original question to be
about, but it’s a fair point to make about where the official tarball that
ends up on ftp.postgresql.org comes from, assuming that’s actually what
Dave Page was saying. You’d have to ask the PGDG rpm/deb folks as to where
they actually pull the source itself from; it might be the official tarball or
could possibly be the git repo, I’d think. Sounds like Red Hat and perhaps
others use the official tarball.

Thanks,

Stephen

