On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <sfrost@snowman.net> wrote:
> Greetings,
>
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > Stephen Frost <sfrost@snowman.net> writes:
> > > Indeed, that comment didn't seem to help clear things up. I'm guessing Dave
> > > is referring to the fact that we have a separate "gitmaster" server, which
> > > is also maintained by pginfra and is where committers actually push changes
> > > to, and then that is mirrored to git.postgresql.org. I didn't check which
> > > repo the tarball building script pulls from (which is run on pginfra, in
> > > case anyone is wondering about that) and perhaps it pulls from gitmaster
> > > and not git.p.o.
> >
> > It does pull from gitmaster. There are multiple reasons for this design,
> > but one is that a compromise of our public git server wouldn't imperil
> > the contents of the official tarballs.
>
> That doesn't do much for the large number of folks who use
> git.postgresql.org or the github mirror though, unfortunately. Signed
> commits, on the other hand, would help.
A slightly different tack on this question: How quickly would you notice that a rogue RPM had been inserted into the repo and then be able to fix it?
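As an added illustration of the detection question raised above (example code written for this page, not from the thread, from pginfra, or from any PostgreSQL tooling): a small audit that compares what a package repository actually serves against a manifest produced on the build host, and refuses to audit at all if the manifest itself does not verify. Everything here is constructed: the package names and bytes are made up, and an HMAC under a key that only the build host holds stands in for a GPG signature over real repository metadata.

```python
import hashlib
import hmac
import json

# Constructed example: package names and contents are made up, standing in
# for real RPM files. The build host computes digests of what it published.
AUTHORITATIVE_PACKAGES = {
    "postgresql14-server-14.0-1.el8.x86_64.rpm": b"constructed server package bytes",
    "postgresql14-libs-14.0-1.el8.x86_64.rpm": b"constructed libs package bytes",
}

# Assumption: the build host holds a secret key that the public repo host
# never sees; an HMAC over the manifest stands in for a GPG signature.
SIGNING_KEY = b"constructed-build-host-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict[str, bytes]) -> dict[str, str]:
    """Map each package file name to the SHA-256 of its contents."""
    return {name: sha256_hex(data) for name, data in packages.items()}


def canonical(manifest: dict[str, str]) -> bytes:
    # Sorted keys and fixed separators so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict[str, str], signature: str, key: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak anything.
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def audit_repo(manifest: dict[str, str], published: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare what the repo actually serves against the signed manifest.

    Returns files the build host never produced ("added"), files it produced
    that are no longer served ("removed"), and files whose bytes changed
    after publication ("modified").
    """
    observed = build_manifest(published)
    return {
        "added": sorted(set(observed) - set(manifest)),
        "removed": sorted(set(manifest) - set(observed)),
        "modified": sorted(
            name for name in manifest.keys() & observed.keys()
            if not hmac.compare_digest(manifest[name], observed[name])
        ),
    }


MANIFEST = build_manifest(AUTHORITATIVE_PACKAGES)
SIGNATURE = sign_manifest(MANIFEST, SIGNING_KEY)

# Constructed view of what the public repo currently serves: one package
# whose bytes differ from the build, plus one file the build host never made.
PUBLISHED_PACKAGES = dict(AUTHORITATIVE_PACKAGES)
PUBLISHED_PACKAGES["postgresql14-libs-14.0-1.el8.x86_64.rpm"] = b"tampered libs package bytes"
PUBLISHED_PACKAGES["postgresql14-contrib-14.0-1.el8.x86_64.rpm"] = b"package not in the manifest"

if __name__ == "__main__":
    if not verify_manifest(MANIFEST, SIGNATURE, SIGNING_KEY):
        raise SystemExit("manifest signature does not verify; refusing to audit")
    print(json.dumps(audit_repo(MANIFEST, PUBLISHED_PACKAGES), indent=2))
```

The point of the design is that the manifest is produced and signed on the host that built the packages, and the comparison runs on a host that is neither the build system nor the public mirror, so a compromise of the mirror alone can neither forge the manifest nor suppress the report. How quickly a rogue package is noticed then comes down to how often the audit is run; the audit itself is cheap enough to run on every sync.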