Re: Relative security of Community repos and packages - Mailing list pgsql-www

From Stephen Frost
Subject Re: Relative security of Community repos and packages
Msg-id 20210728211902.GD20766@tamriel.snowman.net
In response to Re: Relative security of Community repos and packages  (Christophe Pettus <xof@thebuild.com>)
Responses Re: Relative security of Community repos and packages  (Dave Page <dpage@pgadmin.org>)
List pgsql-www
Greetings,

* Christophe Pettus (xof@thebuild.com) wrote:
> > On Jul 28, 2021, at 11:26, pbj@cmicdo.com wrote:
> > Currently involved in a discussion about security of Postgres packages from various sources.  I'm strongly
> > advocating that we get our packages directly from PGDG.
> >
> > Would Postgres packages from Red Hat repos (and I guess we could include EDB, 2nd Quadrant, Crunchy...) be
> > considered more secure from being hacked than those from the PGDG repos?
>
> While I have nothing bad to say about the other repo sources, every other repo (AFAIK) pulls from the community
> repos, so there's no reason that they would be *more* secure than the community sources.  The Infra team takes build
> chain and hosting security very seriously, and I would say that you are as safe with the community repos as you would be
> with any other source.

This strikes me as a rather confusing way of saying what is going on.

I'll try to clear it up a bit:

As far as I know, everyone pulls initially from the official source
repo, as Christophe says above, which is git.postgresql.org, which is
maintained by pginfra (a volunteer but trusted group of long time PG
contributors).  I'll note that there has been discussion about improving
the security of the git repo through the use of signed commits and such,
but that's clearly not done today as anyone can see.

There are organizations who further review every commit which is made to
that repo too and pull changes into their own git repos to do builds
from.

While the PGDG *binary/package* repos, which are hosted on
ftp.postgresql.org and friends, are maintained by the pginfra team, the
systems where the builds themselves are done are not maintained by
the pginfra team but by other PGDG volunteers.  If you're curious about
the security of those build systems, I'd suggest reaching out to the
appropriate mailing lists for the packages you're interested in and
asking there (or perhaps those volunteers will comment here).  Those
volunteers are also long time PostgreSQL contributors.

I do know that there are certainly organizations who perform their own
independent builds of PostgreSQL from the vetted and reviewed source
from their own trusted git mirror of the official repo on secured
hardware and then provide those trusted builds to their clients (in
fact, I suspect most of the organizations mentioned above do this...).

If you're curious about the security of packages provided by Red Hat, or
any other organization outside of PGDG, it would likely make sense to
ask them about their policies and approach.

Thanks,

Stephen (one of the pginfra team members, as is Christophe)

