Re: Security lessons from liblzma - Mailing list pgsql-hackers

From Joe Conway
Subject Re: Security lessons from liblzma
Date
Msg-id 3b901431-2859-440a-9e7f-cc7b303fab83@joeconway.com
In response to Re: Security lessons from liblzma  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers
On 3/30/24 21:52, Bruce Momjian wrote:
> On Sat, Mar 30, 2024 at 07:54:00PM -0400, Joe Conway wrote:
>> Virtually every RPM source, including ours, contains out of tree patches
>> that get applied on top of the release tarball. At least for the PGDG
>> packages, it would be nice to integrate them into our git repo as build
>> options or whatever so that the packages could be built without any patches
>> applied to it. Add a tarball that is signed and traceable back to the git
>> tag, and we would be in a much better place than we are now.
> 
> How would someone access the out-of-tree patches?  I think Debian
> includes the patches in its source tarball.

I am saying maybe those patches should be eliminated in favor of our 
tree including build options that would produce the same result.

For example, these patches are applied to our release tarball files when 
the RPM is being built for pg16 on RHEL 9:

-----

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-rpm-pgsql.patch;h=d9b6d12b7517407ac81352fa325ec91b05587641;hb=HEAD

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-var-run-socket.patch;h=f2528efaf8f4681754b20283463eff3e14eedd39;hb=HEAD

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-conf.patch;h=da28ed793232316dd81fdcbbe59a6479b054a364;hb=HEAD

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-perl-rpath.patch;h=748c42f0ec2c9730af3143e90e5b205c136f40d9;hb=HEAD

-----

Nothing too crazy, but wouldn't it be better if no patches were required 
at all?

Ideally we should have reproducible builds so that starting with our 
tarball (which is traceable back to the git release tag) one can easily 
obtain the same binary as what the RPMs/DEBs deliver.

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
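Added example, not part of the thread or of any PostgreSQL tooling: a content-level comparison of a distributed source tarball against an archive produced from the git tag (for instance by `git archive`), in the spirit of the "tarball traceable back to the git tag" argument above. Mtimes, ownership and member order are ignored so that only real differences (files touched by out-of-tree patches, files that exist only in the release) are reported; the two archives and their file names are constructed inline for illustration.

```python
import hashlib
import io
import tarfile


def tree_fingerprint(tar_bytes: bytes) -> dict:
    """Map each regular file's path (leading prefix directory stripped) to a
    sha256 over its permission bits and contents. Mtime, uid/gid and member
    order are deliberately left out so archives of the same tree packed at
    different times still compare equal."""
    fp = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            h = hashlib.sha256(f"{m.mode & 0o777:o}\0".encode())
            h.update(tf.extractfile(m).read())
            fp[path] = h.hexdigest()
    return fp


def compare_trees(expected: dict, actual: dict) -> dict:
    """Classify differences between the tree at the git tag (expected) and
    the tree inside the shipped tarball (actual)."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "added": sorted(set(actual) - set(expected)),
        "modified": sorted(p for p in expected
                           if p in actual and expected[p] != actual[p]),
    }


def make_tarball(prefix: str, files: dict, mtime: int) -> bytes:
    """Build a constructed sample archive (stand-in for `git archive`
    output or for a release tarball)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size, info.mtime, info.mode = len(content), mtime, 0o644
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample trees: the release differs from the tag by one patched
# file and one file that only exists in the packaged tarball.
TAG_TREE = {"configure": b"#!/bin/sh\n", "src/main.c": b"int main(void){return 0;}\n"}
RELEASE_TREE = {"src/main.c": b"int main(void){return 1;}\n",
                "configure": b"#!/bin/sh\n", "extra.patch": b"--- a\n+++ b\n"}


def check_release() -> dict:
    """Fingerprint both constructed archives and report the differences."""
    expected = tree_fingerprint(make_tarball("pkg-1.0", TAG_TREE, 1700000000))
    actual = tree_fingerprint(make_tarball("pkg-1.0", RELEASE_TREE, 1700099999))
    return compare_trees(expected, actual)
```

An empty result from `compare_trees` is the condition the message asks for: the shipped tarball contains exactly the tree at the signed tag, with no patches applied on top.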