> On 1 Apr 2026, at 17:36, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
>
> On Wed, Apr 1, 2026 at 6:58 AM Andres Freund <andres@anarazel.de> wrote:
>> I'm afraid the guy maintaining both IPC::Run [1] and IO::Tty has gone all in on AI
>> authored code. Both IPC::Run and IO::Tty have seen more merges in the last
>> week than in the 5 years before. Stuff getting merged left and right, with
>> failing tests to boot.
>>
>> If I wanted to do a supply chain attack on postgres, this would be the
>> way. Hijack IPC::Run, edit the commits locally on a committers machine before
>> push, to add a backdoor, celebrate.
>
> I did consider locking the exact version of IPC::Run during the NetBSD
> flake debacle [1], but abandoned it after the cross-platform pain... I
> believed signature verification was "good enough" at the time. Should
> we reconsider?
I think it makes sense to pin the versions of these modules, I personally have
them like that on my system to avoid surprises from package upgrades.
--
Daniel Gustafsson
