On 9 July 2012 13:05, Dave Page <dpage@pgadmin.org> wrote:
> Right - that's more or less what's been discussed and agreed. The
> issue with the installers that Magnus raised, is that at present I
> manually push the canonical GIT repo to git.postgresql.org, and often
> forget to do it until reminded. That was raised in response to my
> comment that the OpenSCG build scripts are not currently public at all
> as far as I could see, and should be if their work is to be listed on
> postgresql.org's primary downloads page.
It's not more or less. What you have said is not the same thing as I
have requested.
If it was done as I suggest, when you forget a step in the process
then the process would fail.
If you build from the public repo then you simply can't forget.
>> Unverifiable binaries are a quality and security risk to the project.
>
> In theory. In practice it seems unlikely anyone would ever take the
> time and energy to build them themselves and actually verify them -
> the effort to do so would be huge (for example, assembling the 9.2
> build machine for the installers and building all the necessary
> dependencies for all the supported platforms etc. has so far taken a
> number of man weeks). To verify the binaries we put out, someone would
> have to build an exact mirror of that environment. That's not to say
> it shouldn't be possible of course. In fact, it wouldn't even be
> possible, as we digitally sign some of the executables to appease
> Windows, and we obviously cannot share that certificate.
I know multiple users (aside from 2ndQuadrant) that re-build their own
binaries as a safety barrier in their release process, so I don't
believe the effort level is that high, nor do I believe people won't
do it. I take your point that it is maybe only 1% of people, but those
are the ones that report all the bugs.
The most important thing is that people can see the ingredients before
they eat the food.
-- Simon Riggs http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
