Re: Relative security of Community repos and packages - Mailing list pgsql-www

From Dave Cramer
Subject Re: Relative security of Community repos and packages
Date
Msg-id CADK3HHLy6b43PpGACZmuBQQYBC8TwtRQuO4Mwqe4=SezNE7fJA@mail.gmail.com
In response to Re: Relative security of Community repos and packages  (Dave Page <dpage@pgadmin.org>)
Responses Re: Relative security of Community repos and packages  (Stephen Frost <sfrost@snowman.net>)
List pgsql-www


On Thu, 29 Jul 2021 at 04:20, Dave Page <dpage@pgadmin.org> wrote:
> Hi
>
> On Wed, Jul 28, 2021 at 10:19 PM Stephen Frost <sfrost@snowman.net> wrote:
> > Greetings,
> >
> > * Christophe Pettus (xof@thebuild.com) wrote:
> > > > On Jul 28, 2021, at 11:26, pbj@cmicdo.com wrote:
> > > > Currently involved in a discussion about security of Postgres packages from various sources.  I'm strongly advocating that we get our packages directly from PGDG.
> > > >
> > > > Would Postgres packages from Red Hat repos (and I guess we could include EDB, 2nd Quadrant, Crunchy...) be considered more secure from being hacked than those from the PGDG repos?
> > >
> > > While I have nothing bad to say about the other repo sources, every other repo (AFAIK) pulls from the community repos, so there's no reason that they would be *more* secure than the community sources.  The Infra team takes build chain and hosting security very seriously, and I would say that you are as safe with the community repos as you would be with any other source.
> >
> > This strikes me as a rather confusing way of saying what is going on.
> >
> > I'll try to clear it up a bit:
> >
> > As far as I know, everyone pulls initially from the official source
> > repo, as Christophe says above, which is git.postgresql.org,
>
> That is not correct; the official source tarballs are not built from there.

Now you have me curious. Where are they pulled from? I'm going to guess that we produce a tarball when we release?


Dave Cramer

