Re: Relative security of Community repos and packages - Mailing list pgsql-www

From Stephen Frost
Subject Re: Relative security of Community repos and packages
Date
Msg-id CAOuzzgrwjGSpiuiAvo-naRYMQ+EESqyViNrYgv1D571Cy-sg9Q@mail.gmail.com
In response to Re: Relative security of Community repos and packages  (Dave Cramer <davecramer@gmail.com>)
Responses Re: Relative security of Community repos and packages  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-www
Greetings,

On Thu, Jul 29, 2021 at 07:38 Dave Cramer <davecramer@gmail.com> wrote:
On Thu, 29 Jul 2021 at 04:20, Dave Page <dpage@pgadmin.org> wrote:
On Wed, Jul 28, 2021 at 10:19 PM Stephen Frost <sfrost@snowman.net> wrote:
Greetings,

* Christophe Pettus (xof@thebuild.com) wrote:
> > On Jul 28, 2021, at 11:26, pbj@cmicdo.com wrote:
> > Currently involved in a discussion about security of Postgres packages from various sources.  I'm strongly advocating that we get our packages directly from PGDG.
> >
> > Would Postgres packages from Red Hat repos (and I guess we could include EDB, 2nd Quadrant, Crunchy...) be considered more secure from being hacked than those from the PGDG repos?
>
> While I have nothing bad to say about the other repo sources, every other repo (AFAIK) pulls from the community repos, so there's no reason that they would be *more* secure than the community sources.  The Infra team takes build chain and hosting security very seriously, and I would say that you are as safe with the community repos as you would be with any other source.

This strikes me as a rather confusing way of saying what is going on.

I'll try to clear it up a bit:

As far as I know, everyone pulls initially from the official source
repo, as Christophe says above, which is git.postgresql.org,

That is not correct; the official source tarballs are not built from there.

Now you have me curious. Where are they pulled from? I'm going to guess that we produce a tarball when we release?

Indeed, that comment didn’t seem to help clear things up. I’m guessing Dave is referring to the fact that we have a separate “gitmaster” server, which is also maintained by pginfra and is where committers actually push changes to, and then that is mirrored to git.postgresql.org.  I didn’t check which repo the tarball building script pulls from (which is run on pginfra, in case anyone is wondering about that) and perhaps it pulls from gitmaster and not git.p.o.

Not completely relevant when it comes to talking about where the rpm/deb packages are built, which is what I understood the original question to be about, but it’s a fair point to make about where the official tarball that ends up on ftp.postgresql.org comes from, assuming that’s actually what Dave Page was saying.  You’d have to ask the PGDG rpm/deb folks as to where they actually pull the source itself from; it might be the official tarball or could possibly be the git repo, I’d think.  Sounds like Red Hat and perhaps others use the official tarball.

Thanks,

Stephen
