Re: Relative security of Community repos and packages
| From | Stephen Frost |
|---|---|
| Subject | Re: Relative security of Community repos and packages |
| Date | |
| Msg-id | 20210728211902.GD20766@tamriel.snowman.net |
| In reply to | Re: Relative security of Community repos and packages (Christophe Pettus <xof@thebuild.com>) |
| Responses | Re: Relative security of Community repos and packages |
| List | pgsql-www |
Greetings,

* Christophe Pettus (xof@thebuild.com) wrote:
> > On Jul 28, 2021, at 11:26, pbj@cmicdo.com wrote:
> > Currently involved in a discussion about security of Postgres packages from various sources. I'm strongly advocating that we get our packages directly from PGDG.
> >
> > Would Postgres packages from Red Hat repos (and I guess we could include EDB, 2nd Quadrant, Crunchy...) be considered more secure from being hacked than those from the PGDG repos?
>
> While I have nothing bad to say about the other repo sources, every other repo (AFAIK) pulls from the community repos, so there's no reason that they would be *more* secure than the community sources. The Infra team takes build chain and hosting security very seriously, and I would say that you are as safe with the community repos as you would be with any other source.

This strikes me as a rather confusing way of saying what is going on. I'll try to clear it up a bit:

As far as I know, everyone pulls initially from the official source repo, as Christophe says above, which is git.postgresql.org, which is maintained by pginfra (a volunteer but trusted group of long time PG contributors). I'll note that there has been discussion about improving the security of the git repo through the use of signed commits and such, but that's clearly not done today as anyone can see. There are organizations who further review every commit which is made to that repo too and pull changes into their own git repos to do builds from.

While the PGDG *binary/package* repos, which are hosted on ftp.postgresql.org and friends, are maintained by the pginfra team, the systems where the builds themselves are done are not maintained by the pginfra team but by other PGDG volunteers. If you're curious about the security of those build systems, I'd suggest reaching out to the appropriate mailing lists for the packages you're interested in and asking there (or perhaps those volunteers will comment here). Those volunteers are also long time PostgreSQL contributors.

I do know that there are certainly organizations who perform their own independent builds of PostgreSQL from the vetted and reviewed source from their own trusted git mirror of the official repo on secured hardware and then provide those trusted builds to their clients (in fact, I suspect most of the organizations mentioned above do this). If you're curious about the security of packages provided by Red Hat, or any other organization outside of PGDG, it would likely make sense to ask them about their policies and approach.

Thanks,

Stephen (one of the pginfra team members, as is Christophe)