Re: Relative security of Community repos and packages
| From | Stephen Frost |
|---|---|
| Subject | Re: Relative security of Community repos and packages |
| Date | |
| Msg-id | 20210729200042.GH20766@tamriel.snowman.net |
| In reply to | Re: Relative security of Community repos and packages ("pbj@cmicdo.com" <pbj@cmicdo.com>) |
| List | pgsql-www |
Greetings,

* pbj@cmicdo.com (pbj@cmicdo.com) wrote:
> On Thursday, July 29, 2021, 3:32:33 PM EDT, Dave Cramer <davecramer@gmail.com> wrote:
> On Thu, 29 Jul 2021 at 15:25, pbj@cmicdo.com <pbj@cmicdo.com> wrote:
> > On Thursday, July 29, 2021, 11:28:03 AM EDT, Stephen Frost <sfrost@snowman.net> wrote:
> > > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> > > > Stephen Frost <sfrost@snowman.net> writes:
> > > > > Indeed, that comment didn't seem to help clear things up. I'm guessing Dave
> > > > > is referring to the fact that we have a separate "gitmaster" server, which
> > > > > is also maintained by pginfra and is where committers actually push changes
> > > > > to, and then that is mirrored to git.postgresql.org. I didn't check which
> > > > > repo the tarball building script pulls from (which is run on pginfra, in
> > > > > case anyone is wondering about that) and perhaps it pulls from gitmaster
> > > > > and not git.p.o.
> > > >
> > > > It does pull from gitmaster. There are multiple reasons for this design,
> > > > but one is that a compromise of our public git server wouldn't imperil
> > > > the contents of the official tarballs.
> > >
> > > That doesn't do much for the large number of folks who use
> > > git.postgresql.org or the github mirror though, unfortunately. Signed
> > > commits, on the other hand, would help.
> >
> > A slightly different tack on this question: How quickly would you
> > notice that a rogue RPM had been inserted into the repo and then be
> > able to fix it?
> >
> > By someone other than the trusted RPM builder?
>
> Yes.

No idea, it really depends on a lot of factors such as exactly how it was
put in place and when it ends up being reported (and quite possibly where,
for that matter..). We do regularly re-sync from the primary FTP server to
the others, so it would also depend on which system was first compromised:
the build server, the ftp primary server, or one of the other ftp servers.

Also, while the pginfra team has members from a few different timezones, we
certainly don't have anything like 24/7/365 coverage. I'm sure there are
things we could do to improve on this, but we're also a volunteer group and
there are only so many hours. We'd be happy to chat with folks who are
interested in helping. :)

Thanks,

Stephen
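The "how quickly would you notice a rogue RPM" question above is, at bottom, a mirror-integrity check. As an added example that is not from this thread or from pginfra's own tooling, the Python below compares the `.rpm` files present on a mirror against a trusted copy of the repository's `primary.xml` (assumed to come from the primary server, not from the mirror being audited) and reports packages the metadata never listed, packages whose bytes differ from the recorded checksum, and packages that went missing; the sample mirror it builds is constructed for the demo.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace createrepo uses in primary.xml
NS = {"c": "http://linux.duke.edu/metadata/common"}

def trusted_packages(primary_xml: str) -> dict:
    """Map package href -> expected sha256, from a trusted primary.xml copy."""
    expected = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        checksum = pkg.find("c:checksum", NS)
        if checksum.get("type") != "sha256":
            raise ValueError(f"{href}: unsupported checksum type {checksum.get('type')}")
        expected[href] = checksum.text.strip()
    return expected

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_mirror(mirror_dir: str, primary_xml: str) -> dict:
    """Diff the RPMs on disk against the trusted metadata."""
    expected = trusted_packages(primary_xml)
    on_disk = {}
    for dirpath, _, files in os.walk(mirror_dir):
        for name in files:
            if name.endswith(".rpm"):
                full = os.path.join(dirpath, name)
                on_disk[os.path.relpath(full, mirror_dir)] = sha256_file(full)
    return {
        "unexpected": sorted(set(on_disk) - set(expected)),          # inserted, never listed
        "modified": sorted(h for h in expected if h in on_disk and on_disk[h] != expected[h]),
        "missing": sorted(set(expected) - set(on_disk)),
    }

def demo() -> dict:
    """Constructed mirror: one intact package, one with altered bytes, one rogue file."""
    d = tempfile.mkdtemp()
    good, original = b"constructed-good-rpm-bytes", b"constructed-original-bytes"
    xml = ('<metadata xmlns="http://linux.duke.edu/metadata/common">'
           '<package type="rpm"><checksum type="sha256" pkgid="YES">%s</checksum>'
           '<location href="pg-good.rpm"/></package>'
           '<package type="rpm"><checksum type="sha256" pkgid="YES">%s</checksum>'
           '<location href="pg-tampered.rpm"/></package></metadata>'
           % (hashlib.sha256(good).hexdigest(), hashlib.sha256(original).hexdigest()))
    for name, data in [("pg-good.rpm", good), ("pg-tampered.rpm", b"replaced"), ("rogue.rpm", b"x")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return audit_mirror(d, xml)
```

Run `demo()` to see the three findings; in practice the trusted `primary.xml` should be fetched and signature-checked from the primary server on a schedule, so drift on any mirror surfaces without waiting for a user report.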