Re: Relative security of Community repos and packages
From | Tom Lane |
---|---|
Subject | Re: Relative security of Community repos and packages |
Date | |
Msg-id | 605536.1627506840@sss.pgh.pa.us |
In reply to | Re: Relative security of Community repos and packages (Christophe Pettus <xof@thebuild.com>) |
List | pgsql-www |
Christophe Pettus <xof@thebuild.com> writes:
>> On Jul 28, 2021, at 14:02, Dave Page <dpage@pgadmin.org> wrote:
>> No that is not the case, at least for community and EDB packages. It might be the case for upstream distributors though (e.g. OS vendors).
> They all pull from the community Git repo, though, correct?

I do not think Red Hat does that; they prefer identifiable released tarballs. I've not worked there in nigh ten years, but I still see this in their PG specfile:

Source0: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2

and I clearly recall that there were cross-checks in their build process that tarball components of an SRPM matched what could be fetched from the stated URL. Maybe now they have a process that works with direct git pulls, but they're not using that method with us. Can't speak to non-RH-based distros.

regards, tom lane
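The cross-check Tom describes (the tarball shipped inside an SRPM must be the file the spec's Source0 URL names) can be reproduced outside Red Hat's build system. The script below is an added example, not Red Hat's or the PostgreSQL project's tooling: it parses the spec's tags, expands `%{version}` into the Source0 URL the way rpm resolves the `Version:` tag, checks that the shipped file name matches the URL's basename, and compares the file's SHA-256 with a digest pinned out of band (for example the digest published beside the tarball on the download server). The spec fragment, the version `13.3` and the tarball bytes are constructed for the example; only the Source0 line follows the one quoted in the message. No network access is needed.

```python
"""Verify that an SRPM's source tarball is the file named by Source0.

Added example (not Red Hat's build-system code).  Spec text, version and
tarball bytes are constructed inline so the check runs offline.
"""
import hashlib
import hmac
import posixpath
import re
from urllib.parse import urlparse

# Constructed spec fragment.  Source0 follows the line quoted in the message;
# Name/Version/Release are invented for the example.
SPEC_TEXT = """\
Name:     postgresql
Version:  13.3
Release:  1%{?dist}
Source0:  https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2
"""

# Constructed stand-in for the tarball bytes found inside the SRPM.
TARBALL_BYTES = b"constructed example payload, not a real tarball\n"

# %{name} or %{?name}; the '?' form expands to "" when undefined.
MACRO_RE = re.compile(r"%\{(\??)([A-Za-z_]\w*)\}")


def parse_spec(text):
    """Return the spec's 'Tag: value' pairs (Name, Version, Source0, ...)."""
    tags = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]\w*)\s*:\s*(.*?)\s*$", line)
        if m:
            tags[m.group(1)] = m.group(2)
    return tags


def expand_macros(value, tags):
    """Expand macros from the spec tags, case-insensitively, as rpm does for
    %{version} -> Version:.  An undefined non-optional macro raises instead of
    silently producing a URL for some other file."""
    lowered = {k.lower(): v for k, v in tags.items()}

    def sub(m):
        optional, name = m.group(1), m.group(2).lower()
        if name in lowered:
            return lowered[name]
        if optional:
            return ""
        raise KeyError("undefined macro %{" + m.group(2) + "}")

    return MACRO_RE.sub(sub, value)


def source_url(spec_text, tag="Source0"):
    """The fully expanded URL the spec says the source comes from."""
    tags = parse_spec(spec_text)
    return expand_macros(tags[tag], tags)


def url_basename(url):
    """File name component of the Source0 URL."""
    return posixpath.basename(urlparse(url).path)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_source(data, pinned_sha256):
    """Constant-time comparison of the shipped bytes against the pinned digest."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


def check_srpm_source(spec_text, shipped_name, shipped_bytes, pinned_sha256):
    """Run the whole cross-check; returns (url, name_matches, digest_matches).

    Both flags must be True for the SRPM to be accepted: a matching digest
    under a different file name is as suspicious as a wrong digest."""
    url = source_url(spec_text)
    name_ok = shipped_name == url_basename(url)
    digest_ok = verify_source(shipped_bytes, pinned_sha256)
    return url, name_ok, digest_ok


if __name__ == "__main__":
    # In practice the pinned digest is fetched out of band (e.g. the .sha256
    # published next to the tarball); here it is the digest of the constructed bytes.
    pinned = sha256_hex(TARBALL_BYTES)
    url, name_ok, digest_ok = check_srpm_source(
        SPEC_TEXT, "postgresql-13.3.tar.bz2", TARBALL_BYTES, pinned)
    print(url, name_ok, digest_ok)
```

The digest is the part that matters: the file name and URL only tell you which upstream artifact the package claims to be, while the pinned SHA-256 (obtained separately from the SRPM, never from inside it) is what ties the shipped bytes to that artifact.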