> On Jul 28, 2021, at 11:26, pbj@cmicdo.com wrote:
> Currently involved in a discussion about security of Postgres packages from various sources. I'm strongly advocating
thatwe get our packages directly from PGDG.
>
> Would Postgres packages from Red Hat repos (and I guess we could include EDB, 2nd Quadrant, Crunchy...) be considered
moresecure from being hacked than those from the PGDG repos?
While I have nothing bad to say about the other repo sources, every other repo (AFAIK) pulls from the community repos,
sothere's no reason that they would be *more* security than the community sources. The Infra team takes build chain
andhosting security very seriously, and I would say that you are as safe with the community repos as you would be with
anyother source.