Re: [pgsql-pkg-debian] Re: We should not transition to apt.postgresql.org until we have a PPA
From | Magnus Hagander |
---|---|
Subject | Re: [pgsql-pkg-debian] Re: We should not transition to apt.postgresql.org until we have a PPA |
Date | |
Msg-id | CABUevEzGrQ=0J8dw1fj=k-cVkzbgfnNOkwYTk_BK-zLu8P+wBA@mail.gmail.com |
In response to | Re: [pgsql-pkg-debian] Re: We should not transition to apt.postgresql.org until we have a PPA (Martin Pitt <mpitt@debian.org>) |
Responses | Re: [pgsql-pkg-debian] Re: We should not transition to apt.postgresql.org until we have a PPA |
List | pgsql-www |

On Tue, Feb 19, 2013 at 4:36 PM, Martin Pitt <mpitt@debian.org> wrote:
> Magnus Hagander [2013-02-19 16:22 +0100]:
>> > The instructions at http://www.postgresql.org/download/linux/debian/ are a
>> > bit much right now, so some automation toward reducing them would be useful.
>
>> Yes. This is why we have multiple debian packaging experts in the
>> project. And also people who know some things about debian packages
>> and some things about usual customers, to bridge the gap ;)
>
> I think I can claim to have a sufficient understanding of how Debian
> and Ubuntu archives and packaging work to offer to write such a
> script. :-)

Most definitely. (BTW, this proves which debian packager wasn't in the
IRC channel at the time :P)

>> Just to keep people informed, the current plan which is the latest
>> conclusion in the IRC discussion amongst the packagers is:
>>
>> * Change the package pinning to be less conservative, and more with
>> what most people want. That will remove one step from the installation
>> instructions. Obviously this needs some lead time, but shouldn't be
>> too much.
>
> I'm very much in favor of this.
>
>> * Create an automated script that will set the repository up for
>> people. This can either be downloaded and run, or it can be downloaded
>> as a signed https download and piped directly to the shell for those
>> daring people who trust postgresql.org.
>
> My current idea is to ship both the GPG key and the script in the
> Debian/Ubuntu postgresql-common package. This closes the
> authentication loophole in the sense that you can trust to get the
> real postgresql archive if you trust that you have the real Debian
> archive, and it doesn't need scary "wget | sudo bash" hacks.

Unfortunately, it will take quite a while to propagate, no?

What we were considering was using a curl | sudo bash basically.
It will then be signed by our main SSL certificate, so that should be
almost as trustworthy as a package signature (ours would be
exploitable by somebody tricking a public CA into giving them a cert
for www.postgresql.org)

> So in theory this script could also set up the apt pinning, but I'd
> rather not, because (1) doing that automatically would be besides the
> point of having the pinning requirement in the first place, and (2)
> automatically doing this can potentially break an already existing
> (unrelated) apt pin configuration in "interesting" ways.

Yeah, +1.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/