Re: Security lessons from liblzma

On Mon, Apr  1, 2024 at 03:17:55PM -0400, Tom Lane wrote:
> Bruce Momjian <bruce@momjian.us> writes:
> > I was more asking if users have access to patches so they could recreate
> > the build by using the Postgres git tree and supplied OS-specific
> > patches.
> 
> AFAIK, every open-source distro makes all the pieces needed to
> rebuild their packages available to users.  It wouldn't be much
> of an open-source situation otherwise.  You do have to learn
> their package build process.

I wasn't clear if all the projects provide a source tree that can be
verified against the project's source tree, and then independent
patches, or if the patches were integrated and therefore harder to
verify against the project source tree.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.