From: Jelte Fennema-Nio
Date: Fri, 27 Mar 2026 16:28:03 +0100
Subject: Re: Add "format" target to make and ninja to run pgindent and pgperltidy
To: Tom Lane
Cc: Peter Eisentraut, Andrew Dunstan, Ashutosh Bapat, PostgreSQL Hackers, Daniel Gustafsson

On Fri, 27 Mar 2026 at 15:55, Tom Lane wrote:
> We did not start expecting commits to be pgindent-clean until pgindent
> was integrated into our tree

Merging these commits does not mean we force committers to run perltidy
on every commit. That's a completely separate discussion that is not worth
having until after we make perltidy less of a pain to run. Even without
forcing committers to run perltidy I think 0007 and 0008 are still
beneficial.

> The 0008 patch doesn't fix that, and in fact I think it would be
> dangerous to even provide that script in our tree. It's a supply-
> chain attack waiting to happen.

I strongly disagree. Instead, I think our current pgindent README[1] is a
supply-chain attack waiting to happen.
Our pgindent README tells people to get a tar file from the CPAN website,
but WITHOUT the signature checks that the script in 0008 includes. These
added signature checks prevent it from being a supply chain risk.

> Even if it were guaranteed 100%
> secure, too many developers are subject to (perfectly reasonable)
> corporate security policies that would look with disfavor on
> unauthorized installation of Perl modules.

I'd be curious to know which committer is not allowed to download and run
a specific signature verified perl module, but is allowed to get the
latest postgres source code from main.

[1]: https://github.com/postgres/postgres/blob/9a9998163bda0d8c17d84ea22ced6a60f8018634/src/tools/pgindent/README#L18-L27

P.S. Reading your response, I cannot help but interpret it as an attempt
to sidestep any future discussion about always running perltidy, by
pre-emptively rejecting any and all improvements that would make
perltidy easier to run.
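
Added example, not part of the original message and not the script from patch 0008: the difference between unpacking a downloaded tarball as-is and refusing to unpack it unless it matches a value pinned in the tree. It assumes a pinned SHA-256 digest stands in for the signature checks the message refers to (which are not shown here); the function names `sha256_of` and `verify_and_unpack` are hypothetical.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against a pinned SHA-256
# digest before unpacking. The digest would be committed next to the
# script; names here are hypothetical, not taken from patch 0008.

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_unpack TARBALL EXPECTED_SHA256 DESTDIR
# Returns 0 only if the digest matches and no member escapes DESTDIR.
# Returns 1 on digest mismatch, 2 on unsafe member names; nothing is
# unpacked in either failure case.
verify_and_unpack() {
    tarball=$1 expected=$2 dest=$3
    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: got $actual" >&2
        return 1
    fi
    # Reject absolute paths and ".." components before extracting.
    if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2
        return 2
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}
```

The pinned digest only helps if it reaches the developer through the same reviewed channel as the source tree itself, which is the comparison the message draws with fetching main.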