Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tWBhN-00EpGF-Fj for pgsql-pkg-debian@arkaria.postgresql.org; Fri, 10 Jan 2025 09:53:02 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tWBhM-00EKO0-DZ for pgsql-pkg-debian@arkaria.postgresql.org; Fri, 10 Jan 2025 09:53:00 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tWBhM-00EKNs-26 for pgsql-pkg-debian@lists.postgresql.org; Fri, 10 Jan 2025 09:52:59 +0000 Received: from mail-pj1-x1033.google.com ([2607:f8b0:4864:20::1033]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1tWBhI-000rDa-3D for pgsql-pkg-debian@lists.postgresql.org; Fri, 10 Jan 2025 09:52:58 +0000 Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-2f43da61ba9so2500592a91.2 for ; Fri, 10 Jan 2025 01:52:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hagander.net; s=mail; t=1736502776; x=1737107576; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Z6pgqhQ61xDdmzSo/3r4+fiqQ7Qp32URjD0VRD1P6Z0=; b=IKIRjZGgPrxlzkoZy0kcrMxMEjadKcsSVstviK4yaZTduLxaGSOIJsIOy9vfCB2zqS u0wzDj9hXsj/1+8wDMUsuZg3rkwQtUD2xxRU2sA+icK+ncE3s3T/GTj0b/4N+kGId0h1 PNI6ufd5IFXsTI6PnDbPu/jsbe+7hPo8v18pLObfDeB+Fw5nJkMIpfEmUbb95eL6tHz0 J3glK2FfpSCjdLPNv2wojOSZbKaNZXJy/xy9Zzf/oCifegNvm95JpOS9Nbl64gkunP8s NpIbSotmagJV5mOYWrrckHE4udLNLlqx1FKRsM4kfHiQH3oBV/08++GOs47dmXogeWFl U7YA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736502776; x=1737107576; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Z6pgqhQ61xDdmzSo/3r4+fiqQ7Qp32URjD0VRD1P6Z0=; b=fIyaLe84tinwCX97dsk3Qmq2DODIJpVQiG0UWpgZE+auIQdaGGPneFXKuyQyfPM7PP 7RInTg5hMz5qLorgajwKChnJuxRyYeZoxyuIfDp8fjd+RndR0vkQwN6pxS0rfPFL8eov 92ez0ICOycEkUU7sXuA+E8vjRJUWtkUMAhag3jh8f+46SCHtqgCxM9NT4pyoMEZQxqLA 5IexITzJas1gQxLUqeBpje66C0Y7l045TFz25K9bEHGe+Cusgp1lftcMr3YYN9PDlm3E 5gHJWP3fLGyesjmKkJur7K+bgnm9PoQgJV66wjBa8l87hDl2ljSr1lpRul2v3sOzkysf Jb0A== X-Forwarded-Encrypted: i=1; AJvYcCXNc4Gc1uMkCQWyKHaioItsKD3LeKB7S+crWeLRsXRrVT7RXg1qF3jQblszCjXb6kvSL8UWab+bSNxuVi7+/rVm@lists.postgresql.org X-Gm-Message-State: AOJu0Yya/yc8BswYCv3IT5/L6NN1baJw/mEwiBZPlK8582wXXe3cxhS8 XGtdVPEnp89o65M22OCCzS0jZTYGXi+jme8xV32+eyez9iDFD+xNctGJD6DOVJ+XF0CZLtpivqw xgLT37tTfI0W9gecGKXjyGCHjMPAb9X/1Bxty X-Gm-Gg: ASbGncsNZW+LayG6VZvlbI20+57BgHU41YfuFMPv+OYrHWurAM5cNtcTJ4+Lmq8BQI2 EknNUiSI68qNKpzs5p1zBfNulKFncI45t3m5aHuE= X-Google-Smtp-Source: AGHT+IGtUTbfrNuEmPyCq0nIwF+UCmYP5kSNcX7Zg2AsZBd7QNzHxskyEcYNxR6hIlWMDOJPAWj4kskj6Mscc1a9X0w= X-Received: by 2002:a17:90b:524d:b0:2ee:aed2:c15c with SMTP id 98e67ed59e1d1-2f5490bd071mr14294113a91.28.1736502776162; Fri, 10 Jan 2025 01:52:56 -0800 (PST) MIME-Version: 1.0 References: <20250109005301.3b145092@jeremy-ThinkPad-T430s> <20250109090845.24e1df6e@jeremy-ThinkPad-T430s> In-Reply-To: From: Magnus Hagander Date: Fri, 10 Jan 2025 10:52:44 +0100 X-Gm-Features: AbW1kvYBn3DHrbrAvE-AB2b5r3m4Y5sk1UrUepXc7_-NQbjJrbb8pMxhROStZDc Message-ID: Subject: Re: deb package sizes To: =?UTF-8?B?w4FsdmFybyBIZXJuw6FuZGV6?= Cc: Jeremy Schneider , Christoph Berg , pgsql-pkg-debian@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000002005c1062b570f5f" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000002005c1062b570f5f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Jan 9, 2025 at 11:40=E2=80=AFPM =C3=81lvaro Hern=C3=A1ndez wrote: > > > On 9/1/25 18:08, Jeremy Schneider wrote: > > On Thu, 9 Jan 2025 17:06:57 +0100 > =C3=81lvaro Hern=C3=A1ndez wrote: > > > On 9/1/25 10:07, Christoph Berg wrote: > > Re: Jeremy Schneider > > I'm wondering if there might be any support for providing a > "postgresql-slim" package on PGDG which excludes llvm and python? I > think this might almost cut the total install size in half, and I > think there might be many users who would value having the option. > > > Hi, > > could you explain why 250 MB is too much? Disk space these days is > ultra cheap > > Hi Christoph. > > Container images allow (are meant to) contain only the necessary > files needed to run the process that will be run when the image is > run. As such, any additional file poses two main problems: > > * Disk space is cheap. Bandwidth not so much. Time to start a > > * Security analysis. Unneeded files (specially binaries, but not > > Another concern is the impact of image rebuilds as dependencies are > updated. Tianon (a primary maintainer of the docker images) has noted > that they limit frequency of the debian base containers, because every > rebuild of the base container triggers an avalance of downstream > rebuilds. CNPG was doing daily rebuilds for awhile, and every time any > python dependency was updated you'd get a new image - boto3 was > notorious for very frequent updates. So with a different image version > for every day, a single server running multiple copies of postgres might > easily end up with multiple image versions on the server as copies are > slowly updated. > > > I see this as a symptom of a different, bigger issue: that package > versions, and all transitive dependencies, should be version pinned when > building container images. I haven't seen too many examples of taking the > effort to do this. But it's the only way to have a way to re-run building > images and guarantee outputs that are reproducible. Once you have this in > place, you can decide how and when you upgrade which versions. > I'm guessing most container builders are just not interested in doing that much work. It's easier to just "always upgrade", but as noted that comes with a whole different set of problems. It's only really feasible if you manage to first reduce the set of dependencies substantially. > > Actually, even version pinning is not enough, unless the package > system guarantees that a version of a package is strictly immutable (and > AFAIK this is usually not the case). So digest pinning is essentially > required. > Debian (as this was talking about it) is actually doing a very good job ot that these days, though they're not there all the way. But https://tests.reproducible-builds.org/debian/reproducible.htmlshows they're doing really well. --=20 Magnus Hagander Me: https://www.hagander.net/ Work: https://www.redpill-linpro.com/ --0000000000002005c1062b570f5f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Thu, Jan 9, 2025 at 11:40=E2=80=AFPM = =C3=81lvaro Hern=C3=A1ndez <aht@ongres= .com> wrote:
<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft:1px solid rgb(204,204,204);padding-left:1ex"> =20 =20 =20


On 9/1/25 18:08, Jeremy Schneider wrote:
On Thu, 9 Jan 2025 17:06:57 +0100
=C3=81lvaro Hern=C3=A1ndez <aht@ongres.com> wrote:


On 9/1/25 10:07, Christoph Berg wrote:

Re: Jeremy Schneider =20

I'm wondering if there might be any support for provid=
ing a
"postgresql-slim" package on PGDG which excludes llvm and python?=
 I
think this might almost cut the total install size in half, and I
think there might be many users who would value having the option.
=20

Hi,

could you explain why 250 MB is too much? Disk space these days is
ultra cheap =20

 =C2=A0=C2=A0=C2=A0 Hi Christoph.

 =C2=A0=C2=A0=C2=A0 Container images allow (are meant to) contain only the =
necessary=20
files needed to run the process that will be run when the image is
run. As such, any additional file poses two main problems:

* Disk space is cheap. Bandwidth not so much. Time to start a

* Security analysis. Unneeded files (specially binaries, but not

Another concern is the impact of image rebuilds as dependencies =
are
updated. Tianon (a primary maintainer of the docker images) has noted
that they limit frequency of the debian base containers, because every
rebuild of the base container triggers an avalance of downstream
rebuilds. CNPG was doing daily rebuilds for awhile, and every time any
python dependency was updated you'd get a new image - boto3 was
notorious for very frequent updates. So with a different image version
for every day, a single server running multiple copies of postgres might
easily end up with multiple image versions on the server as copies are
slowly updated.

=C2=A0=C2=A0=C2=A0 I see this as a symptom of a different, bigger issue= : that package versions, and all transitive dependencies, should be version pinned when building container images. I haven't seen too many examples of taking the effort to do this. But it's the only way to have a way to re-run building images and guarantee outputs that are reproducible. Once you have this in place, you can decide how and when you upgrade which versions.

<= div>I'm guessing most container builders are just not interested in doi= ng that much work. It's easier to just "always upgrade", but = as noted that comes with a whole different set of problems. It's only r= eally feasible if you manage to first reduce the set of dependencies substa= ntially.

=C2=A0

=C2=A0=C2=A0=C2=A0 Actually, even version pinning is not enough, unless= the package system guarantees that a version of a package is strictly immutable (and AFAIK this is usually not the case). So digest pinning is essentially required.

Debian = (as this was talking about it) is actually doing a very good job ot that th= ese days, though they're not there all the way. But=C2=A0https://t= ests.reproducible-builds.org/debian/reproducible.htmlshows they're = doing really well.=C2=A0


--
--0000000000002005c1062b570f5f--