Received: from magus.postgresql.org (magus.postgresql.org [87.238.57.229]) by mail.postgresql.org (Postfix) with ESMTP id 7170216FA501 for ; Mon, 9 Jul 2012 09:17:53 -0300 (ADT) Received: from mail-vc0-f174.google.com ([209.85.220.174]) by magus.postgresql.org with esmtp (Exim 4.72) (envelope-from ) id 1SoCuU-0004aL-Jd for pgsql-www@postgresql.org; Mon, 09 Jul 2012 12:17:52 +0000 Received: by vcbf11 with SMTP id f11so7239010vcb.19 for ; Mon, 09 Jul 2012 05:17:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=0NZeQZdkBmxXLqiSJ3NLYmyYQ+nzwTQCNXbrbMx8r70=; b=E3J3AFQwue2Qs4zxpwSCYfz2qduuxeAQl2N++qTty33oLfhUpfvOEhTpoHfe+OAgIM 3D5q7otF8cjcITScy/rIqOdJL5Y3wwDQvrQXd+plkTsdv+WH1wyNzHTdnWG7652JlRGi /fo4+qfFrrOtZzrmme5NGxQqiDUaxenDjCsseiqQ0DtidU8Sgn8jvS4qvWWrOH3TIEwj BMOx1cF7iLeytDa9Csjl74OdSWqj1HX75/6lvq7f8d1j1jAUKC4gLNDjkyiab58er0RZ aaTvplG5tkziJzlGidfrdAjMWHrZPARDMfb+unoBhKm4RCWMAHVnpzWH1oPlLty8MNf4 OpyA== MIME-Version: 1.0 Received: by 10.52.30.68 with SMTP id q4mr15856533vdh.131.1341836257014; Mon, 09 Jul 2012 05:17:37 -0700 (PDT) Received: by 10.52.182.168 with HTTP; Mon, 9 Jul 2012 05:17:36 -0700 (PDT) In-Reply-To: References: <1341692590.1122.1.camel@lenovo01-laptop03.gunduz.org> <2476F91B-A1B2-45DA-96EB-8F33C79A0E05@openscg.com> <1341781012.3451.0.camel@lenovo01-laptop03.gunduz.org> <1341833486.9579.8.camel@lenovo01-laptop03.gunduz.org> Date: Mon, 9 Jul 2012 13:17:36 +0100 Message-ID: Subject: Re: Linux Downloads page change From: Dave Page To: Magnus Hagander Cc: Simon Riggs , =?ISO-8859-1?Q?Devrim_G=DCND=DCZ?= , Scott Mead , "pgsql-www@postgresql.org" Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQm+8VCmjkGxxidgNuNurKUIDw25WyK8irEWih+J3947/Hp2zmb31eqqnHT56FMkcuXGjG7c X-Pg-Spam-Score: -2.6 (--) X-Archive-Number: 201207/58 X-Sequence-Number: 20807 On Mon, Jul 9, 2012 at 1:10 PM, Magnus Hagander wrote: > >> In theory. In practice it seems unlikely anyone would ever take the >> time and energy to build them themselves and actually verify them - >> the effort to do so would be huge (for example, assembling the 9.2 >> build machine for the installers and building all the necessary >> dependencies for all the supported platforms etc. has so far taken a >> number of man weeks). To verify the binaries we put out, someone would >> have to build an exact mirror of that environment. That's not to say >> it shouldn't be possible of course. In fact, it wouldn't even be >> possible, as we digitally sign some of the executables to appease >> Windows, and we obviously cannot share that certificate. > > It should be possible, and it's a much smaller (though not necessarily > small) effort if you only want to verify *one* version on *one* > platform with *one* subset of modules. Putting aside the signed binaries, which clearly cannot be reproduced bit-perfect, it's really not that much smaller - versions don't matter that much as we use the same env for each major version, and most packages are dependent on the server build, which requires the majority of dependencies. The only real time saver would be to only try to reproduce a subset of the supported platforms. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise PostgreSQL Company