Date: Mon, 9 Jul 2012 16:02:35 +0100
Subject: Re: Linux Downloads page change
From: Dave Page
To: Simon Riggs
Cc: Devrim GÜNDÜZ, Magnus Hagander, Scott Mead, "pgsql-www@postgresql.org"

On Mon, Jul 9, 2012 at 3:50 PM, Simon Riggs wrote:
> On 9 July 2012 13:05, Dave Page wrote:
>
>> Right - that's more or less what's been discussed and agreed. The
>> issue with the installers that Magnus raised, is that at present I
>> manually push the canonical GIT repo to git.postgresql.org, and often
>> forget to do it until reminded. That was raised in response to my
>> comment that the OpenSCG build scripts are not currently public at all
>> as far as I could see, and should be if their work is to be listed on
>> postgresql.org's primary downloads page.
>
> It's not more or less. What you have said is not the same thing as I
> have requested.
>
> If it was done as I suggest, when you forget a step in the process
> then the process would fail.
>
> If you build from the public repo then you simply can't forget.

The security issue you quote is precisely why we built from the
canonical source, and not a secondary mirror. You also wouldn't see a
failure as you suggest - you'd probably see a successful build that
you later discover is missing recent bug fixes.

>>> Unverifiable binaries are a quality and security risk to the project.
>>
>> In theory. In practice it seems unlikely anyone would ever take the
>> time and energy to build them themselves and actually verify them -
>> the effort to do so would be huge (for example, assembling the 9.2
>> build machine for the installers and building all the necessary
>> dependencies for all the supported platforms etc. has so far taken a
>> number of man weeks). To verify the binaries we put out, someone would
>> have to build an exact mirror of that environment. That's not to say
>> it shouldn't be possible of course. In fact, it wouldn't even be
>> possible, as we digitally sign some of the executables to appease
>> Windows, and we obviously cannot share that certificate.
>
> I know multiple users (aside from 2ndQuadrant) that re-build their own
> binaries as a safety barrier in their release process, so I don't
> believe the effort level is that high, nor do I believe people won't
> do it. I take your point that it is maybe only 1% of people, but those
> are the ones that report all the bugs.

Well if you believe it's that easy, then I'd suggest you try for
yourself. Building the installers is *not* trivial, and building the
installers with an identical dependency tree to verify everything
we've built is a huge undertaking - and as I mentioned, not actually
possible on Windows because you would have no way to sign the binaries
you create with our certificate.

Note again though that we're talking *installers* here, and not RPMs
or other types of packages. The installers are *very* different from
other packages because we have to build so many of the dependencies
ourselves to ensure they'll run successfully on all the supported
platforms.

> The most important thing is that people can see the ingredients before
> they eat the food.

You're welcome to see the code - it's on git.postgresql.org. But that
doesn't mean it would be easy to build a bit-level verifiable copy of
our binaries.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company