Date: Mon, 9 Jul 2012 13:05:54 +0100
Subject: Re: Linux Downloads page change
From: Dave Page
To: Simon Riggs
Cc: Devrim GÜNDÜZ, Magnus Hagander, Scott Mead, "pgsql-www@postgresql.org"

On Mon, Jul 9, 2012 at 12:41 PM, Simon Riggs wrote:
> On 9 July 2012 12:31, Devrim GÜNDÜZ wrote:
>>
>> Hi Simon,
>>
>> On Mon, 2012-07-09 at 12:25 +0100, Simon Riggs wrote:
>>
>>> I am discussing the relationship of SRPMs and RPMs, which is a valid
>>> point on this thread given the point that the RPMs and SRPMs have been
>>> mismatched for some time and that the current process calls for manual
>>> rather than automatic synchronisation.
>>
>> Which SRPMs are you talking about? Community SRPMs? If so, they have
>> been always available on the website. If you are talking about OpenSCG
>> RPMs, that is a different thing.
>
> My words were a little unclear all round, please accept my apologies.
>
> IMHO we should only list binaries on the postgresql.org website if
> they are derived from build information that is owned by the PGDG, or
> at very least publicly available at the time of the build and likely
> to remain so afterwards. That process should be automatic as far as
> possible, to minimise error, since the number of users of those
> binaries is now very large.

Right - that's more or less what's been discussed and agreed. The
issue with the installers that Magnus raised, is that at present I
manually push the canonical GIT repo to git.postgresql.org, and often
forget to do it until reminded. That was raised in response to my
comment that the OpenSCG build scripts are not currently public at all
as far as I could see, and should be if their work is to be listed on
postgresql.org's primary downloads page.

> Unverifiable binaries are a quality and security risk to the project.

In theory. In practice it seems unlikely anyone would ever take the
time and energy to build them themselves and actually verify them -
the effort to do so would be huge (for example, assembling the 9.2
build machine for the installers and building all the necessary
dependencies for all the supported platforms etc. has so far taken a
number of man weeks). To verify the binaries we put out, someone would
have to build an exact mirror of that environment. That's not to say
it shouldn't be possible of course.

In fact, it wouldn't even be possible, as we digitally sign some of
the executables to appease Windows, and we obviously cannot share that
certificate.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company