public inbox for [email protected]
help / color / mirror / Atom feedFrom: Magnus Hagander <[email protected]>
To: Dave Page <[email protected]>
Cc: Simon Riggs <[email protected]>
Cc: Devrim GÜNDÜZ <[email protected]>
Cc: Scott Mead <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Linux Downloads page change
Date: Mon, 9 Jul 2012 14:10:18 +0200
Message-ID: <CABUevEwCpo1zXbS62fpRNDJEJi_qvRLoEJjKjFb24E1M6eyE_A@mail.gmail.com> (raw)
In-Reply-To: <CA+OCxozWwq4Hy-=epq2bn5StPVJ0PSt_Ejx0SDBd_Brcmtf63g@mail.gmail.com>
References: <CAKq0gvKgeckkBa0xm6xsrmNvk=Cm6zPP4n1O3CQCvDUvCYCs8w@mail.gmail.com>
<CABUevEyONmEeqwU4VJgs8vTV3yW3dsNLPiFfPnAKJOCLgYbvYA@mail.gmail.com>
<CAKq0gvL-s4_Mk0ztGh+yywH5v4Jvnm2Fs2k-gq2wcrW+kfY2xQ@mail.gmail.com>
<[email protected]>
<[email protected]>
<[email protected]>
<CA+OCxoxExqHx_ZNRpvmJpVoNCOa9yO4C3HTZ4Ob7e32Wn2+fcQ@mail.gmail.com>
<CABUevEzm09To=uzW=+F==G98HK2YZNXsXwv+NW-7uOgqGLOxoQ@mail.gmail.com>
<CA+OCxox1pCaXvOeVmv0gECbXsOqGeXQL-O2QsyWmFS9ZvCkjbg@mail.gmail.com>
<CABUevEx_7-Xm+z5oc+61TuHzSbu34fWAKiRxAXjGwfCzff=OZA@mail.gmail.com>
<CA+OCxoyGPVRQ+1tnxGuFS1JACr1QJUchS90qxXHuN_YTUNj8QA@mail.gmail.com>
<CA+U5nMK86koEcfkBwUWRPqGTT1b8Qjp3hN=pk3to+kqaUoWp=w@mail.gmail.com>
<CA+OCxoxxW3EOoLpWuTk=GW2Hr-Z+8m0_oN2QUQCMpVss6R+DDw@mail.gmail.com>
<CA+U5nMKyzv6B7ywGv8BLfwig1wgimp0keo9rKUpaLpnANuiH+w@mail.gmail.com>
<[email protected]>
<CA+U5nMJqmeepcZ1vg24UrHHtKC+zXjgSy-u-peRmJNW2EFJy-A@mail.gmail.com>
<CA+OCxozWwq4Hy-=epq2bn5StPVJ0PSt_Ejx0SDBd_Brcmtf63g@mail.gmail.com>
On Mon, Jul 9, 2012 at 2:05 PM, Dave Page <[email protected]> wrote:
> On Mon, Jul 9, 2012 at 12:41 PM, Simon Riggs <[email protected]> wrote:
>> On 9 July 2012 12:31, Devrim GÜNDÜZ <[email protected]> wrote:
>>>
>>> Hi Simon,
>>>
>>> On Mon, 2012-07-09 at 12:25 +0100, Simon Riggs wrote:
>>>
>>>> I am discussing the relationship of SRPMs and RPMs, which is a valid
>>>> point on this thread given the point that the RPMs and SRPMs have been
>>>> mismatched for some time and that the current process calls for manual
>>>> rather than automatic synchronisation.
>>>
>>> Which SRPMs are you talking about? Community SRPMs? If so, they have
>>> been always available on the website. If you are talking about OpenSCG
>>> RPMs, that is a different thing.
>>
>> My words were a little unclear all round, please accept my apologies.
>>
>> IMHO we should only list binaries on the postgresql.org website if
>> they are derived from build information that is owned by the PGDG, or
>> at very least publicly available at the time of the build and likely
>> to remain so afterwards. That process should be automatic as far as
>> possible, to minimise error, since the number of users of those
>> binaries is now very large.
>
> Right - that's more or less what's been discussed and agreed. The
> issue with the installers that Magnus raised, is that at present I
> manually push the canonical GIT repo to git.postgresql.org, and often
> forget to do it until reminded. That was raised in response to my
> comment that the OpenSCG build scripts are not currently public at all
> as far as I could see, and should be if their work is to be listed on
> postgresql.org's primary downloads page.
FWIW, the listing they have *now* is cleraly under "third party
distributions", so I don't think there's a problem with that one. It
also holds bitnami stuff. The point here is the *primary* download
pages (i'll make that plural since it was broken up a bit extra
lately).
>> Unverifiable binaries are a quality and security risk to the project.
>
> In theory. In practice it seems unlikely anyone would ever take the
> time and energy to build them themselves and actually verify them -
> the effort to do so would be huge (for example, assembling the 9.2
> build machine for the installers and building all the necessary
> dependencies for all the supported platforms etc. has so far taken a
> number of man weeks). To verify the binaries we put out, someone would
> have to build an exact mirror of that environment. That's not to say
> it shouldn't be possible of course. In fact, it wouldn't even be
> possible, as we digitally sign some of the executables to appease
> Windows, and we obviously cannot share that certificate.
It should be possible, and it's a much smaller (though not necessarily
small) effort if you only want to verify *one* version on *one*
platform with *one* subset of modules.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
view thread (56+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Linux Downloads page change
In-Reply-To: <CABUevEwCpo1zXbS62fpRNDJEJi_qvRLoEJjKjFb24E1M6eyE_A@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox