Subject: Re: Linux Downloads page change
From: Magnus Hagander
To: Dave Page
Cc: Simon Riggs, Devrim GÜNDÜZ, Scott Mead, pgsql-www@postgresql.org
Date: Mon, 9 Jul 2012 14:10:18 +0200
References: <1341692590.1122.1.camel@lenovo01-laptop03.gunduz.org> <2476F91B-A1B2-45DA-96EB-8F33C79A0E05@openscg.com> <1341781012.3451.0.camel@lenovo01-laptop03.gunduz.org> <1341833486.9579.8.camel@lenovo01-laptop03.gunduz.org>
X-Archive-Number: 201207/57
X-Sequence-Number: 20806

On Mon, Jul 9, 2012 at 2:05 PM, Dave Page wrote:
> On Mon, Jul 9, 2012 at 12:41 PM, Simon Riggs wrote:
>> On 9 July 2012 12:31, Devrim GÜNDÜZ wrote:
>>>
>>> Hi Simon,
>>>
>>> On Mon, 2012-07-09 at 12:25 +0100, Simon Riggs wrote:
>>>
>>>> I am discussing the relationship of SRPMs and RPMs, which is a valid
>>>> point on this thread given the point that the RPMs and SRPMs have been
>>>> mismatched for some time and that the current process calls for manual
>>>> rather than automatic synchronisation.
>>>
>>> Which SRPMs are you talking about? Community SRPMs? If so, they have
>>> been always available on the website. If you are talking about OpenSCG
>>> RPMs, that is a different thing.
>>
>> My words were a little unclear all round, please accept my apologies.
>>
>> IMHO we should only list binaries on the postgresql.org website if
>> they are derived from build information that is owned by the PGDG, or
>> at very least publicly available at the time of the build and likely
>> to remain so afterwards. That process should be automatic as far as
>> possible, to minimise error, since the number of users of those
>> binaries is now very large.
>
> Right - that's more or less what's been discussed and agreed. The
> issue with the installers that Magnus raised, is that at present I
> manually push the canonical GIT repo to git.postgresql.org, and often
> forget to do it until reminded. That was raised in response to my
> comment that the OpenSCG build scripts are not currently public at all
> as far as I could see, and should be if their work is to be listed on
> postgresql.org's primary downloads page.

FWIW, the listing they have *now* is clearly under "third party
distributions", so I don't think there's a problem with that one. It also
holds bitnami stuff. The point here is the *primary* download pages (I'll
make that plural since it was broken up a bit extra lately).

>> Unverifiable binaries are a quality and security risk to the project.
>
> In theory. In practice it seems unlikely anyone would ever take the
> time and energy to build them themselves and actually verify them -
> the effort to do so would be huge (for example, assembling the 9.2
> build machine for the installers and building all the necessary
> dependencies for all the supported platforms etc. has so far taken a
> number of man weeks). To verify the binaries we put out, someone would
> have to build an exact mirror of that environment. That's not to say
> it shouldn't be possible of course. In fact, it wouldn't even be
> possible, as we digitally sign some of the executables to appease
> Windows, and we obviously cannot share that certificate.

It should be possible, and it's a much smaller (though not necessarily
small) effort if you only want to verify *one* version on *one* platform
with *one* subset of modules.

-- 
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
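The exchange above turns on whether a third party could rebuild a published binary set and check it. The following is an added example, not code from the thread or from the PostgreSQL project, showing the comparison step of such a check: a published manifest of SHA-256 digests is compared against a locally rebuilt artifact tree, reporting matches, mismatches, files missing from the rebuild and files the rebuild produced but the publisher did not ship. It also handles the caveat Dave raises, that executables carrying a vendor code signature can never be byte-identical, by listing those separately instead of counting them as failures. All file names, contents and the signed-file list are constructed for the example; the functions `manifest`, `verify_rebuild` and `all_verified` are hypothetical helpers, not project tooling.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: names and byte contents are invented for this
# example and are not real PostgreSQL build artifacts.
PUBLISHED_ARTIFACTS = {
    "bin/postgres": b"constructed: postgres server binary v9.2",
    "bin/psql": b"constructed: psql client binary v9.2",
    "lib/libpq.so.5": b"constructed: libpq shared library",
    "bin/pg_dump.exe": b"constructed: pg_dump with embedded code signature",
}
REBUILT_ARTIFACTS = {
    "bin/postgres": b"constructed: postgres server binary v9.2",
    "bin/psql": b"constructed: psql client binary v9.2 (different compiler flag)",
    "bin/pg_dump.exe": b"constructed: pg_dump without code signature",
    "bin/initdb": b"constructed: initdb",
}
# Files the publisher signs with a private certificate; a rebuild cannot
# reproduce the signature, so these are reported separately (constructed list).
SIGNED_FILES = frozenset({"bin/pg_dump.exe"})


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def manifest(artifacts: dict) -> dict:
    """Map each artifact name to its digest, as a publisher would post it."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


@dataclass(frozen=True)
class VerifyReport:
    matched: tuple         # rebuilt bytes hash identically to the published ones
    mismatched: tuple      # rebuilt, but digest differs: needs investigation
    missing: tuple         # published, but the rebuild produced no such file
    extra: tuple           # rebuild produced it, publisher did not ship it
    signed_skipped: tuple  # carries a vendor signature; byte comparison is not meaningful


def verify_rebuild(published_manifest: dict, rebuilt: dict,
                   signed_files: frozenset = frozenset()) -> VerifyReport:
    """Compare a local rebuild against the published digest manifest."""
    matched, mismatched, missing, signed_skipped = [], [], [], []
    for name in sorted(published_manifest):
        if name in signed_files:
            # Signed executables differ by construction; record, do not fail.
            signed_skipped.append(name)
            continue
        if name not in rebuilt:
            missing.append(name)
            continue
        if sha256_hex(rebuilt[name]) == published_manifest[name]:
            matched.append(name)
        else:
            mismatched.append(name)
    extra = sorted(set(rebuilt) - set(published_manifest))
    return VerifyReport(tuple(matched), tuple(mismatched), tuple(missing),
                        tuple(extra), tuple(signed_skipped))


def all_verified(report: VerifyReport) -> bool:
    """True only if every unsigned published file was reproduced byte-for-byte."""
    return not (report.mismatched or report.missing)


def run_example() -> VerifyReport:
    """Run the comparison over the constructed sample data."""
    return verify_rebuild(manifest(PUBLISHED_ARTIFACTS), REBUILT_ARTIFACTS, SIGNED_FILES)


if __name__ == "__main__":
    report = run_example()
    for field in ("matched", "mismatched", "missing", "extra", "signed_skipped"):
        print(f"{field:15}: {', '.join(getattr(report, field)) or '-'}")
    print("verified:", all_verified(report))
```

Scoping the check to one version on one platform, as the reply suggests, means the manifest is small and every mismatch can be chased down individually; the signed-file list keeps the vendor-signature caveat from hiding real differences in the rest of the tree.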