Date: Tue, 19 Feb 2013 16:40:40 +0100
Subject: Re: [pgsql-pkg-debian] Re: We should not transition to apt.postgresql.org until we have a PPA
From: Magnus Hagander
To: Martin Pitt
Cc: Greg Smith, Bruce Momjian, Alvaro Herrera, Christoph Berg, Stefan Kaltenbrunner, Josh Berkus, PostgreSQL WWW, PostgreSQL in Debian, Tom Lane

On Tue, Feb 19, 2013 at 4:36 PM, Martin Pitt wrote:
> Magnus Hagander [2013-02-19 16:22 +0100]:
>> > The instructions at http://www.postgresql.org/download/linux/debian/ are a
>> > bit much right now, so some automation toward reducing them would be useful.
>
>> Yes. This is why we have multiple debian packaging experts in the
>> project. And also people who know some things about debian packages
>> and some things about usual customers, to bridge the gap ;)
>
> I think I can claim to have a sufficient understanding of how Debian
> and Ubuntu archives and packaging work to offer to write such a
> script. :-)

Most definitely. (BTW, this proves which debian packager wasn't in the
IRC channel at the time :P)

>> Just to keep people informed, the current plan which is the latest
>> conclusion in the IRC discussion amongst the packagers is:
>>
>> * Change the package pinning to be less conservative, and more with
>> what most people want. That will remove one step from the installation
>> instructions. Obviously this needs some lead time, but shouldn't be
>> too much.
>
> I'm very much in favor of this.
>
>> * Create an automated script that will set the repository up for
>> people. This can either be downloaded and run, or it can be downloaded
>> as a signed https download and piped directly to the shell for those
>> daring people who trust postgresql.org.
>
> My current idea is to ship both the GPG key and the script in the
> Debian/Ubuntu postgresql-common package. This closes the
> authentication loophole in the sense that you can trust to get the
> real postgresql archive if you trust that you have the real Debian
> archive, and it doesn't need scary "wget | sudo bash" hacks.

Unfortunately, it will take quite a while to propagate, no?

What we were considering was using a curl | sudo bash basically. It
will then be signed by our main SSL certificate, so that should be
almost as trustworthy as a package signature (ours would be
exploitable by somebody tricking a public CA into giving them a cert
for www.postgresql.org)

> So in theory this script could also set up the apt pinning, but I'd
> rather not, because (1) doing that automatically would be besides the
> point of having the pinning requirement in the first place, and (2)
> automatically doing this can potentially break an already existing
> (unrelated) apt pin configuration in "interesting" ways.

Yeah, +1.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
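
An added illustration of the trade-off discussed in this message (not code from the thread or from the PostgreSQL project): a download-verify-run wrapper that executes a setup script only if the complete file matches a SHA-256 digest obtained over an already-trusted channel, so a mis-issued TLS certificate alone is not enough to get code run as root. The function names and the stand-in setup script are constructed for the example.

```shell
#!/bin/sh
# Added example: fetch to a file, verify, then run, instead of piping a
# download straight into a root shell. In real use FILE would first be saved
# with something like `curl -fsS -o FILE URL`; here it is a constructed sample.

# Print the SHA-256 hex digest of a file (sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if FILE exists and its digest equals EXPECTED (64 hex chars).
verify_script() {
    vs_file=$1
    vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vs_file" ] || return 1
    [ "${#vs_expected}" -eq 64 ] || return 1
    vs_actual=$(sha256_of "$vs_file") || return 1
    [ "$vs_actual" = "$vs_expected" ]
}

# Run FILE with sh only after the complete file has been verified.
run_if_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: SHA-256 mismatch" >&2
        return 1
    fi
}

# Constructed demo: a stand-in setup script, then a tampered copy of it.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf 'echo "repository configured"\n' > "$demo_dir/setup.sh"
    demo_pin=$(sha256_of "$demo_dir/setup.sh")   # in real use: pinned out of band
    run_if_verified "$demo_dir/setup.sh" "$demo_pin"
    printf 'echo "injected"\n' >> "$demo_dir/setup.sh"
    run_if_verified "$demo_dir/setup.sh" "$demo_pin" || echo "tampered copy rejected"
    rm -rf "$demo_dir"
}
demo
```

The pinned digest is only as trustworthy as the channel it arrived over, which is the same dependency the quoted proposal places on the Debian archive.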