From: | Pavel Raiskup <praiskup(at)redhat(dot)com> |
---|---|
To: | pgsql-jdbc(at)postgresql(dot)org |
Cc: | Vladimir Sitnikov <sitnikov(dot)vladimir(at)gmail(dot)com>, John R Pierce <pierce(at)hogranch(dot)com> |
Subject: | Re: Wrong link not pointing to the release tarball |
Date: | 2016-01-24 09:37:32 |
Message-ID: | 1803287.19C3NChQ4V@nb.usersys.redhat.com |
Lists: | pgsql-jdbc |
On Friday 22 of January 2016 22:44:00 Vladimir Sitnikov wrote:
> John>ok, thats fine.
> John>sorry, I thought you were referring to pulling the whole source out of git.
>
> The missing part is the checksum & gpg.
> In other words, you have no idea what should be the checksum of the
> "tarball" you are about to download.
Right, this really is the missing part -- especially the gpg signature.
Working with gpg should be a rather manual job anyway :/. It really
outweighs the benefits of automation.
Note that this thread grew from a simple request: Please fix the http
link. Now I would raise a humble request: Please don't change the release
tarball process. Optionally -- having a gpg signature would be a real improvement.
Pavel
> And you are not sure if the checksum itself came from a trusted source.
> Something like sha1sum.txt.asc should do the trick I suppose.
>
> Note: current https://jdbc.postgresql.org/download.html does not list
> checksums & signatures.
>
> I think I can configure addition of "sha1sum.txt.asc" files like in
> [1] to pgjdbc's releases page (see [2])
>
>
> Alternative source can be Maven Central (see [3]).
> It is a "standardized" repository with checksums and gpg signatures.
>
> However, if we pick Central as the source of the tarballs, then we'd
> better create yet another flavor of a tarball that would not include
> jar dependencies, etc, etc.
> In other words, "just a build-ready tarball" with no extra stuff.
> The drawback of that approach is that tarball would be a build
> artifact, and the upstream would never use it to produce "authentic"
> build artifacts.
>
>
> Any thoughts?
>
>
> [1]: https://github.com/syncthing/syncthing/releases
> [2]: https://github.com/pgjdbc/pgjdbc/releases
> [3]: https://oss.sonatype.org/content/repositories/releases/org/postgresql/postgresql/9.4.1207/
>
>
> Vladimir
>
>
>
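The sha1sum.txt.asc flow from the quoted message, written out as an added example that is not part of this thread or of the pgjdbc project: it assumes a GnuPG 2.x `gpg` and GNU `sha1sum`, and the pinned fingerprint, the keyring file and the file names are placeholders the person verifying supplies.

```shell
#!/bin/sh
# Added example, not pgjdbc project code: verify a release tarball against
# a clearsigned checksum list in the sha1sum.txt.asc style discussed above.
# Assumes GNU coreutils sha1sum and a GnuPG 2.x "gpg"; the fingerprint is
# a value the verifier pins in advance, not something fetched alongside.
set -eu

# Step 1: check the signature on the clearsigned list and extract the text.
# Only a VALIDSIG line from the pinned fingerprint is accepted: a plain
# "good signature" would be satisfied by any key present in the keyring.
verify_checksum_list() {
    asc=$1 expected_fpr=$2 keyring=$3 out=$4
    status=$(mktemp)
    gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
        --status-fd 3 --output "$out" --yes --decrypt "$asc" \
        3>"$status" >/dev/null 2>&1 || { rm -f "$status" "$out"; return 1; }
    if grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " "$status"; then
        rm -f "$status"
        return 0
    fi
    rm -f "$status" "$out"
    return 1
}

# Step 2: compare the tarball with the line in the verified list that names
# it. The filename must match exactly, so a checksum that belongs to a
# different artifact is never accepted, and an unlisted file is rejected.
verify_tarball_checksum() {
    tarball=$1 sums=$2
    name=$(basename "$tarball")
    lines=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print; f = 1 } END { exit !f }' "$sums") \
        || return 1
    (cd "$(dirname "$tarball")" && printf '%s\n' "$lines" | sha1sum -c --status -)
}

# Usage (placeholder names): verify_checksum_list sha1sum.txt.asc FPR keys.gpg sums.txt
#   && verify_tarball_checksum postgresql-jdbc-9.4.1207.src.tar.gz sums.txt
```

Verifying the signed list first and only then the tarball's own line is what answers the "did the checksum come from a trusted source" question; a checksum file fetched from the same place as the tarball proves nothing on its own.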