Re: Security lessons from liblzma

From: Joe Conway <mail(at)joeconway(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Andres Freund <andres(at)anarazel(dot)de>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Security lessons from liblzma
Date: 2024-03-31 12:15:59
Message-ID: 3b901431-2859-440a-9e7f-cc7b303fab83@joeconway.com
Lists: pgsql-hackers

On 3/30/24 21:52, Bruce Momjian wrote:
> On Sat, Mar 30, 2024 at 07:54:00PM -0400, Joe Conway wrote:
>> Virtually every RPM source, including ours, contains out of tree patches
>> that get applied on top of the release tarball. At least for the PGDG
>> packages, it would be nice to integrate them into our git repo as build
>> options or whatever so that the packages could be built without any patches
>> applied to it. Add a tarball that is signed and traceable back to the git
>> tag, and we would be in a much better place than we are now.
>
> How would someone access the out-of-tree patches? I think Debian
> includes the patches in its source tarball.

I am saying maybe those patches should be eliminated in favor of our
tree including build options that would produce the same result.

For example, these patches are applied to our release tarball files when
the RPM is being built for pg16 on RHEL 9:

-----
https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-rpm-pgsql.patch;h=d9b6d12b7517407ac81352fa325ec91b05587641;hb=HEAD

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-var-run-socket.patch;h=f2528efaf8f4681754b20283463eff3e14eedd39;hb=HEAD

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-conf.patch;h=da28ed793232316dd81fdcbbe59a6479b054a364;hb=HEAD

https://git.postgresql.org/gitweb/?p=pgrpms.git;a=blob;f=rpm/redhat/main/non-common/postgresql-16/main/postgresql-16-perl-rpath.patch;h=748c42f0ec2c9730af3143e90e5b205c136f40d9;hb=HEAD
-----

Nothing too crazy, but wouldn't it be better if no patches were required
at all?

Ideally we should have reproducible builds so that starting with our
tarball (which is traceable back to the git release tag) one can easily
obtain the same binary as what the RPMs/DEBs deliver.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
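The "traceable back to the git tag" check Joe describes, as an added example (not PostgreSQL project code): it compares a release tarball against the tree exported from the git tag (the second tarball is assumed to come from `git archive <tag>`) and reports files that only exist in the release, files only in the tag, and files whose content differs. The sample tarballs below are constructed in memory so the script runs offline; all file names in them are hypothetical.

```python
import hashlib
import io
import tarfile


def _digest_members(data: bytes) -> dict:
    """Map each regular file (leading directory stripped) to the SHA-256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            out[path] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out


def compare_tarball_to_tag(release_tar: bytes, tag_tar: bytes) -> dict:
    """Report how a release tarball diverges from the tree exported from the git tag."""
    rel, tag = _digest_members(release_tar), _digest_members(tag_tar)
    return {
        "only_in_release": sorted(set(rel) - set(tag)),   # generated or injected at release time
        "only_in_tag": sorted(set(tag) - set(rel)),       # dropped from the release
        "modified": sorted(p for p in set(rel) & set(tag) if rel[p] != tag[p]),
    }


def make_tar(prefix: str, files: dict) -> bytes:
    """Build a deterministic in-memory tarball (constructed sample input, fixed mtime 0)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: what the git tag exports ...
TAG_FILES = {
    "configure.ac": b"AC_INIT(pkg, 1.0)\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/build.m4": b"dnl original macro\n",
}
# ... versus a release tarball carrying a generated file and a silently altered macro.
RELEASE_FILES = dict(TAG_FILES, **{"configure": b"#!/bin/sh\n", "m4/build.m4": b"dnl altered macro\n"})

if __name__ == "__main__":
    result = compare_tarball_to_tag(make_tar("pkg-1.0", RELEASE_FILES), make_tar("pkg-1.0", TAG_FILES))
    for kind, paths in result.items():
        print(f"{kind}: {paths}")
```

Anything listed under `only_in_release` or `modified` is content a packager cannot trace to the signed tag and should be reviewed before the tarball is trusted.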
