Re: Linux Downloads page change

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Scott Mead <scottm(at)openscg(dot)com>, "pgsql-www(at)postgresql(dot)org" <pgsql-www(at)postgresql(dot)org>
Subject: Re: Linux Downloads page change
Date: 2012-07-09 14:50:22
Message-ID: CA+U5nMJK9tqQ8L299nuZw_hrL-4COy1CnWdJAXSrczzNyqfqRg@mail.gmail.com
Lists: pgsql-www

On 9 July 2012 13:05, Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Right - that's more or less what's been discussed and agreed. The
> issue with the installers that Magnus raised, is that at present I
> manually push the canonical GIT repo to git.postgresql.org, and often
> forget to do it until reminded. That was raised in response to my
> comment that the OpenSCG build scripts are not currently public at all
> as far as I could see, and should be if their work is to be listed on
> postgresql.org's primary downloads page.

It's not more or less. What you have said is not the same thing as I
have requested.

If it was done as I suggest, when you forget a step in the process
then the process would fail.

If you build from the public repo then you simply can't forget.

>> Unverifiable binaries are a quality and security risk to the project.
>
> In theory. In practice it seems unlikely anyone would ever take the
> time and energy to build them themselves and actually verify them -
> the effort to do so would be huge (for example, assembling the 9.2
> build machine for the installers and building all the necessary
> dependencies for all the supported platforms etc. has so far taken a
> number of man weeks). To verify the binaries we put out, someone would
> have to build an exact mirror of that environment. That's not to say
> it shouldn't be possible of course. In fact, it wouldn't even be
> possible, as we digitally sign some of the executables to appease
> Windows, and we obviously cannot share that certificate.

I know multiple users (aside from 2ndQuadrant) that re-build their own
binaries as a safety barrier in their release process, so I don't
believe the effort level is that high, nor do I believe people won't
do it. I take your point that it is maybe only 1% of people, but those
are the ones that report all the bugs.

The most important thing is that people can see the ingredients before
they eat the food.

--
Simon Riggs http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
