From: | Vladimir Sitnikov <sitnikov(dot)vladimir(at)gmail(dot)com> |
---|---|
To: | John R Pierce <pierce(at)hogranch(dot)com> |
Cc: | List <pgsql-jdbc(at)postgresql(dot)org> |
Subject: | Re: Wrong link not pointing to the release tarball |
Date: | 2016-01-22 19:44:00 |
Message-ID: | CAB=Je-GF+_=M8yTT1WwhhLVQAaEPS7kdiVxETDXGQ5SKsJfU8A@mail.gmail.com |
Lists: | pgsql-jdbc |
John>ok, that's fine.
John>sorry, I thought you were referring to pulling the whole source out of git.
The missing part is the checksum & gpg.
In other words, you have no idea what the checksum of the
"tarball" you are about to download should be.
And you are not sure if the checksum itself came from a trusted source.
Something like sha1sum.txt.asc should do the trick I suppose.
Note: current https://jdbc.postgresql.org/download.html does not list
checksums & signatures.
I think I can configure the addition of "sha1sum.txt.asc" files like in
[1] to pgjdbc's releases page (see [2]).
An alternative source could be Maven Central (see [3]).
It is a "standardized" repository with checksums and gpg signatures.
However, if we pick Central as the source of the tarballs, then we'd
better create yet another flavor of a tarball that would not include
jar dependencies, etc, etc.
In other words, "just a build-ready tarball" with no extra stuff.
The drawback of that approach is that tarball would be a build
artifact, and the upstream would never use it to produce "authentic"
build artifacts.
Any thoughts?
[1]: https://github.com/syncthing/syncthing/releases
[2]: https://github.com/pgjdbc/pgjdbc/releases
[3]: https://oss.sonatype.org/content/repositories/releases/org/postgresql/postgresql/9.4.1207/
Vladimir
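As an added example (not code from this thread or from pgjdbc), here is how a downloader would consume a clearsigned sha1sum.txt.asc of the kind proposed above: gpg must validate the signature and emit the signed payload before any checksum is parsed, and only then is the tarball's SHA-1 compared with the listed value. It assumes `gpg` on PATH with the release-signing key already imported; the file names and checksum lines used in testing are constructed.

```python
"""Consume a GPG-clearsigned checksum list (sha1sum.txt.asc) for a release tarball."""
import hashlib
import os
import string
import subprocess

def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA-1 and return the lower-case hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha1sum(1) lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # ' ' = text mode, '*' = binary mode marker
        if len(digest) != 40 or not all(c in string.hexdigits for c in digest) or not name:
            raise ValueError("malformed checksum line: %r" % line)
        sums[name] = digest.lower()
    return sums

def verified_sums_text(asc_path, gnupghome=None):
    """Let gpg check the clearsigned list and emit only the signed payload.
    gpg exits non-zero on a bad or unknown signature, so no checksum is read
    from the .asc unless it verified against a key already in the keyring
    (assumed: gpg on PATH, release-signing key imported). Do not feed the
    .asc straight to 'sha1sum -c': it skips the armor and would check against
    an unverified, possibly edited list."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    out = subprocess.run(["gpg", "--batch", "--output", "-", "--decrypt", asc_path],
                         capture_output=True, check=True, env=env)
    return out.stdout.decode()

def check_tarball(tarball_path, sums):
    """True if the tarball's SHA-1 equals the signed value listed for its name."""
    name = os.path.basename(tarball_path)
    if name not in sums:
        raise KeyError("%s is not in the signed checksum list" % name)
    return sha1_of(tarball_path) == sums[name]
```

The order is the point: `check_tarball(path, parse_sums(verified_sums_text("sha1sum.txt.asc")))` fails closed on a missing or bad signature before any digest is compared.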