Re: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g. -fcf-protection=full

From: Matthias van de Meent <boekewurm+postgres(at)gmail(dot)com>
To: Hans Buschmann <buschmann(at)nidsa(dot)net>
Cc: Peter Eisentraut <peter(at)eisentraut(dot)org>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g. -fcf-protection=full
Date: 2026-07-08 15:49:16
Message-ID: CAEze2WjW5=hsvv3TryLqM8cnvaoPA6rT5aROD85vsbOaqcCEgQ@mail.gmail.com
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Hi Hans,

On Wed, 8 Jul 2026 at 13:24, Hans Buschmann <buschmann(at)nidsa(dot)net> wrote:
>
> Thank you for pointing me to the pg_config options. I didn't know and will take a look.

No problem!

> > If the normal user cannot handle compiler options, then should they
> > really be self-compiling PostgreSQL with custom compiler options, for
> > a platform that already has pre-compiled binary distributions?
>
> As already mentioned in my original post, there are some cases a "normal" user (in my terminology it is a db responsible not experienced with C programming practice) may use a manual recompile:
>
> The user should be able to recompile the package (which is really very easy with meson after some setup of developer packages) without deeper knowledge of C programming with the original configuration of the distribution.

I agree, and generally, they are able to do that when they have the
original configuration of the distribution.

However, what you're asking here is that we, in the postgresql.git
repository, supply "the original configuration of the distribution".
That's not part of the scope of the postgresql.git repository.
Packagers are downstream consumers of our repository, and their
specific configurations are therefore not part of the main PG git
repository.

If you have problems with PGDG's binary distributions, or otherwise
questions (e.g. how to build your own binaries in a way that's
compatible with distributed versions), there are various channels you
can use to contact the packagers. For example, the apt repo's
maintainers can be contacted with the details found at
https://apt.postgresql.org#Contact

Kind regards,

Matthias van de Meent
Databricks (https://www.databricks.com)

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Heikki Linnakangas 2026-07-08 15:49:47 Re: Can we get rid of TerminateThread() in pg_dump?
Previous Message Zsolt Parragi 2026-07-08 15:42:03 Re: Proposal: new file format for hba/ident/hosts configuration?