| From: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
|---|---|
| To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
| Cc: | Andres Freund <andres(at)anarazel(dot)de>, Nazir Bilal Yavuz <byavuz81(at)gmail(dot)com>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org> |
| Subject: | Re: Heads Up: cirrus-ci is shutting down June 1st |
| Date: | 2026-06-11 06:44:07 |
| Message-ID: | CAGECzQSd5o=RLig3LZXp5VZ_wNd6O6XJHR2Krcf7c2tTq-_WqA@mail.gmail.com |
| Lists: | pgsql-hackers |
On Thu, 11 Jun 2026 at 01:42, Jacob Champion
<jacob(dot)champion(at)enterprisedb(dot)com> wrote:
>
> On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <andres(at)anarazel(dot)de> wrote:
> > Isn't that a rather bogus complaint? After all, pacman is then used to install
> > a lot of stuff that's under control of the msys2/ org. And the github images
> > *also* install msys2 releases that are under control of the msys2/ org. So
> > what increase in safety are we gaining by implementing this ourselves?
>
> 1) It depends on whether you think it's as easy to poison upstream
> MSYS servers as it is to poison a mutable GitHub tag.
> 2) I think we should *also* move away from live installs of the latest
> versions of stuff, but that seems like a much heavier lift than just
> pinning a tag, which is easy.
>
> The goal isn't to completely avoid trusting any other software
> organizations, but to avoid letting a GitHub supply chain attack
> spread like wildfire.
I don't really understand what the actual problem is that you're trying to
protect against, i.e. what's the worst thing that a hostile takeover
of the msys github action (or any other action for that matter) can
result in?
We already allow anyone to run arbitrary CI on the postgresql-cfbot
repo by simply submitting a patch to the mailing list. This seems
fine, since we don't have any secrets associated with the repo.
Neither do we have any secrets on the postgres/postgres repo. Usually
what these attacks target is secrets used to deploy or publish releases.
Our repos don't do any of that.
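One concrete check that follows from the discussion above about mutable tags versus pinned refs, and about what a compromised action could reach, is added here as an example; it is not code from the thread or from the PostgreSQL project's CI. The script scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-hex commit SHA (a tag or branch can be moved by whoever controls the upstream repo, a SHA cannot), and reports whether the workflow declares a top-level `permissions:` block that restricts the default GITHUB_TOKEN. The workflow text is a constructed sample; `msys2/setup-msys2` is the real action name behind the "msys github action" mentioned in the thread, and the SHA given for it is a placeholder of zeros.

```python
import re

# Constructed sample workflow (not PostgreSQL's own CI configuration).
# The SHA on the msys2 step is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@0000000000000000000000000000000000000000  # v2.x (placeholder SHA)
        with:
          update: true
      - uses: ./.github/actions/local-helper
      - run: make check
"""

# Matches "- uses: owner/repo@ref" and captures the value up to whitespace/comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses_value):
    """Return 'local', 'docker', 'sha', 'tag' or 'unpinned' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"      # action checked in next to the workflow: versioned with the repo
    if uses_value.startswith("docker://"):
        return "docker"     # container refs have their own pinning rules (digests); not handled
    if "@" not in uses_value:
        return "unpinned"   # no ref at all
    _, ref = uses_value.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return "sha"        # immutable: the action contents cannot change under this ref
    return "tag"            # tag or branch: mutable, movable by whoever controls the action repo


def find_mutable_uses(workflow_text):
    """Return [(line_no, uses_value, kind)] for every `uses:` not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        kind = classify_ref(value)
        if kind in ("tag", "unpinned"):
            findings.append((n, value, kind))
    return findings


def has_toplevel_permissions(workflow_text):
    """Coarse check: does the workflow declare a top-level `permissions:` block?

    Without one, GITHUB_TOKEN gets the repository's default permissions, which is
    the main thing a hijacked action can reach in a repo that holds no other secrets.
    """
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


if __name__ == "__main__":
    for n, value, kind in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {value} ({kind} ref, mutable)")
    print("top-level permissions declared:", has_toplevel_permissions(SAMPLE_WORKFLOW))
```

On the sample, only `actions/checkout@v4` is reported: it rides a mutable tag, while the msys2 step is pinned to a commit and the local action is versioned with the repository itself. The permissions check is deliberately coarse (it does not parse the block's contents); it is meant to flag workflows that silently rely on the default token scope.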