Re: Heads Up: cirrus-ci is shutting down June 1st

From: Andres Freund <andres(at)anarazel(dot)de>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: Nazir Bilal Yavuz <byavuz81(at)gmail(dot)com>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>, Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>, Peter Eisentraut <peter(at)eisentraut(dot)org>
Subject: Re: Heads Up: cirrus-ci is shutting down June 1st
Date: 2026-06-11 13:09:34
Message-ID: kijidr5xkcxsxe26ywy5kyplzsqm4j3eynqfgspu6gbcsj6beh@q6adrvdncsd6
Lists: pgsql-hackers

Hi,

On 2026-06-10 16:42:22 -0700, Jacob Champion wrote:
> On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <andres(at)anarazel(dot)de> wrote:
> > Isn't that a rather bogus complaint? After all, pacman is then used to install
> > a lot of stuff that's under control of the msys2/ org. And the github images
> > *also* install msys2 releases that are under control of the msys2/ org. So
> > what increase in safety are we gaining by implementing this ourselves?
>
> 1) It depends on whether you think it's as easy to poison upstream
> MSYS servers as it is to poison a mutable GitHub tag.

It's just as easy I think.

> 2) I think we should *also* move away from live installs of the latest
> versions of stuff, but that seems like a much heavier lift than just
> pinning a tag, which is easy.

I think you maybe underestimate the noise of constant "bump version of xyz"
commits across N branches.

> The goal isn't to completely avoid trusting any other software
> organizations, but to avoid letting a GitHub supply chain attack
> spread like wildfire.

I guess I just don't see the supply chain danger here. This is for testing,
not for making releases. What's the threat model in which attacking postgres'
CI helps you spread the attack further?

Greetings,

Andres Freund
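A small check for the "mutable GitHub tag" risk Jacob raises, added here as an example and not code from the thread or from PostgreSQL's own CI: it pulls `uses:` references out of a workflow file and reports the remote actions that are resolved by a movable tag or branch rather than a full commit SHA. The workflow snippet, action names and SHA below are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the thread): one step pinned to a
# 40-hex commit SHA, two resolved by tag/branch names that the owning repo
# can move, plus a local action and a docker image that are not remote refs.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: msys2/setup-msys2@main
"""

# Matches the reference following `uses:` on each line of the workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
# A full commit SHA: 40 lowercase hex digits and nothing else.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify one `uses:` reference.

    'pinned'  -> owner/repo@<40-hex sha>, immutable once published
    'mutable' -> tag or branch name (or no ref at all); the repo owner can
                 repoint it, which is the supply-chain case discussed above
    'local'   -> ./path inside the checked-out repository
    'docker'  -> docker:// image (digest pinning is a separate check)
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.partition("@")
    return "pinned" if SHA_RE.match(version) else "mutable"


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return every remote action reference that is not pinned to a commit SHA."""
    return [ref for ref in USES_RE.findall(workflow_text)
            if classify_ref(ref) == "mutable"]


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {ref}")
```

Pinning to a SHA only removes the tag-repointing path; the trust in the upstream organisation that Andres points at is unchanged.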
