Hi
On Mon, 2012-07-09 at 12:41 +0100, Simon Riggs wrote:
> IMHO we should only list binaries on the postgresql.org website if
> they are derived from build information that is owned by the PGDG, or
> at very least publicly available at the time of the build and likely
> to remain so afterwards.
I agree with this.
> That process should be automatic as far as possible, to minimise
> error, since the number of users of those binaries is now very large.
*Community RPMs* are more or less automated: There are some steps that
have to be done manually: Updating spec files, signing RPMs, performing
QA and then pushing to the repositories. Currently, when we build an
RPM, it passes through 3 separate tubes until it reaches its final position.
We do the QA on the first two tubes, since the last rsync is just a mirror
of the staging repository.
> Unverifiable binaries are a quality and security risk to the project.
Agreed -- and that is what me, Dave, etc., also think.
Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Community: devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.gunduz.org Twitter: http://twitter.com/devrimgunduz