Re: Wrong link not pointing to the release tarball

From: Pavel Raiskup
Subject: Re: Wrong link not pointing to the release tarball
Msg-id: 1803287.19C3NChQ4V@nb.usersys.redhat.com
In reply to: Re: Wrong link not pointing to the release tarball  (Vladimir Sitnikov <sitnikov.vladimir@gmail.com>)
List: pgsql-jdbc
On Friday 22 of January 2016 22:44:00 Vladimir Sitnikov wrote:
> John>ok, that's fine.
> John>sorry, I thought you were referring to pulling the whole source out of git.
>
> The missing part is the checksum & gpg.
> In other words, you have no idea what should be the checksum of the
> "tarball" you are about to download.

Right, this is really the missing part -- especially the gpg signature.
Working with gpg should be a rather manual job anyway :/.  It really
outweighs the benefits of automatization.

Note that this thread grows from a simple request:  Please fix the http
link.  Now I would raise a humble request:  Please don't change the release
tarball process.  Optionally -- having gpg sign would be a real improvement.

Pavel

> And you are not sure if the checksum itself came from a trusted source.
> Something like sha1sum.txt.asc should do the trick I suppose.
>
> Note: current https://jdbc.postgresql.org/download.html does not list
> checksums & signatures.
>
> I think I can configure addition of "sha1sum.txt.asc" files like in
> [1] to pgjdbc's releases page (see [2])
>
>
> Alternative source can be Maven Central (see [3]).
> It is a "standardized" repository with checksums and gpg signatures.
>
> However, if we pick Central as the source of the tarballs, then we'd
> better create yet another flavor of a tarball that would not include
> jar dependencies, etc, etc.
> In other words, "just a build-ready tarball" with no extra stuff.
> The drawback of that approach is that tarball would be a build
> artifact, and the upstream would never use it to produce "authentic"
> build artifacts.
>
>
> Any thoughts?
>
>
> [1]: https://github.com/syncthing/syncthing/releases
> [2]: https://github.com/pgjdbc/pgjdbc/releases
> [3]: https://oss.sonatype.org/content/repositories/releases/org/postgresql/postgresql/9.4.1207/
>
>
> Vladimir
>
>
>
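
The check that a clearsigned checksum list such as the `sha1sum.txt.asc` proposed above makes possible, as an added example that is not part of the thread or of pgjdbc's release tooling. The file names and the dedicated keyring path are assumptions; the tarball hash is compared against the verified signed payload only, never against the raw `.asc` file, so text outside the signature cannot supply a hash.

```sh
# Added example; file names and keyring path are assumptions.

# Print the SHA-1 listed for NAME in a sha1sum-style list. Fails unless
# exactly one well-formed entry exists (names with whitespace unsupported).
listed_sha1() {  # usage: listed_sha1 SUMS_FILE NAME
  awk -v name="$2" '
    { f = $2; sub(/^\*/, "", f) }   # "*" marks binary mode in sha1sum output
    f == name && length($1) == 40 && $1 !~ /[^0-9a-fA-F]/ {
      print tolower($1); found++
    }
    END { exit (found == 1 ? 0 : 1) }
  ' "$1"
}

# Succeed only if FILE hashes to the value listed for its base name.
check_against_list() {  # usage: check_against_list SUMS_FILE FILE
  want=$(listed_sha1 "$1" "$(basename "$2")") || return 1
  have=$(sha1sum "$2" | cut -d' ' -f1) || return 1
  [ "$want" = "$have" ]
}

# Verify the clearsigned list, then check the tarball against the signed
# payload. KEYRING (a path containing "/") should hold only the release
# key(s), obtained out of band. Returns 0 = ok, 1 = hash mismatch,
# 2 = signature not verified.
verify_release() (  # usage: verify_release TARBALL SUMS_ASC KEYRING
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  # --decrypt writes only the signed text to --output; status lines go to fd 1
  status=$(gpg --batch --no-default-keyring --keyring "$3" --status-fd 1 \
               --output "$tmp/sums" --decrypt "$2" 2>/dev/null) || exit 2
  # Require an explicit valid signature, not just a zero exit status
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || exit 2
  check_against_list "$tmp/sums" "$1"
)
```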


