Re: Linux Downloads page change
From | Magnus Hagander |
---|---|
Subject | Re: Linux Downloads page change |
Date | |
Msg-id | CABUevEwCpo1zXbS62fpRNDJEJi_qvRLoEJjKjFb24E1M6eyE_A@mail.gmail.com |
In reply to | Re: Linux Downloads page change (Dave Page <dpage@pgadmin.org>) |
Replies | Re: Linux Downloads page change |
List | pgsql-www |
On Mon, Jul 9, 2012 at 2:05 PM, Dave Page <dpage@pgadmin.org> wrote:
> On Mon, Jul 9, 2012 at 12:41 PM, Simon Riggs <simon@2ndquadrant.com> wrote:
>> On 9 July 2012 12:31, Devrim GÜNDÜZ <devrim@gunduz.org> wrote:
>>>
>>> Hi Simon,
>>>
>>> On Mon, 2012-07-09 at 12:25 +0100, Simon Riggs wrote:
>>>
>>>> I am discussing the relationship of SRPMs and RPMs, which is a valid
>>>> point on this thread given the point that the RPMs and SRPMs have been
>>>> mismatched for some time and that the current process calls for manual
>>>> rather than automatic synchronisation.
>>>
>>> Which SRPMs are you talking about? Community SRPMs? If so, they have
>>> always been available on the website. If you are talking about OpenSCG
>>> RPMs, that is a different thing.
>>
>> My words were a little unclear all round, please accept my apologies.
>>
>> IMHO we should only list binaries on the postgresql.org website if
>> they are derived from build information that is owned by the PGDG, or
>> at very least publicly available at the time of the build and likely
>> to remain so afterwards. That process should be automatic as far as
>> possible, to minimise error, since the number of users of those
>> binaries is now very large.
>
> Right - that's more or less what's been discussed and agreed. The
> issue with the installers that Magnus raised, is that at present I
> manually push the canonical GIT repo to git.postgresql.org, and often
> forget to do it until reminded. That was raised in response to my
> comment that the OpenSCG build scripts are not currently public at all
> as far as I could see, and should be if their work is to be listed on
> postgresql.org's primary downloads page.

FWIW, the listing they have *now* is clearly under "third party
distributions", so I don't think there's a problem with that one. It
also holds bitnami stuff. The point here is the *primary* download
pages (I'll make that plural since it was broken up a bit extra lately).

>> Unverifiable binaries are a quality and security risk to the project.
>
> In theory. In practice it seems unlikely anyone would ever take the
> time and energy to build them themselves and actually verify them -
> the effort to do so would be huge (for example, assembling the 9.2
> build machine for the installers and building all the necessary
> dependencies for all the supported platforms etc. has so far taken a
> number of man weeks). To verify the binaries we put out, someone would
> have to build an exact mirror of that environment. That's not to say
> it shouldn't be possible of course. In fact, it wouldn't even be
> possible, as we digitally sign some of the executables to appease
> Windows, and we obviously cannot share that certificate.

It should be possible, and it's a much smaller (though not necessarily
small) effort if you only want to verify *one* version on *one*
platform with *one* subset of modules.

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
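As an added example, not code from this thread or from the PostgreSQL project: the signing certificate on the Windows executables does not by itself prevent a rebuild from being compared against the shipped binary. Authenticode leaves the PE CheckSum field, the security data-directory entry and the appended certificate table out of its digest, so zeroing those fields and dropping the certificate table reduces a signed release and an unsigned local rebuild of the same code to identical bytes. The toy PE32 images below are constructed test data (not loadable, no real signature); the comparison assumes everything else about the build is byte-identical, which an installer build may well not be. Function names here are this example's own.

```python
import hashlib
import struct

# Offsets inside the PE optional header; PE32 and PE32+ share the layout up to CheckSum.
_CHECKSUM_OFFSET = 64                       # IMAGE_OPTIONAL_HEADER.CheckSum
_DATADIR_OFFSET = {0x10B: 96, 0x20B: 112}   # PE32 / PE32+ start of the data directories
_SECURITY_DIR_INDEX = 4                     # IMAGE_DIRECTORY_ENTRY_SECURITY


def _locate(data: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                 # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in _DATADIR_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    secdir_off = opt + _DATADIR_OFFSET[magic] + _SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)   # file offset, not RVA
    return opt + _CHECKSUM_OFFSET, secdir_off, cert_off, cert_size


def strip_signature_fields(data: bytes) -> bytes:
    """Zero CheckSum and the security directory entry, and cut out the certificate table.

    These are the regions Authenticode excludes from its digest, so two images that
    differ only by signing reduce to the same bytes.  This is a comparison form, not
    the official Authenticode digest input (which hashes the remaining ranges in a
    prescribed order).
    """
    checksum_off, secdir_off, cert_off, cert_size = _locate(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_off, 0)
    struct.pack_into("<II", buf, secdir_off, 0, 0)
    if cert_size:
        if cert_off + cert_size > len(buf):
            raise ValueError("certificate table runs past end of file")
        del buf[cert_off:cert_off + cert_size]
    return bytes(buf)


def same_build(a: bytes, b: bytes) -> bool:
    """True if a and b are the same executable once the signing-only fields are removed."""
    return (hashlib.sha256(strip_signature_fields(a)).digest()
            == hashlib.sha256(strip_signature_fields(b)).digest())


# --- constructed test data: minimal PE32 images for the demo only, not loadable ---

def make_cert_table(blob: bytes) -> bytes:
    """WIN_CERTIFICATE header (dwLength, wRevision=0x0200, wCertificateType=PKCS7) + blob."""
    return struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob


def build_toy_pe(code: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    opt_size = 224                                     # PE32 optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, _CHECKSUM_OFFSET, checksum)
    cert_off = 64 + 4 + len(coff) + opt_size + len(code)
    if cert:
        struct.pack_into("<II", opt, _DATADIR_OFFSET[0x10B] + _SECURITY_DIR_INDEX * 8,
                         cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + code + cert


if __name__ == "__main__":
    code = b"\x90" * 32
    local = build_toy_pe(code)                                          # local rebuild, unsigned
    release = build_toy_pe(code, make_cert_table(b"fake-pkcs7"), checksum=0xDEADBEEF)
    tampered = build_toy_pe(code[:-1] + b"\xCC", make_cert_table(b"fake-pkcs7"))
    print("release matches local build:", same_build(local, release))    # True
    print("tampered matches local build:", same_build(local, tampered))  # False
```

In practice the local side would be the output of the published build scripts and the other side the downloaded installer executable; any remaining difference then points at build inputs (timestamps, dependency versions, toolchain) rather than at the signature itself.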
In the pgsql-www list by send date: