Hi,
On 2024-03-30 16:50:26 -0400, Robert Haas wrote:
> We might also want to move toward signing commits and tags. One of the
> meson maintainers was recommending that on-list not long ago.
I don't know how valuable the commit signing really is, but I strongly agree
that we should sign both tags and tarballs.
> We should think about weaknesses that might occur during the packaging
> process, too. If someone who alleges that their packaging PG is really
> packaging PG w/badstuff123.patch, how would we catch that?
I don't think we realistically can. The environment, configure and compiler
options will influence things too much to do any sort of automatic
verification.
But that shouldn't stop us from ensuring that at least the packages
distributed via *.postgresql.org are reproducibly built.
Another good avenue for introducing an attack would be to propose some distro
specific changes to the packaging teams - there's a lot fewer eyes there. I
think it might be worth working with some of our packagers to integrate more
of their changes into our tree.
> I can't for example verify what the infrastructure team is doing, or what
> Tom does when he builds the release tarballs.
This one however, I think we could improve upon. Making sure the tarball
generation is completely binary reproducible and providing means of checking
that would surely help. This will be a lot easier if we, as dicussed
elsewhere, I believe, split out the generated docs into a separately
downloadable archive. We already stopped including other generated files
recently.
> We shouldn't make the mistake of assuming that bad things can't happen to
> us.
+1
Greetings,
Andres Freund