The new PostgreSQL 17 make dist
PostgreSQL 17 improves tarball creation by using `git archive`, enhancing reproducibility and traceability while addressing previous complexities and security concerns, though challenges in complete reproducibility remain.
PostgreSQL 17 introduces significant changes to the process of creating source code tarballs, which are essential for software distribution. Previously, the tarball creation involved a complex system that included prebuilt files, which complicated maintenance and raised concerns about reproducibility and security. The new approach utilizes the `git archive` command, allowing for a reproducible and verifiable tarball generation directly from a specific Git commit. This change enhances the integrity of the software supply chain, as users can now trace the tarball back to the exact Git repository, ensuring consistency across builds. The transition to this method addresses historical issues related to build output management and the need for a clean source environment. While the new system is a step forward, challenges remain, particularly regarding reproducible builds in all scenarios and the traceability of code origins in the Git repository. Future improvements may include implementing signed commits to further enhance security and integrity.
- PostgreSQL 17 changes tarball creation to use `git archive` for reproducibility.
- The new method improves software supply chain integrity and traceability.
- Previous tarball creation methods were complex and raised security concerns.
- Challenges remain in achieving complete reproducibility and tracking code origins.
- Future enhancements may include the use of signed commits for better security.
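The reproducibility argument summarized above, as an added example that is not PostgreSQL's make dist and not git's own code: a small Python model of the two properties `git archive` gives a tarball (sorted entries, every entry stamped with the commit time rather than the builder's clock), plus the gzip caveat that decides whether the compressed file is byte-repeatable. The sample source tree and commit timestamp are constructed values.

```python
"""Reproducible tarball construction in the style of `git archive`.
Added example, not PostgreSQL's make dist; tree and commit time are constructed."""
import gzip
import io
import tarfile

# Constructed sample source tree (path -> contents) and commit timestamp.
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "configure": b"#!/bin/sh\necho configuring\n",
    "README": b"sample project\n",
}
COMMIT_TIME = 1_700_000_000  # seconds since the epoch, as git stores it


def archive(tree, commit_time, prefix="project/"):
    """Deterministic tar: sorted paths, mtime = commit time, uid/gid 0.
    These are the properties that make two runs of `git archive <commit>` agree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in sorted(tree):  # insertion order must not matter
            info = tarfile.TarInfo(prefix + path)
            info.size, info.mtime, info.mode = len(tree[path]), commit_time, 0o644
            info.uid = info.gid = 0  # no builder identity leaks into the archive
            tar.addfile(info, io.BytesIO(tree[path]))
    return buf.getvalue()


def compress(tar_bytes, mtime):
    """gzip records an mtime in its own header (the CLI defaults to 'now'), so
    identical tars still differ as .tar.gz unless that field is pinned too.
    bzip2 has no such header field, which is why it never shows this drift."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(tar_bytes)
    return out.getvalue()


def verify(tgz, tree, commit_time, prefix="project/"):
    """Trace a tarball back: same file set, same contents, commit-time mtimes."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        if set(members) != {prefix + p for p in tree}:
            return False
        return all(m.mtime == commit_time
                   and tar.extractfile(m).read() == tree[m.name[len(prefix):]]
                   for m in members.values())
```

Publishing the SHA-256 of `compress(archive(tree, t), t)` next to the commit id is what lets a downstream consumer rebuild and compare rather than trust.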
Related
Things I know about Git commits
The article delves into Git commit insights over 12 years, stressing well-crafted messages, rebase-merging benefits, atomic commits, and effective documentation. It highlights commit messages' impact on collaboration, code maintenance, and project management.
Love, Death and PostgreSQL Triggers (2022)
The GitGuardian engineering team replaced PostgreSQL triggers with Celery tasks to address performance issues. Triggers caused unexpected behavior and complexities, leading to a shift towards simpler asynchronous computation methods for better performance.
Highlights from Git 2.46
Git 2.46 has been released with contributions from 96 contributors, introducing pseudo-merge bitmaps, enhanced credential helpers, and a new git config command, alongside various bug fixes and improvements.
Postgres stores data on disk – this one's a page turner
PostgreSQL stores data in a structured directory at /var/lib/postgresql/data, containing essential subdirectories and files for database operations, access control, statistics, and transaction management, aiding developers in data optimization.
Show HN: Pg_replicate – Build Postgres replication applications in Rust
pg_replicate is a Rust crate for PostgreSQL data replication, supporting logical streaming replication. It offers easy integration, a quickstart guide, and plans for future enhancements and additional data sinks.
Generated output, vendored source trees, etc. aren't, or can't be, meaningfully audited as part of a code review process, so they're basically merged without real audit or verification.
My personal preference is never to include generated output in a repository or tarball, including e.g. autoconf/automake scripts. This is directly contrary to the advice of the autotools documentation, which wants people to ship these unauditably gargantuan and obtuse generated scripts as part of tarballs... an approach which created an ideal space for things like the XZ backdoor.
There is a learning curve for either Nix or Guix that puts many off. However, it's not that steep; certainly it is many orders of magnitude easier than maintaining PostgreSQL, and once you are over that you no longer need to do things like keeping a dedicated clean machine just to pack a tarball. Write the derivation and anyone, anywhere, on any machine can generate the exact same tarball with a one-liner.
The barrier caused by the initial steps of learning Nix/Guix is a shame because once you are over it, it is difficult to see why software is built any other way (the same may apply to Bazel, but I have no experience with that).
Switching to `git archive` is fine, and you can add files to that, but https://github.com/postgres/postgres/blob/master/GNUmakefile... doesn't. So, I guess users now _have to_ run `autoreconf -fi`? No, because those are now committed in the source tree (https://github.com/postgres/postgres/blob/master/configure).
What is different about gzip and bzip2 that causes this?
What packages are they referring to?