Re: Security lessons from liblzma
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Bruce Momjian <bruce@momjian.us>
Cc: Andres Freund <andres@anarazel.de>, Michael Banck <mbanck@gmx.net>, Devrim Gündüz <devrim@gunduz.org>, Joe Conway <mail@joeconway.com>, Robert Haas <robertmhaas@gmail.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2024-04-01T21:03:28Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Introduce a non-recursive JSON parser
- 3311ea86edc7 17.0 cited
Bruce Momjian <bruce@momjian.us> writes: > On Mon, Apr 1, 2024 at 03:17:55PM -0400, Tom Lane wrote: >> AFAIK, every open-source distro makes all the pieces needed to >> rebuild their packages available to users. It wouldn't be much >> of an open-source situation otherwise. You do have to learn >> their package build process. > I wasn't clear if all the projects provide a source tree that can be > verified against the project's source tree, and then independent > patches, or if the patches were integrated and therefore harder to > verify against the project source tree. In the systems I'm familiar with, an SRPM-or-equivalent includes the pristine upstream tarball and then some patch files to apply to it. The patch files have to be maintained anyway, and if you don't ship them then you're not shipping "source". regards, tom lane