Re: Problem with OpenSCG downloads

Bruce Momjian <bruce@momjian.us>

From: Bruce Momjian <bruce@momjian.us>
To: Andres Freund <andres@anarazel.de>
Cc: Justin Clift <justin@postgresql.org>, PostgreSQL www <pgsql-www@postgresql.org>
Date: 2018-08-17T02:39:11Z
Lists: pgsql-hackers
On Thu, Aug 16, 2018 at 09:25:36AM -0700, Andres Freund wrote:
> On 2018-08-16 16:32:00 +0100, Justin Clift wrote:
> > On 2018-08-16 16:25, Andres Freund wrote:
> > > FWIW, I find this pretty damning given that there's been new security
> > > release for a week: You've added no notes about it to the bigsql
> > > download page. Pinged nobody, to get the downloadlinks temporarily
> > > adorned with a warning on the pg site. And then there's the issue that
> > > the dates besides the releases on the download page are referencing the
> > > date of the newest set of minor releases, but aren't actually new.
> > > 
> > > This is ridiculously intransparent.
> > 
> > Is it fairly simple for us to just comment out/remove the links for now?
> > 
> > We don't want to be pointing people to software with known security issues.
> > 
> > We can put the links back in when the updated downloads are in place. :)
> 
> Probably don't want to remove them entirely, it might prevent people
> from upgrading from an even older release with more serious issues. But
> a red warning seems appropriate.

Agreed.  We need to do something _now_, and the fact that we are having
to discover this instead of OpenSCG telling us is a good reason to
suspect the use of this download site in the future.

Looking at their website now, does it show they now have the proper
binaries?

	https://www.openscg.com/bigsql/postgresql/installers/
	
	PostgreSQL 10.5 - Stable  (09-Aug-18)
	
	    postgresql-10.5-win64.exe
	    postgresql-10.5-osx64.dmg

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +


Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Remove test for VA_ARGS, implied by C99.

  2. Introduce minimal C99 usage to verify compiler support.

  3. Require C99 (and thus MSCV 2013 upwards).

  4. Require a C99-compliant snprintf(), and remove related workarounds.

  5. Try to enable C99 in configure, but do not rely on it (yet).

  6. Make snprintf.c follow the C99 standard for snprintf's result value.

  7. Clean up assorted misuses of snprintf()'s result value.