Re: Heads Up: cirrus-ci is shutting down June 1st
Andres Freund <andres@anarazel.de>
From: Andres Freund <andres@anarazel.de>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Nazir Bilal Yavuz <byavuz81@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>,
Thomas Munro <thomas.munro@gmail.com>, pgsql-hackers@postgresql.org, Zsolt Parragi <zsolt.parragi@percona.com>, Peter Eisentraut <peter@eisentraut.org>
Date: 2026-06-11T13:09:34Z
Lists: pgsql-hackers
Hi, On 2026-06-10 16:42:22 -0700, Jacob Champion wrote: > On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <andres@anarazel.de> wrote: > > Isn't that a rather bogus complaint? After all, pacman is then used to install > > a lot of stuff that's under control of the msys2/ org. And the github images > > *also* install msys2 releases that are under control of the msys2/ org. So > > what increase in safety are we gaining by implementing this ourselves? > > 1) It depends on whether you think it's as easy to poison upstream > MSYS servers as it is to poison a mutable GitHub tag. It's just as easy I think. > 2) I think we should *also* move away from live installs of the latest > versions of stuff, but that seems like a much heavier lift than just > pinning a tag, which is easy. I think you maybe understimate the noise of constant "bump version of xzy" commits across N branches. > The goal isn't to completely avoid trusting any other software > organizations, but to avoid letting a GitHub supply chain attack > spread like wildfire. I guess I just don't see the supply chain danger here. This is for testing, not for making releases. What's the threat model in which attacking postgres' CI helps you spread the attack further? Greetings, Andres Freund
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
ci: Add GitHub Actions based CI
- 9c126063b19a 19 (unreleased) landed
-
ci: Remove support for cirrus-ci based CI
- 68c8a365d4dc 19 (unreleased) landed