On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <[email protected]> wrote:
> Isn't that a rather bogus complaint? After all, pacman is then used to install
> a lot of stuff that's under control of the msys2/ org. And the github images
> *also* install msys2 releases that are under control of the msys2/ org. So
> what increase in safety are we gaining by implementing this ourselves?
1) It depends on whether you think it's as easy to poison upstream MSYS servers
as it is to poison a mutable GitHub tag.

2) I think we should *also* move away from live installs of the latest versions
of stuff, but that seems like a much heavier lift than just pinning a tag, which
is easy.

The goal isn't to completely avoid trusting any other software organizations,
but to avoid letting a GitHub supply chain attack spread like wildfire.

> The reason I'm looking at it is that I was experimenting with using larger
> runners for cfbot. Unfortunately they don't have a d:/ drive. Thus the mingw
> task fails (there's also a sockdir issue, but that's trivial to fix).
>
> I started to fix this by just installing msys ourselves [1], which also turns
> out to be faster than moving the install, but then I considered that to be
> somewhat too wheel-reinvent-y, compared to just using msys2/setup-msys2.
>
> Which led me back here.

To clarify: I'm not against using setup-msys2 if you think it's of good quality;
I just thought the SHA should be pinned.

--Jacob
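As an added illustration of the tag-versus-SHA distinction discussed in this message (example code, not from the thread or from the PostgreSQL repository): the script below scans a workflow file for `uses:` references and reports which ones a party controlling the action's repository could silently re-point. The two workflow fragments are constructed sample input, the 40-hex values in the pinned variant are placeholders rather than real commits of those actions, and the scan is a line-based regex rather than a full YAML parser.

```python
import re

# Constructed workflow fragments used as sample input; they are not from the
# PostgreSQL thread or repository. The 40-hex values in the pinned variant
# are placeholders, not real commits of actions/checkout or msys2/setup-msys2.
MUTABLE_WORKFLOW = """\
jobs:
  mingw:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@v2
        with:
          msystem: UCRT64
      - uses: some-org/some-action@main
"""

PINNED_WORKFLOW = """\
jobs:
  mingw:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000001 # v4
      - uses: msys2/setup-msys2@0000000000000000000000000000000000000002 # v2
        with:
          msystem: UCRT64
      - uses: ./.github/actions/local-helper
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*(\S+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
TAG_RE = re.compile(r'^v?\d')


def classify(uses):
    """Return (action, ref, kind) for one `uses:` value.

    kind is one of:
      "local"   - ./path, taken from the checked-out repo; nothing to pin
      "sha"     - 40-hex commit; the owner cannot move it without a new SHA
      "digest"  - docker://image@sha256:...; likewise immutable
      "tag"     - v2, v4.1.0, image:tag; the owner can re-point it at will
      "branch"  - main, master, ...; mutable and expected to move
      "default" - no @ref at all, resolves to the default branch
    """
    uses = uses.strip('"\'')
    if uses.startswith('./'):
        return (uses, None, "local")
    if uses.startswith('docker://'):
        if '@sha256:' in uses:
            action, ref = uses.rsplit('@', 1)
            return (action, ref, "digest")
        return (uses, None, "tag")
    if '@' not in uses:
        return (uses, None, "default")
    action, ref = uses.rsplit('@', 1)
    if SHA_RE.match(ref):
        return (action, ref, "sha")
    if TAG_RE.match(ref):
        return (action, ref, "tag")
    return (action, ref, "branch")


def audit(workflow_text):
    """Classify every `uses:` line in the text of a workflow file."""
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            results.append(classify(m.group(1)))
    return results


IMMUTABLE = {"local", "sha", "digest"}


def unpinned(workflow_text):
    """References that whoever controls the action's repo (or its tag
    namespace) could silently re-point at different code."""
    return [r for r in audit(workflow_text) if r[2] not in IMMUTABLE]


if __name__ == "__main__":
    for name, wf in (("mutable", MUTABLE_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        bad = unpinned(wf)
        print(f"{name}: {len(bad)} unpinned reference(s)")
        for action, ref, kind in bad:
            print(f"  {action}@{ref} ({kind})")
```

Pinning to a commit SHA closes only the vector this message is about: a compromised or careless owner moving `v2`. It does not change what the action itself fetches from upstream at run time, which is the separate point raised in the quoted reply and in item 2 above. Keeping the tag as a trailing comment (`@<sha> # v2`) preserves a human-readable version and is the form dependency-update bots recognise when bumping the SHA.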
