On Thu, 11 Jun 2026 at 01:42, Jacob Champion <[email protected]> wrote:
>
> On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <[email protected]> wrote:
> > Isn't that a rather bogus complaint? After all, pacman is then used to
> > install
> > a lot of stuff that's under control of the msys2/ org. And the github images
> > *also* install msys2 releases that are under control of the msys2/ org. So
> > what increase in safety are we gaining by implementing this ourselves?
>
> 1) It depends on whether you think it's as easy to poison upstream
> MSYS servers as it is to poison a mutable GitHub tag.
> 2) I think we should *also* move away from live installs of the latest
> versions of stuff, but that seems like a much heavier lift than just
> pinning a tag, which is easy.
>
> The goal isn't to completely avoid trusting any other software
> organizations, but to avoid letting a GitHub supply chain attack
> spread like wildfire.
I don't really understand what the actual problem is that you're trying to protect against, i.e. what's the worst thing that a hostile takeover of the msys github action (or any other action for that matter) can result in? We already allow anyone to run arbitrary CI on the postgresql-cfbot repo by simply submitting a patch to the mailing list. This seems fine, since we don't have any secrets associated with the repo. Neither do we have any secrets on the postgres/postgres repo. Usually what these attacks target is secrets used to deploy or publish releases. Our repos don't do any of that.
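The distinction Jacob draws between a mutable tag and an upstream package source is concrete in a workflow file: a `uses:` line ending in `@v2` follows wherever the tag is moved, while a full 40-hex commit SHA names one fixed tree. The checker below is an added example, not code from this thread or from the PostgreSQL or cfbot repositories; it walks a workflow file and lists every action reference that is not pinned to a full commit SHA. The sample workflow is constructed, `example-org/example-action` and the all-digits SHA are placeholders, and `actions/checkout` and `msys2/setup-msys2` appear only as sample input names.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for the checker. example-org/example-action and the
# SHA are placeholders; the other action names are used only as sample input.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@v2
        with:
          update: true
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-step
      - run: make check
"""

# Matches "uses: <ref>" as a step item or a nested key; stops at whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses: str) -> str:
    """Classify one uses: value as 'local', 'docker', 'sha' or 'mutable'.

    Only a full 40-hex commit SHA counts as immutable; a tag or branch name
    can be moved by whoever controls the upstream repository.
    """
    if uses.startswith('./'):
        return 'local'          # path inside the checked-out repo, no remote fetch
    if uses.startswith('docker://'):
        return 'docker'         # image reference, governed by registry policy instead
    if '@' not in uses:
        return 'mutable'        # no ref given at all: treat as not pinned
    _, ref = uses.rsplit('@', 1)
    return 'sha' if FULL_SHA_RE.match(ref) else 'mutable'


def find_mutable_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, uses value) for every action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if classify_ref(uses) == 'mutable':
            findings.append((lineno, uses))
    return findings


if __name__ == '__main__':
    for lineno, uses in find_mutable_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is pinned to a movable tag or branch")
```

On the sample input the checker reports `actions/checkout@v4` and `msys2/setup-msys2@v2`; the SHA-pinned step and the local path are left alone. Pinning to a SHA only closes the moved-tag vector: whatever the action then downloads from the msys2/ servers is still a live install, which is the heavier lift the thread mentions, and a SHA pin means updates arrive only when someone bumps the reference deliberately.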
