tembo-io / trunk

Package manager and registry for Postgres extensions
PostgreSQL License
257 stars, 17 forks

Document security issues re using prebuilt extensions #623

Open ibotty opened 9 months ago

ibotty commented 9 months ago

Who can upload built extensions, are they signed and by whom?

ianstanton commented 9 months ago

Hey there! Thanks for opening this. We need to document how users can add extensions to the registry :) Here is an example of the general flow:

Opening a PR like this will build and test the extension in CI, and publish on merge to main.

ibotty commented 9 months ago

Thank you for your answer. That does give some context.

Am I right that there is nothing in place regarding reproducible builds yet? It would be great to independently verify the binaries.

What I am after with this bug report is first that it's documented so people know what they are getting into and make it easier to identify things to improve.
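The thread raises two questions a consumer of prebuilt extensions would want answered: can a downloaded artifact be checked against what the publisher built, and can two independent builds be compared? The following is an added example, not code from trunk or from either commenter. It assumes a hypothetical sha256sum-style checksum manifest ("digest  filename" lines) published alongside the artifact; the archive bytes, filenames and manifest are all constructed here, and no signature scheme is implied beyond the digest check.

```python
"""Consumer-side verification of a prebuilt extension artifact.

Added example (not trunk's own code). It assumes the registry publishes a
sha256sum-style manifest next to each artifact; that format, the file
names and the archive bytes below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed stand-in for a downloaded extension archive.
SAMPLE_ARTIFACT = b"constructed pgmq extension archive bytes, version 1.0.0"
SAMPLE_NAME = "pgmq-1.0.0.tar.gz"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# What a publisher running `sha256sum pgmq-1.0.0.tar.gz` would have emitted
# (constructed here from the sample bytes so the example is self-contained).
SAMPLE_MANIFEST = (
    "# constructed checksum manifest\n"
    f"{sha256_hex(SAMPLE_ARTIFACT)}  {SAMPLE_NAME}\n"
)


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  filename' lines into {filename: lowercase hex digest}.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-hex-char digest followed by two spaces and a name is rejected, so a
    corrupted or truncated manifest fails closed instead of being half-read.
    """
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if sep != "  " or not name.strip() or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        int(digest, 16)  # raises ValueError if not hexadecimal
        entries[name.strip()] = digest
    return entries


def verify_artifact(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """True only if the manifest lists `name` and its digest matches `data`.

    An artifact absent from the manifest is treated as unverified, and the
    digest comparison is constant-time as a matter of habit.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def builds_reproducible(build_a: bytes, build_b: bytes) -> bool:
    """Reproducible-build check: two independent builds must be byte-identical.

    Any embedded build timestamp, path or hostname breaks this, which is
    exactly what a reproducibility effort has to remove from the build.
    """
    return hmac.compare_digest(sha256_hex(build_a), sha256_hex(build_b))


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print("artifact matches manifest:",
          verify_artifact(SAMPLE_NAME, SAMPLE_ARTIFACT, manifest))
    print("rebuild reproducible:",
          builds_reproducible(SAMPLE_ARTIFACT, SAMPLE_ARTIFACT))
```

A digest check like this only ties the download to whatever the publisher hashed; it says nothing about who was allowed to publish, which is the first question in this issue and would need the manifest itself to be signed by a known key.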