zonkyio / embedded-postgres-binaries

Lightweight bundles of PostgreSQL binaries with reduced size intended for testing purposes.
Apache License 2.0
130 stars, 29 forks

Add a security section to the Readme #81

Open alexanderkjeldaas opened 3 weeks ago

alexanderkjeldaas commented 3 weeks ago

This project is used by lots of other projects, it seems, but it is entirely unclear to me what the security assumptions for downloading these postgres binaries are.

Is it possible to have a checksum on a specific downloaded artifact or is this published somewhere, and what is the best practice to protect against supply chain attacks when using these builds?

A section in the README discussing these points would be great.