
Add a security section to the Readme #81

Open
alexanderkjeldaas opened this issue Jun 23, 2024 · 1 comment

Comments

@alexanderkjeldaas

This project is used by lots of other projects it seems, but it is entirely unclear to me what the security assumptions for downloading these postgres binaries are.

Is it possible to have a checksum on a specific downloaded artifact or is this published somewhere, and what is the best practice to protect against supply chain attacks when using these builds?

A section in the README discussing these points would be great.

@tomix26
Collaborator

tomix26 commented Jul 24, 2024

Thanks for your question about the security of downloading Postgres binaries.

The binaries are available as Maven packages through the Maven Central repository, where all artifacts are digitally signed to ensure their integrity and authenticity.

You can also check the source code and build scripts in the repository to see exactly how the binaries are created. This should give you peace of mind, knowing you can verify the entire process.

If you still have concerns, you can always build the binaries yourself from the source files. This way, you have full control and can ensure everything is secure.

If you have any more questions or need more info, just let me know.
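The verification the reply points at, worked through as an added example (not the project's own code): Maven Central lays every artifact out at a predictable path and publishes checksum sidecars and a detached PGP signature next to it, and a consumer can pin and check a downloaded file against them. The coordinates, file names and sample bytes below are placeholders constructed for the example, not this project's real ones.

```python
"""Pin and verify a Maven Central artifact by checksum (added example).

Layout: https://repo1.maven.org/maven2/<group path>/<artifact>/<version>/
Sidecars next to each file: <file>.sha1, <file>.md5 and, for newer uploads,
<file>.sha256 / <file>.sha512, plus a detached signature <file>.asc that is
checked with `gpg --verify <file>.asc <file>` against the publisher's key.
A sidecar fetched from the same repository only detects transit corruption;
to defend against a swapped artifact, record the digest in your own build
(or verify the .asc signature) rather than trusting the sidecar alone.
"""
import hashlib
import hmac

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"


def artifact_urls(group, artifact, version, classifier=None, ext="jar"):
    """URLs of an artifact and its checksum/signature sidecars."""
    name = f"{artifact}-{version}" + (f"-{classifier}" if classifier else "") + f".{ext}"
    base = f"{MAVEN_CENTRAL}/{group.replace('.', '/')}/{artifact}/{version}/{name}"
    return {"artifact": base, "sha512": base + ".sha512",
            "sha1": base + ".sha1", "asc": base + ".asc"}


def parse_sidecar(text):
    """Sidecars hold a hex digest, sometimes followed by a file name as in
    `sha512sum` output; accept only a leading hex token."""
    token = text.strip().split()[0] if text.strip() else ""
    if not token or any(c not in "0123456789abcdefABCDEF" for c in token):
        raise ValueError("sidecar does not contain a hex digest")
    return token.lower()


def verify_checksum(data, expected_text, algorithm="sha512"):
    """True only if the bytes hash to the pinned/sidecar digest. Comparison is
    constant-time, and a malformed or truncated digest never passes."""
    try:
        expected = parse_sidecar(expected_text)
    except ValueError:
        return False
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: stand-in for a downloaded binary and its pinned digest.
SAMPLE = b"constructed sample artifact bytes, not a real PostgreSQL binary\n"
SAMPLE_SHA512 = hashlib.sha512(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(artifact_urls("org.example", "demo", "1.0.0", classifier="linux-amd64"))
    print("ok" if verify_checksum(SAMPLE, SAMPLE_SHA512 + "  demo.jar") else "MISMATCH")
```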
