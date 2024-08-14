I think this is progress, if you care about software supply chain integrity. (It's also a relief if you care about maintaining the build system.) There are certainly more things that could be done. One thing mentioned above is that reproducible builds don't work for PostgreSQL in all situations. My understanding is that this needs to be fixed elsewhere, though. Another topic is more traceability about how things get into the Git repository. The make dist change only ensures that once code is in the Git repository, you can trace it from there, ideally all the way to the end-user installation. There are, of course, various technical and social processes in the PostgreSQL developer community that monitor the integrity of the source code, but there is nothing currently that cryptographically verifies, in an automated way, the origin of what goes into the Git repository. So something like signed commits might be worth looking into in the future in order to improve this further.