postgres 17 bans intermediate build artifacts from their dist tarballs

[kpcyrd]

Dear list,

I brought this up on irc but figured it's worth mentioning this on the 
mailing list too:

https://peter.eisentraut.org/blog/2024/08/13/the-new-postgresql-17-make-dist

They explicitly mention the XZ backdoor incident, and I'd like to highlight:

 > Anyway, with PostgreSQL 17, this is changed. The tarball generation is
 > still invoked by calling make dist, but that internally now calls git
 > archive. git archive packs the files belonging to a given Git commit
 > into a tar (or other) archive in a reproducible and verifiable way.
 > Therefore, if I now run make dist on a given commit (such as a release
 > tag), then I will get the exact same (bit-identical) tarball as the
 > next person.

Postgres 17 is currently in beta so I don't have any tarballs in 
whatsrc.org yet, but there's likely going to be a consensus around them 
among the different distros.

cheers,
kpcyrd