Skip to content

docs: eliminate false-capability claims + v1.0.12#29

Merged
postgresql007 merged 1 commit into
mainfrom
release/v1.0.12
Jul 16, 2026
Merged

docs: eliminate false-capability claims + v1.0.12#29
postgresql007 merged 1 commit into
mainfrom
release/v1.0.12

Conversation

@postgresql007

Copy link
Copy Markdown
Contributor

Follow-up to the managed-DBaaS fix (already on main): an audit for the whole "documents a capability that doesn't actually work" class, plus the v1.0.12 release.

Confirmed & fixed (this PR)

  • Rekor (internal/audit/transparency.go): comment claimed a rekor.Log implementation ships — it doesn't exist; only self-hosted StorageBackedLog does. Now "planned, post-v1.0".
  • PCI-DSS runbook (docs/compliance/pci-dss.md): instructed a QSA to verify an image-level SLSA attestation that isn't produced (image unpublished; image SLSA is roadmap). Added the caveat + a working blob/tarball slsa-verifier alternative.
  • FIPS artifact (docs/reference/build-flavours.md): "official pg-hardstorage-fips distribution artifact … out of the box" — no such artifact ships. Reworded to build-from-source + planned note.
  • SPEC packaging: Scoop and -fips/-pg-ext image variants listed as shipped → planned/gated.

Already on main (619a19d)

Managed DBaaS (RDS/Aurora/Cloud SQL/Azure/Neon/Supabase) false-support claims in the LLM README, SPEC, and sidecar chart — corrected to self-managed-only. This PR also fixes SPEC.md:97 (START_REPLICATION "works on managed PostgreSQL").

Audit result

The managed-DBaaS class is fully eliminated — every mention is now a negation; self-hosted/self-managed is the only supported target. Verified-accurate claims (Windows hedging, CNPG-I roadmap, compat shims build-from-source, Helm OCI unpublished, logical-decoding pgoutput on managed PG) were left untouched.

No behaviour change; go build ./... clean. CHANGELOG + doc versions bumped to 1.0.12.

Follow-up audit for the "documents a capability that doesn't work"
class (prompted by the managed-DBaaS claims). Beyond the DBaaS fixes
already on main, corrected:

- internal/audit/transparency.go: the TransparencyLog comment claimed
  a rekor.Log implementation ships; only self-hosted StorageBackedLog
  exists — external Rekor is post-v1.0 roadmap. Reworded to "planned".
- docs/compliance/pci-dss.md: the QSA evidence-bundle runbook told
  auditors to verify an image-level SLSA attestation that isn't
  produced (image unpublished; image SLSA is roadmap). Added the
  caveat + a working blob/tarball slsa-verifier alternative.
- docs/reference/build-flavours.md: dropped the "official
  pg-hardstorage-fips distribution artifact ... out of the box"
  framing (no such artifact ships) → build-from-source + planned note.
- SPEC.md: Scoop and -fips/-pg-ext container image variants were
  listed as shipped; marked planned/gated.

Audit confirmed the managed-DBaaS class is fully eliminated (every
RDS/Aurora/Cloud SQL/Azure/Neon/Supabase mention is now a negation;
self-hosted/self-managed remains the only supported target).

Release prep: CHANGELOG 1.0.12 and doc version examples bumped.
@postgresql007
postgresql007 merged commit 3671a18 into main Jul 16, 2026
3 checks passed
@postgresql007
postgresql007 deleted the release/v1.0.12 branch July 16, 2026 15:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant