Hi Ed,

Thanks for raising these important points regarding upstream alignment and sustainability within the Cloudberry ecosystem. We have not paid enough attention to these aspects in the past, and it is high time we address them to ensure the long-term health and security of our project.

+1 to have one summary doc on this for further discussion.

Best,
Dianjin Wang

On Fri, Oct 17, 2025 at 12:55 AM Ed Espino <[email protected]> wrote:
>
> Hi all,
>
> I’d like to start a broader discussion about how we handle upstream
> alignment and sustainability across the Cloudberry ecosystem — including
> both the core Cloudberry Database code base (currently based on
> PostgreSQL 14.4) and the related repositories under the cloudberry-contrib
> organization such as PostGIS and MADlib.
>
> To clarify, these contrib repositories are not part of the Apache
> Cloudberry (Incubating) project and are maintained independently to
> provide compatibility and integration with Cloudberry. However, the same
> long-term questions apply: how do we stay aligned with their upstream
> projects and ensure security and maintenance practices remain strong?
>
> I know we are embarking on a PostgreSQL 16 merge effort, but what about
> our main code base that is still based on PostgreSQL 14.4? The active
> upstream series has now advanced to 14.19, which includes a number of
> cumulative updates since 14.4. Understanding how we are tracking and
> applying relevant changes from those releases would be valuable.
>
> A few areas where shared visibility could help us make progress include:
>
> - Upstream alignment: What is our approach for tracking upstream changes
>   and updates from projects such as PostgreSQL, PostGIS, and MADlib? Are
>   we periodically reviewing and merging upstream fixes or enhancements
>   into the related Cloudberry-compatible versions?
> - CVE and security handling: Since Cloudberry is currently based on
>   PostgreSQL 14.4, and the active upstream series is now at 14.19, how
>   are we monitoring CVEs and critical patches from the current PostgreSQL
>   releases? Do we have a process for evaluating and applying those fixes
>   in a timely manner?
> - Collaboration and contribution: Where possible, are we in contact with
>   the upstream PostgreSQL, PostGIS, and MADlib communities to share
>   feedback or contribute improvements derived from Cloudberry work?
> - Sustainability: Would it make sense to document a recurring “upstream
>   sync” process, perhaps with identified maintainers or liaisons for key
>   upstream projects, to reduce divergence and improve visibility over
>   time?
>
> The goal would be to ensure that Cloudberry and its associated components
> remain secure, well-maintained, and aligned with the broader PostgreSQL
> ecosystem.
>
> Happy to assist in drafting an outline or summary if there’s community
> interest.
>
> Thanks,
> -=e
