Hi all,

I’d like to start a broader discussion about how we handle upstream alignment and sustainability across the Cloudberry ecosystem — including both the core Cloudberry Database code base (currently based on PostgreSQL 14.4) and the related repositories under the cloudberry-contrib organization such as PostGIS and MADlib.

To clarify, these contrib repositories are not part of the Apache Cloudberry (Incubating) project and are maintained independently to provide compatibility and integration with Cloudberry. However, the same long-term questions apply: how do we stay aligned with their upstream projects and ensure security and maintenance practices remain strong?

I know we are embarking on a PostgreSQL 16 merge effort, but what about our main code base that is still based on PostgreSQL 14.4? The active upstream series has now advanced to 14.19, which includes a number of cumulative updates since 14.4. Understanding how we are tracking and applying relevant changes from those releases would be valuable.

A few areas where shared visibility could help us make progress include:

- Upstream alignment: What is our approach for tracking upstream changes and updates from projects such as PostgreSQL, PostGIS, and MADlib? Are we periodically reviewing and merging upstream fixes or enhancements into the related Cloudberry-compatible versions?
- CVE and security handling: Since Cloudberry is currently based on PostgreSQL 14.4, and the active upstream series is now at 14.19, how are we monitoring CVEs and critical patches from the current PostgreSQL releases? Do we have a process for evaluating and applying those fixes in a timely manner?
- Collaboration and contribution: Where possible, are we in contact with the upstream PostgreSQL, PostGIS, and MADlib communities to share feedback or contribute improvements derived from Cloudberry work?
- Sustainability: Would it make sense to document a recurring “upstream sync” process, perhaps with identified maintainers or liaisons for key upstream projects, to reduce divergence and improve visibility over time?

The goal would be to ensure that Cloudberry and its associated components remain secure, well-maintained, and aligned with the broader PostgreSQL ecosystem. Happy to assist in drafting an outline or summary if there’s community interest.

Thanks,
-=e
