Message-ID: From: "vlsi (@vlsi)" To: "pgjdbc/pgjdbc" Date: Thu, 21 May 2026 12:49:29 +0000 Subject: Re: [pgjdbc/pgjdbc] PR #4079: docs: spell out the proactive-security window in SECURITY.md In-Reply-To: References: List-Id: X-GitHub-Author-Login: vlsi X-GitHub-Comment-Id: 4508409832 X-GitHub-Comment-Type: issue_comment X-GitHub-Issue: 4079 X-GitHub-Repo: pgjdbc/pgjdbc X-GitHub-Type: comment X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/4079#issuecomment-4508409832 Content-Type: text/plain; charset=utf-8 On the signing isolation point, agreed, that's a real, separable win. Today the GPG signing key ends up materialised into the Gradle build, which means every plugin and every test dependency on the classpath is in a position to read it. Pulling signing into an isolated CI job with a narrow, audited software bill of materials would meaningfully shrink that attack surface. I'd back a refactor on that ground alone. Where I'd push back is on the claim that decoupling pre-empts the Sonatype-availability concern Dave raised. Whatever pipeline talks to Central still needs the same auth/URL change when OSSRH retires — a decoupled GHA + shell + publication-tool stack inherits that update just as the current Gradle config would. The refactor relocates the maintenance, it doesn't eliminate it. (And patches to back branches usually don't touch the build system anyway; the case where decoupling actually saves work is also the case where the decoupled pipeline itself needs updating.) --- Stepping back, though. Back to the PR itself. The policy isn't new: pgJDBC has been shipping multi-line CVE backports for years (CVE-2024-1597 landed on 42.7.2 / 42.6.1 / 42.5.5 / 42.4.4 / 42.3.9 / 42.2.28 / 42.2.28.jre7). What's been missing is an explicit answer to "for how long?". The PR just puts a number on it: 5 years past the next minor's .0, anchored to PostgreSQL's own 5-year support cycle so the driver doesn't lag the server. Publishing and signing isolation, Sonatype migration, build/publish decoupling is real but separate: how we ship vs for how long. Move it to a follow-up issue? Happy to open one and link back. Does 5y past next minor's .0 look right? Anything blocking on the formalisation itself?