public inbox for [email protected]
help / color / mirror / Atom feedFrom: Bruce Momjian <[email protected]>
To: Robert Haas <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Subject: Re: Security lessons from liblzma
Date: Mon, 8 Apr 2024 22:57:27 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+TgmoY8RCvkWWVgHWAEvNq=M-M4Jz49jc0eagxgKTkqWOgc3w@mail.gmail.com>
References: <[email protected]>
<[email protected]>
<CA+TgmoY8RCvkWWVgHWAEvNq=M-M4Jz49jc0eagxgKTkqWOgc3w@mail.gmail.com>
On Sat, Mar 30, 2024 at 04:50:26PM -0400, Robert Haas wrote:
> An awful lot of what we do operates on the principle that we know the
> people who are involved and trust them, and I'm glad we do trust them,
> but the world is full of people who trusted somebody too much and
> regretted it afterwards. The fact that we have many committers rather
> than a single maintainer probably reduces risk at least as far as the
> source repository is concerned, because there are more people paying
> attention to potentially notice something that isn't as it should be.
One unwritten requirement for committers is that we are able to
communicate with them securely. If we cannot do that, they potentially
could be forced by others, e.g., governments, to add code to our
repositories.
Unfortunately, there is on good way for them to communicate with us
securely once they are unable to communicate with us securely. I
suppose some special word could be used to communicate that status ---
that is how it was done in non-electronic communication in the past.
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
view thread (14+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Security lessons from liblzma
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox