public inbox for [email protected]
From: Tom Lane <[email protected]>
To: David Fetter <[email protected]>
Cc: Josh Berkus <[email protected]>
Cc: [email protected]
Subject: Re: How to coordinate web team for security releases?
Date: Mon, 05 Feb 2007 16:38:37 -0500
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]> <[email protected]>
David Fetter <[email protected]> writes:
> I think we need to separate this into two issues:
> 1. Publishing vulnerabilities only after we've distributed the fix, and
> 2. Publishing the fact that a minor point release is on its way in
> order that organizations be able to schedule upgrades.
We already have a solution to #2, which is to say the private
pgsql-packagers mail list.
Usually, we also let pgsql-hackers know of a planned release cycle, but
since this one was so soon after the last one, it would've been pretty
obvious that a security issue was driving it.
I see the leakage points in this case as being
* Dave (and Devrim too) making commits that made it obvious something
was afoot. They could and should have used the Security: filter that
Marc set up to cause those messages to be held for moderator approval.
* Josh using pgsql-www to notify the web team. I had had the idea that
pgsql-www was supposed to be closed-subscription, so I didn't think
anything of it at the time, but that's evidently wrong. Fixing that
leak is the point of this discussion.
Note that we did all right in terms of not leaking the details of the
problems; it was just the fact of a pending release that got out.
So for a first try in this direction it wasn't bad. But let's try to
improve matters for next time...
regards, tom lane