Received: from localhost (maia-4.hub.org [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id 81F7A9FB2FD for ; Mon, 5 Feb 2007 17:38:44 -0400 (AST)
Received: from postgresql.org ([200.46.204.71]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-new, port 10024) with ESMTP id 44034-07 for ; Mon, 5 Feb 2007 17:38:41 -0400 (AST)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.4
Received: from sss.pgh.pa.us (sss.pgh.pa.us [66.207.139.130]) by postgresql.org (Postfix) with ESMTP id 81F229FB249 for ; Mon, 5 Feb 2007 17:38:41 -0400 (AST)
Received: from sss2.sss.pgh.pa.us (tgl@localhost [127.0.0.1]) by sss.pgh.pa.us (8.13.6/8.13.6) with ESMTP id l15Lcbbq020477; Mon, 5 Feb 2007 16:38:37 -0500 (EST)
To: David Fetter
cc: Josh Berkus, pgsql-www@postgresql.org
Subject: Re: How to coordinate web team for security releases?
In-reply-to: <20070205210315.GA7988@fetter.org>
References: <200702051128.13819.josh@agliodbs.com> <20070205210315.GA7988@fetter.org>
Comments: In-reply-to David Fetter message dated "Mon, 05 Feb 2007 13:03:15 -0800"
Date: Mon, 05 Feb 2007 16:38:37 -0500
Message-ID: <20476.1170711517@sss.pgh.pa.us>
From: Tom Lane
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Archive-Number: 200702/49
X-Sequence-Number: 11454

David Fetter writes:
> I think we need to separate this into two issues:
> 1. Publishing vulnerabilities only after we've distributed the fix, and
> 2. Publishing the fact that a minor point release is on its way in
>    order that organizations be able to schedule upgrades.

We already have a solution to #2, which is to say the private pgsql-packagers mail list. Usually, we also let pgsql-hackers know of a planned release cycle, but since this one was so soon after the last one, it would've been pretty obvious that a security issue was driving it.

I see the leakage points in this case as being

* Dave (and Devrim too) making commits that made it obvious something was afoot. They could and should have used the Security: filter that Marc set up to cause those messages to be held for moderator approval.

* Josh using pgsql-www to notify the web team. I had had the idea that pgsql-www was supposed to be closed-subscription, so I didn't think anything of it at the time, but that's evidently wrong. Fixing that leak is the point of this discussion.

Note that we did all right in terms of not leaking the details of the problems; it was just the fact of a pending release that got out. So for a first try in this direction it wasn't bad. But let's try to improve matters for next time...

regards, tom lane