Subject: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
From: Daniel Gustafsson
Date: Fri, 6 Oct 2023 14:38:35 +0200
To: Akshat Jaimini
Cc: pgsql-www@lists.postgresql.org, Magnus Hagander
Message-Id: <433F3C16-B91E-45D1-8C5A-E1AAEAA2541C@yesql.se>
References: <7F99AF5A-8D5D-47A3-B238-4E34004C3DFE@yesql.se>

> On 6 Oct 2023, at 08:05, Akshat Jaimini wrote:
>
> > Publishing this report to a website would handle that I think.
> I had sent a proposal/tried to start a discussion for this a few days earlier

It would probably help if you could link to a report from a run of the test suite. I clicked through the linked repo but I was unable to see an example test run.

> > One question, would this test harness detect and report potential security issues like XSS?
> Security-related tests were not added in the GSoC timeline but we are planning to add them. Maybe when we add those tests we can create a separate section on the proposed website only available to some 'admins' with all these sensitive reports being displayed there.

For tests like that we must really think about scope; limiting the report isn't useful if we publish the tests for anyone to run themselves and thus generate the report. Malicious actors are no doubt probing the website continuously regardless of this, but we don't necessarily need to do the job for them.

--
Daniel Gustafsson