Received: from localhost (maia-4.hub.org [200.46.204.183]) by postgresql.org (Postfix) with ESMTP id 8FDCC9FA06E for ; Mon, 5 Feb 2007 16:00:13 -0400 (AST)
Received: from postgresql.org ([200.46.204.71]) by localhost (mx1.hub.org [200.46.204.183]) (amavisd-new, port 10024) with ESMTP id 23995-02 for ; Mon, 5 Feb 2007 16:00:04 -0400 (AST)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.4
Received: from cronos.madness.at (madness.at [217.196.146.217]) by postgresql.org (Postfix) with ESMTP id 82B129FA440 for ; Mon, 5 Feb 2007 16:00:04 -0400 (AST)
Received: from mastermind.kaltenbrunner.cc ([83.215.233.60]) by cronos.madness.at with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.62 (FreeBSD)) (envelope-from ) id 1HEA0G-000ORA-Ef; Mon, 05 Feb 2007 21:00:03 +0100
Message-ID: <45C78CB7.9090403@kaltenbrunner.cc>
Date: Mon, 05 Feb 2007 20:59:51 +0100
From: Stefan Kaltenbrunner
User-Agent: Icedove 1.5.0.9 (X11/20061220)
MIME-Version: 1.0
To: Josh Berkus
CC: pgsql-www@postgresql.org
Subject: Re: How to coordinate web team for security releases?
References: <200702051128.13819.josh@agliodbs.com> <45C789B3.1010304@kaltenbrunner.cc> <200702051151.30474.josh@agliodbs.com>
In-Reply-To: <200702051151.30474.josh@agliodbs.com>
X-Enigmail-Version: 0.94.1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Archive-Number: 200702/28
X-Sequence-Number: 11433

Josh Berkus wrote:
> Stefan,
>
>> Well, not that it is closely related to the -www issue, but the fix/patch
>> will end up on anoncvs/viewcvs days before the release too (and will get
>> published including the Security: tag and the commit message there and
>> distributed to the buildfarm boxes at least).
>> So to keep it really under the hood would probably be quite difficult to
>> do.
>
> Actually, we were discussing mechanisms to change that on -core. Suggestions
> are welcome.
> Mostly we just want to keep a tight lid on security exploit
> information until the day of release.

Yeah, I understand the reasoning - but given the rather distributed nature of the postgresql infrastructure I guess it might be very difficult, if not impossible, to get down to less than 72 or 48 hours. One needs that time to commit the patch and probably wait for at least one round of buildfarm results, tag all the affected branches and build the tarballs, and finally all the packagers need to build at least the most important binary packages.

Stefan