From: Dave Page
Date: Mon, 05 Feb 2007 21:58:25 +0000
To: Tom Lane
CC: David Fetter, Josh Berkus, pgsql-www@postgresql.org, "Marc G. Fournier"
Subject: Re: How to coordinate web team for security releases?
Message-ID: <45C7A881.10303@postgresql.org>
References: <200702051128.13819.josh@agliodbs.com> <20070205210315.GA7988@fetter.org> <20476.1170711517@sss.pgh.pa.us>
In-Reply-To: <20476.1170711517@sss.pgh.pa.us>

Tom Lane wrote:
>
> I see the leakage points in this case as being
>
> * Dave (and Devrim too) making commits that made it obvious something
> was afoot. They could and should have used the Security: filter that
> Marc set up to cause those messages to be held for moderator approval.

The pgInstaller CVS for sure - but that wouldn't have worked for the SVN repo the docs are in. The messages from there go to pgadmin-hackers, so I'm not quite so keen to keyword filter there unless the regexp is a little more precise. Marc: a commit message there might look like (without the lines):

=================================================================
Author: dpage
Date: 2007-02-05 20:28:43 +0000 (Mon, 05 Feb 2007)
New Revision: 5906

Revision summary: http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=5906&view=rev

Log:
Add a guru hint to warn the user of the consequences of storing passwords, per Tony Caduto.
=================================================================

Can you hold messages to pgadmin-hackers with say: "view=rev\n\nLog:\nSecurity: " ?

> * Josh using pgsql-www to notify the web team. I had had the idea that
> pgsql-www was supposed to be closed-subscription, so I didn't think
> anything of it at the time, but that's evidently wrong. Fixing that
> leak is the point of this discussion.

No, we got lots of flak over it being closed so eventually gave up and made it 'by approval' and then completely open. -packagers will work though - can we get David Fetter subscribed, and my own address approved if it still hasn't been.

On a related note, I'm also not sure if Hiroshi Saito (z-saito@guitar.ocn.ne.jp) is subscribed (he packages win32-ja) - if not, can we sort that at the same time please?

Regards, Dave.
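As an added illustration of the commit-mail filter discussed in the message above (example code written for this page, not code from the thread or from the PostgreSQL/pgAdmin list software; the parsing approach and the sample messages are constructed), here is a Python check that holds a pgadmin-hackers commit mail for moderation only when its Log section begins with "Security:", so an ordinary post that merely mentions the keyword passes through.

```python
import re
from typing import Optional

# Layout of an SVN commit mail to pgadmin-hackers, as shown in the message above:
# Author/Date/New Revision header lines, a "Revision summary:" URL ending in
# "view=rev", a blank line, then "Log:" and the log text.
COMMIT_MAIL = re.compile(
    r"^Author: (?P<author>[^\n]+)\n"
    r"Date: (?P<date>[^\n]+)\n"
    r"New Revision: (?P<rev>\d+)\n\n"
    r"Revision summary: (?P<url>\S+view=rev)\n\n"
    r"Log:\n(?P<log>.*)",
    re.DOTALL | re.MULTILINE,
)

def parse_commit_mail(message: str) -> Optional[dict]:
    """Return the commit mail's fields, or None if the text is not a commit mail."""
    m = COMMIT_MAIL.search(message.replace("\r\n", "\n"))  # tolerate CRLF mails
    return m.groupdict() if m else None

def should_hold(message: str) -> bool:
    """Hold for moderator approval only when a commit mail's Log starts with
    'Security:'; a post that merely mentions the keyword is passed through."""
    fields = parse_commit_mail(message)
    return fields is not None and fields["log"].lstrip().startswith("Security:")

# Constructed samples. The first reproduces the commit mail quoted above.
ORDINARY_COMMIT = """Author: dpage
Date: 2007-02-05 20:28:43 +0000 (Mon, 05 Feb 2007)
New Revision: 5906

Revision summary: http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=5906&view=rev

Log:
Add a guru hint to warn the user of the consequences of storing passwords, per Tony Caduto.
"""
# Same layout with the agreed keyword; revision 9999 is a placeholder, not real.
SECURITY_COMMIT = (ORDINARY_COMMIT.split("Log:\n")[0].replace("5906", "9999")
                   + "Log:\nSecurity: fix an embargoed issue; details withheld until release.\n")
# A human-written post quoting the keyword, which must not be held.
DISCUSSION_POST = "Log:\nSecurity: is what Marc's filter looks for, I think.\n"

if __name__ == "__main__":
    for name, msg in [("ordinary", ORDINARY_COMMIT), ("security", SECURITY_COMMIT),
                      ("discussion", DISCUSSION_POST)]:
        print(f"{name}: {'hold' if should_hold(msg) else 'pass'}")
```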