From: Akshat Jaimini <destrex271@gmail.com>
Date: Tue, 10 Oct 2023 18:15:00 +0530
Subject: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
To: Daniel Gustafsson <daniel@yesql.se>
Cc: pgsql-www@lists.postgresql.org, Magnus Hagander

> Security teams and security processes generally operate behind closed doors, to avoid leaking vulnerabilities before they can be patched, and then publish their work and findings once there is a remedy.

Ok! So we can then proceed with a private repository maybe? We can fork the CI setup from the current testing harness and just add the respective security tests. The generated report can then be accessed by the security team/any concerned individuals in the deployment team. I'd be happy to host this repo if needed for now.

> Thanks, that was a bit hidden

Yup, this is one of my main concerns with only relying on GitHub Actions; also, there are multiple runs for the monitoring cron job as well, so these test runs usually get lost in the list. As a temporary solution I had added the GitHub Actions run URL in the email being sent, with the reports attached to that email.

I have started working on the website to view these reports, will be sharing the development prototype URL shortly.

Regards,
Akshat Jaimini

On Mon, Oct 9, 2023 at 6:12 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> > On 6 Oct 2023, at 19:12, Akshat Jaimini <destrex271@gmail.com> wrote:
> >
> > You can find the reports here: https://github.com/destrex271/pgweb-testing-harness/actions/runs/6189299124 . You can check the 'report', 'test-log' and 'failure_logs' artifacts, the other ones are experimental for now.
>
> Thanks, that was a bit hidden (which is a Github UI issue and not something
> against this work).
>
> > I'll try to find more approaches to this because the private repository does not seem to go with the idea of open source. I might be wrong about this, so please let me know if I am wrong.
>
> Just because a project is open source doesn't mean that everything about it
> needs to be done in public. Security teams and security processes generally
> operate behind closed doors, to avoid leaking vulnerabilities before they can
> be patched, and then publish their work and findings once there is a remedy
> (either as an advisory with a CVE or some other form).
>
> --
> Daniel Gustafsson