From: Akshat Jaimini
Date: Fri, 6 Oct 2023 11:35:01 +0530
Subject: Re: Permission to allow testing harness to send error reports for pgweb directly to mailing list.
To: Daniel Gustafsson, pgsql-www@lists.postgresql.org, Magnus Hagander

> Publishing this report to a website would handle that I think.

I had sent a proposal/tried to start a discussion for this a few days earlier: https://www.postgresql.org/message-id/CAMaW3Vg%2BGoQ3JPNo%2BfbLk9ajQv%3D4g4J-bzSAH0OJL7S71_qMig%40mail.gmail.com

It would actually make the reporting mechanism a lot easier if we can publish the results to a website. I am currently working on a small prototype in golang. Currently the reports are being stored as artifacts on GitHub Actions (only available for 90 days), but we can use services like Supabase etc. to store our reports and present them on the website. Once we integrate Supabase we can get rid of GitHub artifacts for good.

> One question, would this test harness detect and report potential security issues like XSS?

Security related tests were not added in the GSoC timeline but we are planning to add them. Maybe when we add those tests we can create a separate section on the proposed website only available to some 'admins' with all these sensitive reports being displayed there.

We can actually benefit from some more discussion on this.

Regards,
Akshat Jaimini

On Thu, Oct 5, 2023 at 8:32 PM Daniel Gustafsson wrote:
>
> > On 3 Oct 2023, at 21:30, Akshat Jaimini wrote:
> >
> > > That is, if it finds the same issue on a later run, it must not re-send the same thing. How does it work in regards to that today?
> >
> > As per the current flow whenever a new commit is pushed to the pgweb repo, the tests are executed. If some tests fail, an error report is sent with the information of all the failed tests. So if that particular issue has been resolved, the same report won't be sent but if some other commit is pushed without resolving that particular issue then that particular error will be reported again.
>
> That doesn't seem terribly great, while bugs and errors should be fixed when found, sending reports of them repeatedly risks reporting fatigue. Publishing this report to a website would handle that I think.
>
> One question, would this test harness detect and report potential security issues like XSS? If so we should probably limit the audience of the report..
>
> --
> Daniel Gustafsson
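The de-duplication the thread asks for (do not re-send a failure already reported on an earlier run, but do report it again once it has been fixed and then regresses), as an added example in Go; this is not code from pgweb or from the GSoC harness, and the Failure shape, Fingerprint and Reporter names are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Failure is one failed check (hypothetical shape, not pgweb's own): check
// name, page, and a message normalized to exclude timestamps or commit SHAs.
type Failure struct{ Test, Page, Message string }

// Fingerprint maps the same issue found on a later run to the same key.
func Fingerprint(f Failure) string {
	sum := sha256.Sum256([]byte(f.Test + "\x00" + f.Page + "\x00" + f.Message))
	return fmt.Sprintf("%x", sum[:8])
}

// Reporter remembers which fingerprints are open (already reported).
type Reporter struct{ open map[string]Failure }

func NewReporter() *Reporter { return &Reporter{open: map[string]Failure{}} }

// Process returns only the failures of this run that were not yet reported.
// Fingerprints absent from this run are treated as fixed and forgotten, so a
// regression is reported again rather than silenced for good.
func (r *Reporter) Process(run []Failure) []Failure {
	seen := map[string]bool{}
	fresh := []Failure{}
	for _, f := range run {
		key := Fingerprint(f)
		seen[key] = true
		if _, already := r.open[key]; !already {
			r.open[key] = f
			fresh = append(fresh, f)
		}
	}
	for key := range r.open {
		if !seen[key] {
			delete(r.open, key)
		}
	}
	return fresh
}

func main() {
	// Constructed runs: commit 1 fails two checks, commit 2 fixes one,
	// commit 3 reintroduces it. Expect 2, 0 and 1 new failures to report.
	r := NewReporter()
	a := Failure{"link-check", "/docs/", "404 for /docs/missing"}
	b := Failure{"html-valid", "/about/", "unclosed <div>"}
	for _, run := range [][]Failure{{a, b}, {a}, {a, b}} {
		fmt.Println(len(r.Process(run)))
	}
}
```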