MIME-Version: 1.0
References: 
 <CAMaW3VhRaUvSi_mR+_th7b=LQ3NZ-=Kg_aqTmAQpRXhC9zoDJg@mail.gmail.com>
 <CABUevEyiDjSY3iR6V-3EWqRmpgX490uVoxKWzCFXJUD5NOUvKQ@mail.gmail.com>
 <CAMaW3VgFmQH6Qz_5rE3mmGrSqNXk-0T0z_czufZOnMai2Yo61w@mail.gmail.com>
 <7F99AF5A-8D5D-47A3-B238-4E34004C3DFE@yesql.se>
 <CAMaW3VhQ-tfc6cHx=QxLgDsWHYFccZPz=JOq87frnkaANmPggw@mail.gmail.com>
 <433F3C16-B91E-45D1-8C5A-E1AAEAA2541C@yesql.se>
In-Reply-To: <433F3C16-B91E-45D1-8C5A-E1AAEAA2541C@yesql.se>
From: Akshat Jaimini <destrex271@gmail.com>
Date: Fri, 6 Oct 2023 22:42:28 +0530
Message-ID: 
 <CAMaW3ViOZYfxYMTYVHLOZHhVejSQ-BA0_X8hAmwwAPkxuVVObg@mail.gmail.com>
Subject: Re: Permission to allow testing harness to send error reports for
 pgweb directly to mailing list.
To: Daniel Gustafsson <daniel@yesql.se>, pgsql-www@lists.postgresql.org,
	Magnus Hagander <magnus@hagander.net>
Content-Type: multipart/alternative; boundary="00000000000007a76906070f59ba"
Archived-At: 
 <https://www.postgresql.org/message-id/CAMaW3ViOZYfxYMTYVHLOZHhVejSQ-BA0_X8hAmwwAPkxuVVObg%40mail.gmail.com>
Precedence: bulk

--00000000000007a76906070f59ba
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

> I clicked through the linked repo but I was unable to see an example
testrun.
 You can find the reports here:
https://github.com/destrex271/pgweb-testing-harness/actions/runs/6189299124
. You can check the 'report', 'test-log' and 'failure_logs' artifacts, the
other ones are experimental for now.

> For tests like that we must really think about scope, limiting the report
isn't useful if we publish the tests for anyone to run themselves and thus
generate the report.
> Malicious actors are no doubt probing the website continuously regardless
of this, but we don't necessarily need to do the job for them.

Oh yes, that is a valid point, I guess we might need to separate these
tests then in some private repo? I don't know if this is possible though
but we can think of some other approaches. Because if we keep those tests
publicly available that will just create more problems for us, as you
mentioned in your reply.

I'll try to find more approaches to this because the private repository
does not seem to go with the idea of open source. I might be wrong about
this, so please let me know if I am wrong.

Regards,
Akshat Jaimini

On Fri, Oct 6, 2023 at 6:09=E2=80=AFPM Daniel Gustafsson <daniel@yesql.se> =
wrote:

> > On 6 Oct 2023, at 08:05, Akshat Jaimini <destrex271@gmail.com> wrote:
> >
> > > Publishing this report to a website would handle that I think.
> > I had sent a proposal/tried to start a discussion for this a few days
> earlier
>
> It would probably help if you could link to a report from a run of the te=
st
> suite.  I clicked through the linked repo but I was unable to see an
> example
> testrun.
>
> > > One question, would this test harness detect and report potential
> security issues like XSS?
> > Security related tests were not added in the Gsoc timeline but we are
> planning to add them. Maybe when we add those tests we can create a
> separate section on the proposed website only available to some 'admins'
> with all these sensitive reports being displayed there.
>
> For tests like that we must really think about scope, limiting the report
> isn't
> useful if we publish the tests for anyone to run themselves and thus
> generate
> the report.  Malicious actors are no doubt probing the website continuous=
ly
> regardless of this, but we don't necessarily need to do the job for them.
>
> --
> Daniel Gustafsson

--00000000000007a76906070f59ba
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><span class=3D"gmail-im"><div>&gt; I clic=
ked through the linked repo but I was unable to see an example testrun.=C2=
=A0</div></span><div>=C2=A0You can find the reports here:=C2=A0<a href=3D"h=
ttps://github.com/destrex271/pgweb-testing-harness/actions/runs/6189299124"=
 target=3D"_blank">https://github.com/destrex271/pgweb-testing-harness/acti=
ons/runs/6189299124</a> . You can check the &#39;report&#39;, &#39;test-log=
&#39; and &#39;failure_logs&#39; artifacts, the other ones are experimental=
 for now.</div><span class=3D"gmail-im"><div><br></div><div>&gt;
 For tests like that we must really think about scope, limiting the=20
report isn&#39;t useful if we publish the tests for anyone to run themselve=
s
 and thus generate the report.=C2=A0</div><div>&gt; Malicious actors are no=
=20
doubt probing the website continuously regardless of this, but we don&#39;t=
=20
necessarily need to do the job for them.</div><div><br></div></span><div>Oh
 yes, that is a valid point, I guess we might need to separate these=20
tests then in some private repo? I don&#39;t know if this is possible thoug=
h
 but we can think of some other approaches. Because if we keep those=20
tests publicly available that will just create more problems for us,=C2=A0a=
s=20
you mentioned in your reply.</div><div><br></div><div>I&#39;ll try to find=
=20
more approaches to this because the private repository does not seem to=20
go with the idea of open source. I might be wrong about this, so please=20
let me know if I am wrong.</div><div><br></div><div>Regards,</div><div>Aksh=
at Jaimini</div></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr"=
 class=3D"gmail_attr">On Fri, Oct 6, 2023 at 6:09=E2=80=AFPM Daniel Gustafs=
son &lt;<a href=3D"mailto:daniel@yesql.se">daniel@yesql.se</a>&gt; wrote:<b=
r></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;border-left:1px solid rgb(204,204,204);padding-left:1ex">&gt; On 6 Oct 202=
3, at 08:05, Akshat Jaimini &lt;<a href=3D"mailto:destrex271@gmail.com" tar=
get=3D"_blank">destrex271@gmail.com</a>&gt; wrote:<br>
&gt; <br>
&gt; &gt; Publishing this report to a website would handle that I think.<br=
>
&gt; I had sent a proposal/tried to start a discussion for this a few days =
earlier<br>
<br>
It would probably help if you could link to a report from a run of the test=
<br>
suite.=C2=A0 I clicked through the linked repo but I was unable to see an e=
xample<br>
testrun.<br>
<br>
&gt; &gt; One question, would this test harness detect and report potential=
 security issues like XSS?<br>
&gt; Security related tests were not added in the Gsoc timeline but we are =
planning to add them. Maybe when we add those tests we can create a separat=
e section on the proposed website only available to some &#39;admins&#39; w=
ith all these sensitive reports being displayed there.<br>
<br>
For tests like that we must really think about scope, limiting the report i=
sn&#39;t<br>
useful if we publish the tests for anyone to run themselves and thus genera=
te<br>
the report.=C2=A0 Malicious actors are no doubt probing the website continu=
ously<br>
regardless of this, but we don&#39;t necessarily need to do the job for the=
m.<br>
<br>
--<br>
Daniel Gustafsson</blockquote></div>

--00000000000007a76906070f59ba--