Re: How to coordinate web team for security releases?

David Fetter <david(at)fetter(dot)org> writes:
> I think we need to separate this into two issues:

> 1. Publishing vulnerabilities only after we've distributed the fix, and

> 2. Publishing the fact that a minor point release is on its way in
> order that organizations be able to schedule upgrades.

We already have a solution to #2, which is to say the private
pgsql-packagers mail list.

Usually, we also let pgsql-hackers know of a planned release cycle, but
since this one was so soon after the last one, it would've been pretty
obvious that a security issue was driving it.

I see the leakage points in this case as being

* Dave (and Devrim too) making commits that made it obvious something
was afoot. They could and should have used the Security: filter that
Marc set up to cause those messages to be held for moderator approval.

* Josh using pgsql-www to notify the web team. I had had the idea that
pgsql-www was supposed to be closed-subscription, so I didn't think
anything of it at the time, but that's evidently wrong. Fixing that
leak is the point of this discussion.

Note that we did all right in terms of not leaking the details of the
problems; it was just the fact of a pending release that got out.
So for a first try in this direction it wasn't bad. But let's try to
improve matters for next time...

regards, tom lane