Re: How to coordinate web team for security releases?

From: Dave Page <dpage(at)postgresql(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: David Fetter <david(at)fetter(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-www(at)postgresql(dot)org, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>
Subject: Re: How to coordinate web team for security releases?
Date: 2007-02-05 21:58:25
Message-ID: 45C7A881.10303@postgresql.org
Lists: pgsql-www

Tom Lane wrote:
>
> I see the leakage points in this case as being
>
> * Dave (and Devrim too) making commits that made it obvious something
> was afoot. They could and should have used the Security: filter that
> Marc set up to cause those messages to be held for moderator approval.

The pgInstaller CVS for sure - but that wouldn't have worked for the SVN
repo the docs are in. The messages from there go to pgadmin-hackers, so
I'm not quite so keen to keyword filter there unless the regexp is a
little more precise.

Marc; a commit message there might look like (without the lines):

=================================================================
Author: dpage

Date: 2007-02-05 20:28:43 +0000 (Mon, 05 Feb 2007)

New Revision: 5906

Revision summary:
http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=5906&view=rev

Log:
Add a guru hint to warn the user of the consequences of storing
passwords, per Tony Caduto.
=================================================================

Can you hold messages to pgadmin-hackers with, say:
"view=rev\n\nLog:\nSecurity: " ?

> * Josh using pgsql-www to notify the web team. I had had the idea that
> pgsql-www was supposed to be closed-subscription, so I didn't think
> anything of it at the time, but that's evidently wrong. Fixing that
> leak is the point of this discussion.

No, we got lots of flak over it being closed so eventually gave up and
made it 'by approval' and then completely open.

-packagers will work though - can we get David Fetter subscribed, and my
own address approved if it still hasn't been. On a related note, I'm also not
sure if Hiroshi Saito (z-saito(at)guitar(dot)ocn(dot)ne(dot)jp) is subscribed (he
packages win32-ja) - if not, can we sort that at the same time please?

Regards, Dave.
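
An added example, not part of the original message and not the list's actual filter configuration: a Python version of the hold rule asked about above, comparing the anchored "Security: " pattern with a loose keyword match on constructed commit mails. The function names, the sample log texts, and the tolerance for CRLF line endings and extra blank lines are assumptions.

```python
import re

# Anchored pattern modelled on the one proposed in the message: the text
# "Security: " must open the log message, directly after the revision URL.
# \r?\n tolerates CRLF mail bodies; \s* tolerates extra blank lines.
HOLD_RE = re.compile(r"view=rev\s*\r?\nLog:[ \t]*\r?\nSecurity: ")
# Loose keyword filter, for comparison only.
LOOSE_RE = re.compile(r"security", re.IGNORECASE)


def build_mail(log_text, rev=5906, eol="\n"):
    """Build a constructed commit notification in the layout shown above."""
    lines = [
        "Author: dpage",
        "",
        "New Revision: %d" % rev,
        "",
        "Revision summary:",
        "http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=%d&view=rev" % rev,
        "",
        "Log:",
    ] + log_text.split("\n")
    return eol.join(lines) + eol


def should_hold(body):
    """True when the commit mail should wait for moderator approval."""
    return HOLD_RE.search(body) is not None


# Constructed sample log messages (not real commits).
SAMPLES = {
    "tagged": "Security: placeholder log text for an embargoed fix.",
    "mention": "Add a guru hint about password storage and security.",
    "mid_log": "Tidy the docs.\nSecurity: this line is not first in the log.",
}

if __name__ == "__main__":
    # Columns: sample name, anchored rule holds it, loose keyword matches it.
    for name, log in SAMPLES.items():
        body = build_mail(log)
        print(name, should_hold(body), bool(LOOSE_RE.search(body)))
```

Only the "tagged" sample is held by the anchored rule, while the loose keyword match would hold all three, including ordinary commits that merely mention security.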
