Discussion: recent security activity


recent security activity

From
Thomas O'Connell
Date:
does the recent security activity, including several reported exploits 
and patches, as well as the mention of creation of an audit team merit 
the creation of a new pgsql-security list?

as someone working with a paranoid sysadmin, i'd find it to be of use...

any thoughts? would there be sufficient traffic? maybe the list would 
actually _help_ generate traffic?

-tfo


Re: recent security activity

From
Greg Copeland
Date:
I think that's an excellent idea.  It would allow people to subscribe to
what would seemingly be a low volume mailing list and still be alerted
to possible issues they should be aware of.

Sign,
Greg Copeland



On Thu, 2002-08-22 at 11:05, Thomas O'Connell wrote:
> does the recent security activity, including several reported exploits
> and patches, as well as the mention of creation of an audit team merit
> the creation of a new pgsql-security list?
>
> as someone working with a paranoid sysadmin, i'd find it to be of use...
>
> any thoughts? would there be sufficient traffic? maybe the list would
> actually _help_ generate traffic?
>
> -tfo


Re: recent security activity

From
Neil Conway
Date:
Greg Copeland <greg@CopelandConsulting.Net> writes:
> I think that's an excellent idea.  It would allow people to subscribe to
> what would seemingly be a low volume mailing list and still be alerted
> to possible issues they should be aware of.

Would the purpose of the list be for publicizing vulnerabilities and
patches, or for the discussion of potential security problems, code
auditing, and related development activity?

If the former, I think pgsql-announce is adequate for that purpose. If
the latter, I'd rather see that kind of discussion on -hackers, so
that other developers are aware of what's going on.

Cheers,

Neil

-- 
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC



Re: recent security activity

From
Tom Lane
Date:
Neil Conway <neilc@samurai.com> writes:
> Would the purpose of the list be for publicizing vulnerabilities and
> patches, or for the discussion of potential security problems, code
> auditing, and related development activity?

> If the former, I think pgsql-announce is adequate for that purpose. If
> the latter, I'd rather see that kind of discussion on -hackers, so
> that other developers are aware of what's going on.

Also worth noting in this connection: if someone wants to report a
security issue to the developers *without* publicizing it (as used to
be considered good form), you can send to the pgsql-core mailing list.
This goes to just the core committee members and is not archived anywhere
public.

I tend to agree with Neil that a separate -security list isn't needed,
but will not stand in the way if there's sufficient interest.
        regards, tom lane


Re: recent security activity

From
Greg Copeland
Date:
I assumed it would be for patches and security alerts with followups as
needed.

I can see where use of announce can serve this purpose, however, if
someone is solely interested in the security advisory aspects, they may
not care about the announcement-of-the-day.

Just food for thought.  I can see why you wouldn't want another
list..otoh, I can see where someone may not want to monitor announce for
the sole purpose of watching for security advisories and patches.

Perhaps the use of "[SECURITY]" in the subject, or some such item, would
better address the issue and simply continue to use announce?  That way,
MUA filters can easily be used to find and highlight items of interest.


Greg



On Thu, 2002-08-22 at 17:48, Neil Conway wrote:
> Greg Copeland <greg@CopelandConsulting.Net> writes:
> > I think that's an excellent idea.  It would allow people to subscribe to
> > what would seemingly be a low volume mailing list and still be alerted
> > to possible issues they should be aware of.
>
> Would the purpose of the list be for publicizing vulnerabilities and
> patches, or for the discussion of potential security problems, code
> auditing, and related development activity?
>
> If the former, I think pgsql-announce is adequate for that purpose. If
> the latter, I'd rather see that kind of discussion on -hackers, so
> that other developers are aware of what's going on.
>