recent security activity

Started by Thomas O'Connell over 23 years ago, 5 messages
#1 Thomas O'Connell
tfo@monsterlabs.com

does the recent security activity, including several reported exploits
and patches, as well as the mention of creation of an audit team merit
the creation of a new pgsql-security list?

as someone working with a paranoid sysadmin, i'd find it to be of use...

any thoughts? would there be sufficient traffic? maybe the list would
actually _help_ generate traffic?

-tfo

#2 Greg Copeland
greg@CopelandConsulting.Net
In reply to: Thomas O'Connell (#1)
Re: recent security activity

I think that's an excellent idea. It would allow people to subscribe to
what would seemingly be a low volume mailing list and still be alerted
to possible issues they should be aware of.

Sign,

Greg Copeland


On Thu, 2002-08-22 at 11:05, Thomas O'Connell wrote:

does the recent security activity, including several reported exploits
and patches, as well as the mention of creation of an audit team merit
the creation of a new pgsql-security list?

as someone working with a paranoid sysadmin, i'd find it to be of use...

any thoughts? would there be sufficient traffic? maybe the list would
actually _help_ generate traffic?

-tfo


#3 Neil Conway
neilc@samurai.com
In reply to: Greg Copeland (#2)
Re: recent security activity

Greg Copeland <greg@CopelandConsulting.Net> writes:

I think that's an excellent idea. It would allow people to subscribe to
what would seemingly be a low volume mailing list and still be alerted
to possible issues they should be aware of.

Would the purpose of the list be for publicizing vulnerabilities and
patches, or for the discussion of potential security problems, code
auditing, and related development activity?

If the former, I think pgsql-announce is adequate for that purpose. If
the latter, I'd rather see that kind of discussion on -hackers, so
that other developers are aware of what's going on.

Cheers,

Neil

--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Neil Conway (#3)
Re: recent security activity

Neil Conway <neilc@samurai.com> writes:

Would the purpose of the list be for publicizing vulnerabilities and
patches, or for the discussion of potential security problems, code
auditing, and related development activity?

If the former, I think pgsql-announce is adequate for that purpose. If
the latter, I'd rather see that kind of discussion on -hackers, so
that other developers are aware of what's going on.

Also worth noting in this connection: if someone wants to report a
security issue to the developers *without* publicizing it (as used to
be considered good form), you can send to the pgsql-core mailing list.
This goes to just the core committee members and is not archived anywhere
public.

I tend to agree with Neil that a separate -security list isn't needed,
but will not stand in the way if there's sufficient interest.

regards, tom lane

#5 Greg Copeland
greg@CopelandConsulting.Net
In reply to: Neil Conway (#3)
Re: recent security activity

I assumed it would be for patches and security alerts with followups as
needed.

I can see where use of announce can serve this purpose, however, if
someone is solely interested in the security advisory aspects, they may
not care about the announcement-of-the-day.

Just food for thought. I can see why you wouldn't want another
list... otoh, I can see where someone may not want to monitor announce for
the sole purpose of watching for security advisories and patches.

Perhaps the use of "[SECURITY]" in the subject, or some such item, would
better address the issue and simply continue to use announce? That way,
MUA filters can easily be used to find and highlight items of interest.

Greg


On Thu, 2002-08-22 at 17:48, Neil Conway wrote:

Greg Copeland <greg@CopelandConsulting.Net> writes:

I think that's an excellent idea. It would allow people to subscribe to
what would seemingly be a low volume mailing list and still be alerted
to possible issues they should be aware of.

Would the purpose of the list be for publicizing vulnerabilities and
patches, or for the discussion of potential security problems, code
auditing, and related development activity?

If the former, I think pgsql-announce is adequate for that purpose. If
the latter, I'd rather see that kind of discussion on -hackers, so
that other developers are aware of what's going on.