Devrim GUNDUZ <devrim@CommandPrompt.com> writes:
> * Upload the new tarballs to a private area (instead of public FTP site)
> so that only packagers and other related people can download them to
> build the packages, etc.
We're not going to be able to make things really water-tight unless we
are willing to close off CVS somehow; which is not an idea I favor.
So I'm not particularly concerned about hiding tarballs --- especially
since that's not something we'd do in a normal, non-security release
cycle. As I said before, keeping it off the mailing lists is probably
sufficient, and in any case has to be our first goal before we start
worrying about any more-invasive procedural changes.
regards, tom lane