Обсуждение: How to coordinate web team for security releases?
WWW core team, I need a way to coordinate with you around preparing postgresql.org for upcoming releases, especially for security releases where it's critical that the timing be tight. Due to some issues with this last release, pgsql-www obviously isn't the right venue. What I need is a non-public list for this, so that I can ask for web site changes 3-4 days ahead without it becoming a news item. I can think of two means: 1) I'm about to create a "contacts" ML for the regional contacts and regionalized website maintainers to give them advanced but non-public notice of upcoming releases in the future. Magnus, Robert, Devrim, etc. could be subscribded to that; in fact, Magnus and Devrim will be as RCs. 2) I could sent it to slaves-to-the-www. 3) Something else. Thoughts? -- Josh Berkus PostgreSQL @ Sun San Francisco
Josh Berkus wrote: > WWW core team, > > I need a way to coordinate with you around preparing postgresql.org for > upcoming releases, especially for security releases where it's critical that > the timing be tight. Due to some issues with this last release, pgsql-www > obviously isn't the right venue. > > What I need is a non-public list for this, so that I can ask for web site > changes 3-4 days ahead without it becoming a news item. > > I can think of two means: > > 1) I'm about to create a "contacts" ML for the regional contacts and > regionalized website maintainers to give them advanced but non-public notice > of upcoming releases in the future. Magnus, Robert, Devrim, etc. could be > subscribded to that; in fact, Magnus and Devrim will be as RCs. > > 2) I could sent it to slaves-to-the-www. > > 3) Something else. > > Thoughts? -packagers? /D
Josh Berkus wrote: > WWW core team, > > I need a way to coordinate with you around preparing postgresql.org for > upcoming releases, especially for security releases where it's critical that > the timing be tight. Due to some issues with this last release, pgsql-www > obviously isn't the right venue. > > What I need is a non-public list for this, so that I can ask for web site > changes 3-4 days ahead without it becoming a news item. well not that is closely related to the -www issue but the fix/patch will end up on anoncvs/viewcvs days before the release too (and will get published including the Security: tag and the commit message there and distributed to the buildfarm boxes at least). So to keep it really under the hood would probably be quite difficult to do. Stefan
Stefan, > well not that is closely related to the -www issue but the fix/patch > will end up on anoncvs/viewcvs days before the release too (and will get > published including the Security: tag and the commit message there and > distributed to the buildfarm boxes at least). > So to keep it really under the hood would probably be quite difficult to > do. Actually, we were discussing mechanisms to change that on -core. Suggestions are welcome. Mostly we just want to keep a tight lid on security expoloit information until the day of release. -- Josh Berkus PostgreSQL @ Sun San Francisco
Josh Berkus wrote: > WWW core team, > > I need a way to coordinate with you around preparing postgresql.org for > upcoming releases, especially for security releases where it's critical that > the timing be tight. Due to some issues with this last release, pgsql-www > obviously isn't the right venue. > > What I need is a non-public list for this, so that I can ask for web site > changes 3-4 days ahead without it becoming a news item. Will that really help? In this case, the files were uploaded to the ftp site long before you made your post to the -www list... Does it really make a difference? //Magnus
Josh Berkus wrote: > Stefan, > >> well not that is closely related to the -www issue but the fix/patch >> will end up on anoncvs/viewcvs days before the release too (and will get >> published including the Security: tag and the commit message there and >> distributed to the buildfarm boxes at least). >> So to keep it really under the hood would probably be quite difficult to >> do. > > Actually, we were discussing mechanisms to change that on -core. Suggestions > are welcome. Mostly we just want to keep a tight lid on security expoloit > information until the day of release. yeah I understand the reasoning - but given the rather distributed nature of the postgresql infrastructure I guess it might be very difficult if not impossible to get down to less then 72 or 48 hours. One needs that time to commit the patch and probably wait for at least one round of buildfarm results, tag all the affected branches and build the tarballs and finally all the packagers need to build at least the most important binary packages. Stefan
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > What I need is a non-public list for this, so that I can ask for web site > changes 3-4 days ahead without it becoming a news item. I think Dave's idea of -packagers works fine, there should be enough overlap. What we also need is a better way to update the mirrors in a timely manner. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200702051500 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFFx4z6vJuQZxSWSsgRA87yAKCjB1nUqegLjvxGoRChDWPZ9RwIjwCgnYrP 9WXDio7T+nT+/Q7ODXTMKMQ= =mKwW -----END PGP SIGNATURE-----
Greg Sabino Mullane wrote: > >> What I need is a non-public list for this, so that I can ask for web site >> changes 3-4 days ahead without it becoming a news item. > > I think Dave's idea of -packagers works fine, there should be enough overlap. > > What we also need is a better way to update the mirrors in a timely manner. the fact that new releases are coming up also got announced on IRC over three days ago and we have >300 people there ... Stefan
Stefan Kaltenbrunner wrote: > Greg Sabino Mullane wrote: >>> What I need is a non-public list for this, so that I can ask for web site >>> changes 3-4 days ahead without it becoming a news item. >> I think Dave's idea of -packagers works fine, there should be enough overlap. >> >> What we also need is a better way to update the mirrors in a timely manner. > > the fact that new releases are coming up also got announced on IRC over > three days ago and we have >300 people there ... Where did that come from? Regards, Dave.
Greg Sabino Mullane wrote: > >> What I need is a non-public list for this, so that I can ask for web site >> changes 3-4 days ahead without it becoming a news item. > > I think Dave's idea of -packagers works fine, there should be enough overlap. > > What we also need is a better way to update the mirrors in a timely manner. I don't see how we can do that unless we persuade all the mirrors to update more than once per day, which I doubt the larger ones will do. I guess we could consider reducing the max age of a mirror when we generate the selection pages - but that will mean mirrors will be enabled and disabled at different parts of the day for a few hours at a time. /D
Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes:
> So to keep it really under the hood would probably be quite difficult to do.
Certainly.  We're not looking for something absolutely bulletproof, we
just don't want to read about it on pgsql-announce before the actual
release ;-).  Postgres isn't the sort of target that is likely to have
blackhats tracking our anoncvs watching for interesting commits.  We
think it's probably enough if we can keep the topic out of the public
mailing lists until the release announcement.  Or at least, let's try
to accomplish that before worrying about anything tighter.
(Speaking of which, somebody can go ahead and approve those Security:
pgsql-commit messages now ...)
        regards, tom lane
			
		Dave Page wrote: > Greg Sabino Mullane wrote: >>> What I need is a non-public list for this, so that I can ask for web site >>> changes 3-4 days ahead without it becoming a news item. >> I think Dave's idea of -packagers works fine, there should be enough overlap. >> >> What we also need is a better way to update the mirrors in a timely manner. > > I don't see how we can do that unless we persuade all the mirrors to > update more than once per day, which I doubt the larger ones will do. > > I guess we could consider reducing the max age of a mirror when we > generate the selection pages - but that will mean mirrors will be > enabled and disabled at different parts of the day for a few hours at a > time. how much traffic are the mirrors handling on average btw ? maybe we do not actually need 70+ or so offical mirrors and reducing that number significantly to the ones that can get updated more often might help a bit. Stefan
Dave Page wrote: > Stefan Kaltenbrunner wrote: >> Greg Sabino Mullane wrote: >>>> What I need is a non-public list for this, so that I can ask for web site >>>> changes 3-4 days ahead without it becoming a news item. >>> I think Dave's idea of -packagers works fine, there should be enough overlap. >>> >>> What we also need is a better way to update the mirrors in a timely manner. >> the fact that new releases are coming up also got announced on IRC over >> three days ago and we have >300 people there ... > > Where did that come from? david fetter according to my irc-client - but I suppose he just guessed that from the fact that you did 3 commits(to pginstaller which is also on the commiters list) on that day mentioning the new versions in the commit message ;-) Stefan
Tom Lane wrote: > Stefan Kaltenbrunner <stefan@kaltenbrunner.cc> writes: >> So to keep it really under the hood would probably be quite difficult to do. > > Certainly. We're not looking for something absolutely bulletproof, we > just don't want to read about it on pgsql-announce before the actual > release ;-). Postgres isn't the sort of target that is likely to have > blackhats tracking our anoncvs watching for interesting commits. We > think it's probably enough if we can keep the topic out of the public > mailing lists until the release announcement. Or at least, let's try > to accomplish that before worrying about anything tighter. That is probably a reasonable approach to the whole issue - and for the anoncvs/buildfarm testing thing(if we want/need that even for such patches) we could maybe look into the recent discussion on allowing certain patches to be pulled from trusted people. Maybe one could use that infrastructure to get basic buildfarm testing without the need to commit to to the main public tree immediatly. However the time gained from that might not be worth the pain ... Stefan
Stefan Kaltenbrunner wrote: > Dave Page wrote: >> Greg Sabino Mullane wrote: >>>> What I need is a non-public list for this, so that I can ask for web site >>>> changes 3-4 days ahead without it becoming a news item. >>> I think Dave's idea of -packagers works fine, there should be enough overlap. >>> >>> What we also need is a better way to update the mirrors in a timely manner. >> I don't see how we can do that unless we persuade all the mirrors to >> update more than once per day, which I doubt the larger ones will do. >> >> I guess we could consider reducing the max age of a mirror when we >> generate the selection pages - but that will mean mirrors will be >> enabled and disabled at different parts of the day for a few hours at a >> time. > > how much traffic are the mirrors handling on average btw ? maybe we do > not actually need 70+ or so offical mirrors and reducing that number > significantly to the ones that can get updated more often might help a bit. I have no idea. You could probably work out an average by correlating file sizes with downloads logged by the tracker, but that'd take a bit of patience. Regards, Dave.
Stefan Kaltenbrunner wrote: > Dave Page wrote: >> Stefan Kaltenbrunner wrote: >>> Greg Sabino Mullane wrote: >>>>> What I need is a non-public list for this, so that I can ask for web site >>>>> changes 3-4 days ahead without it becoming a news item. >>>> I think Dave's idea of -packagers works fine, there should be enough overlap. >>>> >>>> What we also need is a better way to update the mirrors in a timely manner. >>> the fact that new releases are coming up also got announced on IRC over >>> three days ago and we have >300 people there ... >> Where did that come from? > > david fetter according to my irc-client - but I suppose he just guessed > that from the fact that you did 3 commits(to pginstaller which is also > on the commiters list) on that day mentioning the new versions in the > commit message ;-) Yeah, I realised that after I'd done it. They also hit the pgAdmin SVN repo because thats where the CHM docs are built from. :-( /D
On Mon, Feb 05, 2007 at 11:28:13AM -0800, Josh Berkus wrote: > WWW core team, > > I need a way to coordinate with you around preparing postgresql.org > for upcoming releases, especially for security releases where it's > critical that the timing be tight. Due to some issues with this > last release, pgsql-www obviously isn't the right venue. I think we need to separate this into two issues: 1. Publishing vulnerabilities only after we've distributed the fix, and 2. Publishing the fact that a minor point release is on its way in order that organizations be able to schedule upgrades. I see these as separable announcements, with what appear to be opposing motivations. For getting upgrades in the pipeline, sooner is better than later. Quite a few outfits have processes that take two weeks or more before the upgrade actually goes through. Giving them a heads-up on this is a good thing, and serious users know that we don't do minor point releases for the sheer thrills of it, i.e. just knowing that something is coming is enough reason for them to schedule the aforementioned upgrade. For vulns, it's really a Good Idea to let as little about them as possible get out in advance of the fix. It's this part that is sensitive information. So here's my proposal. As soon as we have a pretty good idea of when we are going to do a minor point release, we should let the public know with a generic, "Point releases coming. Get ready to upgrade" kind of message. When we find and characterize vulns, we put out at least the severity on some specific private list--which one is TBD--when known so mirrors, packagers, etc. can make it a priority to make those updates available ASAP. As far as the details of vulns, those should only get published as part of the post-distribution announcement. Cheers, D -- David Fetter <david@fetter.org> http://fetter.org/ phone: +1 415 235 3778 AIM: dfetter666 Skype: davidfetter Remember to vote!
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Dave Page wrote: >> What we also need is a better way to update the mirrors in a timely manner. > I don't see how we can do that unless we persuade all the mirrors to > update more than once per day, which I doubt the larger ones will do. Well, I was thinking more in terms of something in addition to the daily update, such as an hourly (or less) check that would pull in any high-priority changes[1]. Seems that most of the time-sensitive changes we've needed affect a very small subset of the pages and should not be a traffic concern. The good thing about such a system is that we would not even need 100% buy-in right away - the ones not implementing it would still get the daily update. Eventually we'd want to strongly encourage everyone to use it, of course. [1] Indication of a need to pull in changes could be as simple as an atomic number stored in a text file somewhere, or by a list of files and timeststamps, or something else simple yet low traffic. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200702051602 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFFx5ufvJuQZxSWSsgRA4SbAKCDm3AGz4+HNHxLGX/mViiLJ93XywCgxiSA U9pGW39bEZpfOZwVr4EQe0M= =G7T+ -----END PGP SIGNATURE-----
Greg Sabino Mullane wrote: > > Dave Page wrote: >>> What we also need is a better way to update the mirrors in a timely manner. > >> I don't see how we can do that unless we persuade all the mirrors to >> update more than once per day, which I doubt the larger ones will do. > > Well, I was thinking more in terms of something in addition to the daily update, > such as an hourly (or less) check that would pull in any high-priority changes[1]. > Seems that most of the time-sensitive changes we've needed affect a very small > subset of the pages and should not be a traffic concern. The good thing about > such a system is that we would not even need 100% buy-in right away - the ones > not implementing it would still get the daily update. Eventually we'd want to > strongly encourage everyone to use it, of course. A nice idea, but a good number of our mirrors are big mirrors sites who likely won't want to muck around with special configs for each site they mirror. Perhaps we could group the mirrors into 'preferred' and 'normal' sections, where the preferred ones are all on a 2 or 4 hour update. Regards, Dave.
Dave Page wrote: > Greg Sabino Mullane wrote: >> Dave Page wrote: >>>> What we also need is a better way to update the mirrors in a timely manner. >>> I don't see how we can do that unless we persuade all the mirrors to >>> update more than once per day, which I doubt the larger ones will do. >> Well, I was thinking more in terms of something in addition to the daily update, >> such as an hourly (or less) check that would pull in any high-priority changes[1]. >> Seems that most of the time-sensitive changes we've needed affect a very small >> subset of the pages and should not be a traffic concern. The good thing about >> such a system is that we would not even need 100% buy-in right away - the ones >> not implementing it would still get the daily update. Eventually we'd want to >> strongly encourage everyone to use it, of course. > > A nice idea, but a good number of our mirrors are big mirrors sites who > likely won't want to muck around with special configs for each site they > mirror. > > Perhaps we could group the mirrors into 'preferred' and 'normal' > sections, where the preferred ones are all on a 2 or 4 hour update. I think we've discussed this before at some point, and yeah, i think that's a good idea. At least if we can get a couple of the "big boys" in on that update schedule - when we should have enough bw to deal with almost everything, and keep the "smaller local mirrors" for those that have really bad international bandwidth. If we're going to be changing the deal around that, I think we should at the same time require that the "preferred mirrors" also support http downloads. We're seeing a regular trickle of people who can't download because their firewall won't let ftp through. And frankly, most other projects provide *only* http downloads these days ;-) Ftp doesn't really buy you anything when you do single file downloads, and we just link to that anyway. (We'd of course keep the ftp as well, given that things like freebsd ports uses them, if I'm not mistaken) //Magnus
On Mon, 5 Feb 2007, Magnus Hagander wrote: > (We'd of course keep the ftp as well, given that things like freebsd > ports uses them, if I'm not mistaken) > FreeBSD ports can use either...... -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 512-248-2683 E-Mail: ler@lerctr.org US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
David Fetter <david@fetter.org> writes:
> I think we need to separate this into two issues:
> 1. Publishing vulnerabilities only after we've distributed the fix, and
> 2. Publishing the fact that a minor point release is on its way in
> order that organizations be able to schedule upgrades.
We already have a solution to #2, which is to say the private
pgsql-packagers mail list.
Usually, we also let pgsql-hackers know of a planned release cycle, but
since this one was so soon after the last one, it would've been pretty
obvious that a security issue was driving it.
I see the leakage points in this case as being
* Dave (and Devrim too) making commits that made it obvious something
was afoot.  They could and should have used the Security: filter that
Marc set up to cause those messages to be held for moderator approval.
* Josh using pgsql-www to notify the web team.  I had had the idea that
pgsql-www was supposed to be closed-subscription, so I didn't think
anything of it at the time, but that's evidently wrong.  Fixing that
leak is the point of this discussion.
Note that we did all right in terms of not leaking the details of the
problems; it was just the fact of a pending release that got out.
So for a first try in this direction it wasn't bad.  But let's try to
improve matters for next time...
        regards, tom lane
			
		Hello, On Mon, 2007-02-05 at 16:38 -0500, Tom Lane wrote: > * Dave (and Devrim too) making commits that made it obvious something > was afoot. They could and should have used the Security: filter that > Marc set up to cause those messages to be held for moderator approval. How? By adding a Security: line before the commit message? Does it also work for pgfoundry commits? > * Josh using pgsql-www to notify the web team. I had had the idea > that pgsql-www was supposed to be closed-subscription, so I didn't > think anything of it at the time, but that's evidently wrong. Fixing > that leak is the point of this discussion. It should be sent to the slaves list I think, as JoshB said in his e-mail. It is closed subscription. Regards, -- Devrim GÜNDÜZ PostgreSQL Replication, Consulting, Custom Development, 24x7 support Managed Services, Shared and Dedicated Hosting Co-Authors: plPHP, ODBCng - http://www.commandprompt.com/
Hello, On Mon, 2007-02-05 at 20:52 +0100, Magnus Hagander wrote: > > What I need is a non-public list for this, so that I can ask for web > > site changes 3-4 days ahead without it becoming a news item. > > Will that really help? In this case, the files were uploaded to the > ftp site long before you made your post to the -www list... Does it > really make a difference? Here is what I have been thinking about this for a while: * As now, an announce to -packagers about the new release. * Upload the new tarballs to a private area (instead of public FTP site) so that only packagers and other related people can download them to build the packages, etc. * Win32 binaries, source tarballs and RPMs will be uploaded to another directory (not to FTP site in developer.postgresql.org) before the release. * After we are done with all of them, (that takes 2 days only), we'll move this directory to FTP site and wait for propagation. Does it look good? -- Devrim GÜNDÜZ PostgreSQL Replication, Consulting, Custom Development, 24x7 support Managed Services, Shared and Dedicated Hosting Co-Authors: plPHP, ODBCng - http://www.commandprompt.com/
Devrim GUNDUZ <devrim@CommandPrompt.com> writes:
> On Mon, 2007-02-05 at 16:38 -0500, Tom Lane wrote:
>> * Dave (and Devrim too) making commits that made it obvious something
>> was afoot.  They could and should have used the Security: filter that
>> Marc set up to cause those messages to be held for moderator approval.
> How?
If there's a line beginning 'Security: ' (note the space, and I think
it's case sensitive) in a pgsql-committers message then it'll get held
for moderator approval.  You'll see some examples as soon as Marc gets
around to releasing my commits from last week.  I thought Marc was going
to notify all the committers about the existence of this mechanism, but
I guess it didn't happen.
> Does it also work for pgfoundry commits?
AFAIK any traffic to pgsql-committers will be handled this way.  If
you've got other outlets for your commit messages then you need to take
it up with them.
> It should be sent to the slaves list I think, as JoshB said in his
> e-mail. It is closed subscription.
I could go with using either slaves or -packagers, though I'd lean to
the former as helping to avoid useless cross-chatter.  I think the
packagers have different concerns as a rule than the webfolk.
        regards, tom lane
			
		On Mon, Feb 05, 2007 at 04:54:29PM -0500, Tom Lane wrote: > I could go with using either slaves or -packagers, though I'd lean to > the former as helping to avoid useless cross-chatter. I think the > packagers have different concerns as a rule than the webfolk. OTOH, reducing the number of addresses to include in these co-ordinations (since packagers presumably need to be alerted too) mightn't be a bad idea. A -- Andrew Sullivan | ajs@crankycanuck.ca A certain description of men are for getting out of debt, yet are against all taxes for raising money to pay it off. --Alexander Hamilton
Hi, On Mon, 2007-02-05 at 16:54 -0500, Tom Lane wrote: > > How? > > If there's a line beginning 'Security: ' (note the space, and I think > it's case sensitive) in a pgsql-committers message then it'll get held > for moderator approval. Thanks for the info. > > Does it also work for pgfoundry commits? > > AFAIK any traffic to pgsql-committers will be handled this way. If > you've got other outlets for your commit messages then you need to > take it up with them. Ok. I can setup mailman so that when it sees such a line, it will hold that message for moderation. Regards, -- Devrim GÜNDÜZ PostgreSQL Replication, Consulting, Custom Development, 24x7 support Managed Services, Shared and Dedicated Hosting Co-Authors: plPHP, ODBCng - http://www.commandprompt.com/
Tom Lane wrote: > > I see the leakage points in this case as being > > * Dave (and Devrim too) making commits that made it obvious something > was afoot. They could and should have used the Security: filter that > Marc set up to cause those messages to be held for moderator approval. The pgInstaller CVS for sure - but that wouldn't have worked for the SVN repo the docs are in. The messages from there go to pgadmin-hackers, so I'm not quite so keen to keyword filter there unless the regexp is a little more precise. Marc; a commit message there might look like (without the lines): ================================================================= Author: dpage Date: 2007-02-05 20:28:43 +0000 (Mon, 05 Feb 2007) New Revision: 5906 Revision summary: http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=5906&view=rev Log: Add a guru hint to warn the user of the consequences of storing passwords, per Tony Caduto. ================================================================= Can you hold messages to pgdmin-hackers with say: "view=rev\n\nLog:\nSecurity: " ? > * Josh using pgsql-www to notify the web team. I had had the idea that > pgsql-www was supposed to be closed-subscription, so I didn't think > anything of it at the time, but that's evidently wrong. Fixing that > leak is the point of this discussion. No, we got lots of flack over it being closed so eventually gave up and made it 'by approval' and then completely open. -packagers will work though - can we get David Fetter subscribed, and my own address approved if it still hasn't been. On a related I'm also not sure if Hiroshi Saito (z-saito@guitar.ocn.ne.jp) is subscribed (he packages win32-ja) - if not, can we sort that at the same time please? Regards, Dave.
Tom Lane wrote: > I could go with using either slaves or -packagers, though I'd lean to > the former as helping to avoid useless cross-chatter. I think the > packagers have different concerns as a rule than the webfolk. The slaves list is used entirely for cron output and moderation messages. It's not a list to try to discuss things on as I, and I'm sure some of the other members have unusual recipes on stuff going there. Regards, Dave
Andrew, > OTOH, reducing the number of addresses to include in these > co-ordinations (since packagers presumably need to be alerted too) > mightn't be a bad idea. yeah, I'm thinking two (and only two) lists: pgsql-packagers: for actual release building press-contacts: for release FAQ. I know the second adds more people, but I'm realizing that it's important that our Regional Contacts know about the releases before they go out. Otherwise we risk a press person actually calling, say, Nick about a release and having him say "what security issue?" Also, the RCs are a good way to dissemenate important update information to our non-English-language communities. The question is which is more appropriate for the web folks? I'm thinking -packagers, because the web folks need to know when the actual packages will be ready and any delays. -- --Josh Josh Berkus PostgreSQL @ Sun San Francisco
Devrim GUNDUZ <devrim@CommandPrompt.com> writes:
> * Upload the new tarballs to a private area (instead of public FTP site)
> so that only packagers and other related people can download them to
> build the packages, etc.
We're not going to be able to make things really water-tight unless we
are willing to close off CVS somehow; which is not an idea I favor.
So I'm not particularly concerned about hiding tarballs --- especially
since that's not something we'd do in a normal, non-security release
cycle.  As I said before, keeping it off the mailing lists is probably
sufficient, and in any case has to be our first goal before we start
worrying about any more-invasive procedural changes.
        regards, tom lane
			
		Josh Berkus wrote: > The question is which is more appropriate for the web folks? I'm thinking > -packagers, because the web folks need to know when the actual packages > will be ready and any delays. And a good percentage of us are already on it. /D
Dave Page <dpage@postgresql.org> writes:
> Tom Lane wrote:
>> I could go with using either slaves or -packagers, though I'd lean to
>> the former as helping to avoid useless cross-chatter.  I think the
>> packagers have different concerns as a rule than the webfolk.
> The slaves list is used entirely for cron output and moderation
> messages. It's not a list to try to discuss things on as I, and I'm sure
> some of the other members have unusual recipes on stuff going there.
Oh, OK.  Maybe we do need a whole 'nother list?  But probably -packagers
will do for the moment.
        regards, tom lane
			
		On Mon, 5 Feb 2007, Tom Lane wrote:
> Devrim GUNDUZ <devrim@CommandPrompt.com> writes:
>> * Upload the new tarballs to a private area (instead of public FTP site)
>> so that only packagers and other related people can download them to
>> build the packages, etc.
>
> We're not going to be able to make things really water-tight unless we
> are willing to close off CVS somehow; which is not an idea I favor.
> So I'm not particularly concerned about hiding tarballs --- especially
> since that's not something we'd do in a normal, non-security release
> cycle.  As I said before, keeping it off the mailing lists is probably
> sufficient, and in any case has to be our first goal before we start
> worrying about any more-invasive procedural changes.
I hope we will not go beyond this.
btw, how other OSS projects manage releases ?
Inkscape, for example, just didn't announce it's 0.45 release, but 
all tarballs were available from sourceforge site.
    Regards,        Oleg
_____________________________________________________________
Oleg Bartunov, Research Scientist, Head of AstroNet (www.astronet.ru),
Sternberg Astronomical Institute, Moscow University, Russia
Internet: oleg@sai.msu.su, http://www.sai.msu.su/~megera/
phone: +007(495)939-16-83, +007(495)939-23-83
			
		-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Monday, February 05, 2007 21:58:25 +0000 Dave Page <dpage@postgresql.org> wrote: > Can you hold messages to pgdmin-hackers with say: > "view=rev\n\nLog:\nSecurity: " ? If you give me a proper regex for there, I can put it in and you can test it ... Or is it just: /view=rev\n\nLog:\nSecurity: / that you want me to add? - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFx9vF4QvfyHIvDvMRAkZcAJ9p4TSSIhJ4Xc/ByWqRzelPmBVr5wCglSdR mK7UHOmKJ2m6V2mEpP7XyfE= =QIeX -----END PGP SIGNATURE-----
Marc G. Fournier wrote: > > > --On Monday, February 05, 2007 21:58:25 +0000 Dave Page <dpage@postgresql.org> > wrote: > > >> Can you hold messages to pgdmin-hackers with say: >> "view=rev\n\nLog:\nSecurity: " ? > > If you give me a proper regex for there, I can put it in and you can test it ... > > Or is it just: > > /view=rev\n\nLog:\nSecurity: / > > that you want me to add? If that'll hold the messages then sure, please do. Oh, and please subscribe to the list - I'm getting fed up with approving all your messages. /D
Devrim GUNDUZ a ecrit le 05/02/2007 22:53: > Hello, > > > On Mon, 2007-02-05 at 20:52 +0100, Magnus Hagander wrote: >>> What I need is a non-public list for this, so that I can ask for web >>> site changes 3-4 days ahead without it becoming a news item. >> Will that really help? In this case, the files were uploaded to the >> ftp site long before you made your post to the -www list... Does it >> really make a difference? > > Here is what I have been thinking about this for a while: > > * As now, an announce to -packagers about the new release. > > * Upload the new tarballs to a private area (instead of public FTP site) > so that only packagers and other related people can download them to > build the packages, etc. > > * Win32 binaries, source tarballs and RPMs will be uploaded to another > directory (not to FTP site in developer.postgresql.org) before the > release. > > * After we are done with all of them, (that takes 2 days only), we'll > move this directory to FTP site and wait for propagation. > > Does it look good? It looks good to me if these are the steps to follow for security release only. I update the french manual for each release (even minor ones). Last week, I had some hints that a minor release was going to happen and I kept an eye on the ftp source server (as I do every time a minor release is on its way). Saturday, 7.4, 8.0 and 8.1's french manuals were updated on the SVN repository (see http://svn.postgresqlfr.org/timeline?from=02%2F03%2F07&daysback=0&changeset=on&update=Update). And Sunday, 8.2's french manual was updated (see http://svn.postgresqlfr.org/timeline?from=02%2F04%2F07&daysback=0&changeset=on&update=Update). Sunday evening or Monday morning (I don't quite remember), I uploaded them. I completely understand why you want a private area for security updates. French manual will be available a few days later. But I don't think other releases should take the same steps. I translate beta and RC because it gives me much more time to do it. Actually, I have a full translation available the same day the release is out. And if it was possible that I have access to this private area, it would be great :) -- Guillaume.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 'k, set ... you will want to test it though ... current 'taboo' strings are: /^Security: / /view=rev\n\nLog:\nSecurity: / For those unaware, these will cause the commit message to be queued for moderator approval, so, for instance, when Tom does 'security commits' before a security release, the messages don't go out before the announcement itself ... - --On Tuesday, February 06, 2007 08:32:53 +0000 Dave Page <dpage@postgresql.org> wrote: > Marc G. Fournier wrote: >> >> >> --On Monday, February 05, 2007 21:58:25 +0000 Dave Page >> <dpage@postgresql.org> wrote: >> >> >>> Can you hold messages to pgdmin-hackers with say: >>> "view=rev\n\nLog:\nSecurity: " ? >> >> If you give me a proper regex for there, I can put it in and you can test it >> ... >> >> Or is it just: >> >> /view=rev\n\nLog:\nSecurity: / >> >> that you want me to add? > > If that'll hold the messages then sure, please do. > > Oh, and please subscribe to the list - I'm getting fed up with approving > all your messages. > > /D - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFyIga4QvfyHIvDvMRAtkuAKC/1DN7Z9dGPEVbY46mxZ0RzKZO/ACeLSb7 OvwvQlfACQgoaVoBQ0cCsQU= =HNqN -----END PGP SIGNATURE-----
Marc G. Fournier wrote: > > 'k, set ... you will want to test it though ... > > current 'taboo' strings are: > > /^Security: / Please lose that one - the pgAdmin list is used for general discussion and that string doesn't seem unreasonable to be included in an email. > /view=rev\n\nLog:\nSecurity: / > That should do the job. Thanks, Dave
Dave Page wrote: > Marc G. Fournier wrote: >> 'k, set ... you will want to test it though ... >> >> current 'taboo' strings are: >> >> /^Security: / > > Please lose that one - the pgAdmin list is used for general discussion > and that string doesn't seem unreasonable to be included in an email. > >> /view=rev\n\nLog:\nSecurity: / >> > > That should do the job. Or not - this went straight through: Author: dpage Date: 2007-02-06 13:40:30 +0000 (Tue, 06 Feb 2007) New Revision: 5907 Revision summary: http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=5907&view=rev Log: Security: Test commit Modified: trunk/pgadmin3/CHANGELOG
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Tuesday, February 06, 2007 14:02:23 +0000 Dave Page <dpage@postgresql.org> wrote: > Marc G. Fournier wrote: >> >> 'k, set ... you will want to test it though ... >> >> current 'taboo' strings are: >> >> /^Security: / > > Please lose that one - the pgAdmin list is used for general discussion > and that string doesn't seem unreasonable to be included in an email. Discuss it with Tom ... he's the one that requested that one ... Wait, you missed something in the thread here (or, I didn't emphasize it enough) .. this is *only* on the committers list, none of the other ones ... its only meant to trap commit messages pertaining to a security release, not security related discussions ... is that why you did that 'long string' below? Cause you thought it was on all lists? :) Sorry, I should have been more clear ... - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFyI7o4QvfyHIvDvMRAt7ZAKCBUJbaJhBSJ6wRnVRF0/OS1F5XSACfeVU8 q8Yek8X09zrBsaAnKZVOutU= =YQxf -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Tuesday, February 06, 2007 14:08:49 +0000 Dave Page <dpage@postgresql.org> wrote: > Dave Page wrote: >> Marc G. Fournier wrote: >>> 'k, set ... you will want to test it though ... >>> >>> current 'taboo' strings are: >>> >>> /^Security: / >> >> Please lose that one - the pgAdmin list is used for general discussion >> and that string doesn't seem unreasonable to be included in an email. >> >>> /view=rev\n\nLog:\nSecurity: / >>> >> >> That should do the job. > > Or not - this went straight through: Of course it would ... the message comes through as something like: view=rev</a>\n\nLog:\nSecurity: the HTTP is a clickable URL ... But, not sure why /^Security: / isn't picking it up like it should ... > > Author: dpage > > Date: 2007-02-06 13:40:30 +0000 (Tue, 06 Feb 2007) > > New Revision: 5907 > > Revision summary: > http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=5907&view=rev > > Log: > Security: Test commit > > > Modified: > trunk/pgadmin3/CHANGELOG - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFyI9G4QvfyHIvDvMRAhrmAKC+SO1/e408iKGVcfPoTvMJcEm9EwCfdvHY M/sG3rkC7CDPv97ecc97e4U= =wsWC -----END PGP SIGNATURE-----
Marc G. Fournier wrote: > > > --On Tuesday, February 06, 2007 14:02:23 +0000 Dave Page > <dpage@postgresql.org> > wrote: > >> Marc G. Fournier wrote: >>> 'k, set ... you will want to test it though ... >>> >>> current 'taboo' strings are: >>> >>> /^Security: / >> Please lose that one - the pgAdmin list is used for general discussion >> and that string doesn't seem unreasonable to be included in an email. > > Discuss it with Tom ... he's the one that requested that one ... > > Wait, you missed something in the thread here (or, I didn't emphasize it > enough) .. this is *only* on the committers list, none of the other ones ... > its only meant to trap commit messages pertaining to a security release, not > security related discussions ... is that why you did that 'long string' below? > Cause you thought it was on all lists? :) > > Sorry, I should have been more clear ... No *you* missed something :-) The pgAdmin SVN commit messages go to pgadmin-hackers@postgresql.org - my request was that you add the long string to /that/ list. Regards, Dave.
Dave Page <dpage@postgresql.org> writes:
> Dave Page wrote:
>> Marc G. Fournier wrote:
>>> /view=rev\n\nLog:\nSecurity: /
>> 
>> That should do the job.
> Or not - this went straight through:
I was wondering whether the pattern matcher would match across lines.
You might have to settle for the same '^Security: ' pattern.  I'm not
convinced it'd catch as much traffic as all that, and even if it does,
it just goes to the moderation queue ... not the end of the world ...
        regards, tom lane
			
		Marc G. Fournier wrote: > >>>> /view=rev\n\nLog:\nSecurity: / >>>> >>> That should do the job. >> Or not - this went straight through: > > Of course it would ... the message comes through as something like: > > view=rev</a>\n\nLog:\nSecurity: > > the HTTP is a clickable URL ... Only 'cos your MUA renders it as a clickable link - the code that generates the email reads: my @body; push(@body, "Author: $author\n\n"); push(@body, "Date: $date\n\n"); push(@body, "New Revision: $rev\n\n"); push(@body, "Revision summary: http://svn.pgadmin.org/cgi-bin/viewcvs.cgi/?rev=$rev&view=rev\n\n"); push(@body, "Log:\n"); push(@body, @log); push(@body, "\n"); push(@body, "\n"); Regards, Dave
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Tuesday, February 06, 2007 14:24:00 +0000 Dave Page <dpage@postgresql.org> wrote: > Marc G. Fournier wrote: >> >> >> --On Tuesday, February 06, 2007 14:02:23 +0000 Dave Page >> <dpage@postgresql.org> >> wrote: >> >>> Marc G. Fournier wrote: >>>> 'k, set ... you will want to test it though ... >>>> >>>> current 'taboo' strings are: >>>> >>>> /^Security: / >>> Please lose that one - the pgAdmin list is used for general discussion >>> and that string doesn't seem unreasonable to be included in an email. >> >> Discuss it with Tom ... he's the one that requested that one ... >> >> Wait, you missed something in the thread here (or, I didn't emphasize it >> enough) .. this is *only* on the committers list, none of the other ones ... >> its only meant to trap commit messages pertaining to a security release, not >> security related discussions ... is that why you did that 'long string' >> below? Cause you thought it was on all lists? :) >> >> Sorry, I should have been more clear ... > > No *you* missed something :-) The pgAdmin SVN commit messages go to > pgadmin-hackers@postgresql.org - my request was that you add the long > string to /that/ list. Yup, I missed that, sorry ... okay, changed ... try that now, s hould work a wee bit better :) > > Regards, Dave. - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFyJ0U4QvfyHIvDvMRAhQ/AJ4tL/En/EPKE3mpYXXgE5VHeHAx1gCfcqv8 VYj7OLobteyqMpa6tj8XQ/k= =Do7Y -----END PGP SIGNATURE-----
Marc G. Fournier wrote: > >> No *you* missed something :-) The pgAdmin SVN commit messages go to >> pgadmin-hackers@postgresql.org - my request was that you add the long >> string to /that/ list. > > Yup, I missed that, sorry ... okay, changed ... try that now, s hould work a > wee bit better :) Nope, went straight through. Perhaps it's the fact it's multiline as Tom suggested. Wanna try the short string? Regards, Dave
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Done, try that ... but, you can edit taboo_body yourself for the list, no? :) - --On Tuesday, February 06, 2007 15:40:43 +0000 Dave Page <dpage@postgresql.org> wrote: > Marc G. Fournier wrote: >> >>> No *you* missed something :-) The pgAdmin SVN commit messages go to >>> pgadmin-hackers@postgresql.org - my request was that you add the long >>> string to /that/ list. >> >> Yup, I missed that, sorry ... okay, changed ... try that now, s hould work a >> wee bit better :) > > Nope, went straight through. Perhaps it's the fact it's multiline as Tom > suggested. Wanna try the short string? > > Regards, Dave - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFyKgY4QvfyHIvDvMRAieFAKCt60HbxghCJO9ebO74/hOMax7N+wCfVrUI VNxym55nOQEQz1NdZzE3Pxw= =unP2 -----END PGP SIGNATURE-----
Marc G. Fournier wrote: > > Done, try that ... but, you can edit taboo_body yourself for the list, no? :) I could, but you know it better than I do :-p /D
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Tuesday, February 06, 2007 16:16:11 +0000 Dave Page <dpage@postgresql.org> wrote: > Marc G. Fournier wrote: >> >> Done, try that ... but, you can edit taboo_body yourself for the list, no? :) > > I could, but you know it better than I do :-p Ya, I used it about a week so far ... much more experience with it >:) - ---- Marc G. Fournier Hub.Org Networking Services (http://www.hub.org) Email . scrappy@hub.org MSN . scrappy@hub.org Yahoo . yscrappy Skype: hub.org ICQ . 7615664 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFyL0M4QvfyHIvDvMRAgRcAKDNynrzejdNP6LPf/Kry0Hn2WMuUgCg1Hhq cnIWUe3jrOWHgjTo/uHXviA= =QgOW -----END PGP SIGNATURE-----