Thread

  1. recent security activity

    Thomas F.O'Connell <tfo@monsterlabs.com> — 2002-08-22T16:05:49Z

    does the recent security activity, including several reported exploits 
    and patches, as well as the mention of creation of an audit team merit 
    the creation of a new pgsql-security list?
    
    as someone working with a paranoid sysadmin, i'd find it to be of use...
    
    any thoughts? would there be sufficient traffic? maybe the list would 
    actually _help_ generate traffic?
    
    -tfo
    
    
  2. Re: recent security activity

    Greg Copeland <greg@copelandconsulting.net> — 2002-08-22T22:41:03Z

    I think that's an excellent idea.  It would allow people to subscribe to
    what would seemingly be a low volume mailing list and still be alerted
    to possible issues they should be aware of.
    
    Sign,
    
    	Greg Copeland
    
    
    
    On Thu, 2002-08-22 at 11:05, Thomas O'Connell wrote:
    > does the recent security activity, including several reported exploits 
    > and patches, as well as the mention of creation of an audit team merit 
    > the creation of a new pgsql-security list?
    > 
    > as someone working with a paranoid sysadmin, i'd find it to be of use...
    > 
    > any thoughts? would there be sufficient traffic? maybe the list would 
    > actually _help_ generate traffic?
    > 
    > -tfo
    > 
    > ---------------------------(end of broadcast)---------------------------
    > TIP 6: Have you searched our list archives?
    > 
    > http://archives.postgresql.org
    
    
  3. Re: recent security activity

    Neil Conway <neilc@samurai.com> — 2002-08-22T22:48:40Z

    Greg Copeland <greg@CopelandConsulting.Net> writes:
    > I think that's an excellent idea.  It would allow people to subscribe to
    > what would seemingly be a low volume mailing list and still be alerted
    > to possible issues they should be aware of.
    
    Would the purpose of the list be for publicizing vulnerabilities and
    patches, or for the discussion of potential security problems, code
    auditing, and related development activity?
    
    If the former, I think pgsql-announce is adequate for that purpose. If
    the latter, I'd rather see that kind of discussion on -hackers, so
    that other developers are aware of what's going on.
    
    Cheers,
    
    Neil
    
    -- 
    Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
    
    
    
  4. Re: recent security activity

    Tom Lane <tgl@sss.pgh.pa.us> — 2002-08-22T23:07:05Z

    Neil Conway <neilc@samurai.com> writes:
    > Would the purpose of the list be for publicizing vulnerabilities and
    > patches, or for the discussion of potential security problems, code
    > auditing, and related development activity?
    
    > If the former, I think pgsql-announce is adequate for that purpose. If
    > the latter, I'd rather see that kind of discussion on -hackers, so
    > that other developers are aware of what's going on.
    
    Also worth noting in this connection: if someone wants to report a
    security issue to the developers *without* publicizing it (as used to
    be considered good form), you can send to the pgsql-core mailing list.
    This goes to just the core committee members and is not archived anywhere
    public.
    
    I tend to agree with Neil that a separate -security list isn't needed,
    but will not stand in the way if there's sufficient interest.
    
    			regards, tom lane
    
    
  5. Re: recent security activity

    Greg Copeland <greg@copelandconsulting.net> — 2002-08-23T12:37:06Z

    I assumed it would be for patches and security alerts with followups as
    needed.
    
    I can see where use of announce can serve this purpose, however, if
    someone is solely interested in the security advisory aspects, they may
    not care about the announcement-of-the-day.
    
    Just food for thought.  I can see why you wouldn't want another
    list..otoh, I can see where someone may not want to monitor announce for
    the sole purpose of watching for security advisories and patches.
    
    Perhaps the use of "[SECURITY]" in the subject, or some such item, would
    better address the issue and simply continue to use announce?  That way,
    MUA filters can easily be used to find and highlight items of interest.
    
    
    Greg
    
    
    
    On Thu, 2002-08-22 at 17:48, Neil Conway wrote:
    > Greg Copeland <greg@CopelandConsulting.Net> writes:
    > > I think that's an excellent idea.  It would allow people to subscribe to
    > > what would seemingly be a low volume mailing list and still be alerted
    > > to possible issues they should be aware of.
    > 
    > Would the purpose of the list be for publicizing vulnerabilities and
    > patches, or for the discussion of potential security problems, code
    > auditing, and related development activity?
    > 
    > If the former, I think pgsql-announce is adequate for that purpose. If
    > the latter, I'd rather see that kind of discussion on -hackers, so
    > that other developers are aware of what's going on.
    >