From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Andres Freund <andres(at)anarazel(dot)de>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Security lessons from liblzma |
Date: | 2024-04-09 02:57:27 |
Message-ID: | ZhSul1Ce2chfbNMM@momjian.us |
Lists: | pgsql-hackers |
On Sat, Mar 30, 2024 at 04:50:26PM -0400, Robert Haas wrote:
> An awful lot of what we do operates on the principle that we know the
> people who are involved and trust them, and I'm glad we do trust them,
> but the world is full of people who trusted somebody too much and
> regretted it afterwards. The fact that we have many committers rather
> than a single maintainer probably reduces risk at least as far as the
> source repository is concerned, because there are more people paying
> attention to potentially notice something that isn't as it should be.
One unwritten requirement for committers is that we are able to
communicate with them securely. If we cannot do that, they potentially
could be forced by others, e.g., governments, to add code to our
repositories.
Unfortunately, there is no good way for them to communicate with us
securely once they are unable to communicate with us securely. I
suppose some special word could be used to communicate that status ---
that is how it was done in non-electronic communication in the past.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.