> Another important aspect of PostgreSQL is that we are a collective, rather
> than a company. We don't have, for example, a legal entity of record that
> could legitimately accept NDAs on behalf of our developers. (More than one
> vendor brought up "sign an NDA" as a way to get early access, and that's
> not a reasonable option for adding people to pgsql-security or
> pgsql-packagers.)
I wouldn't encourage this, but we do have a legal entity through SPI. Were we, as a community, open to using 'signed an NDA' as sufficient trust, using SPI as the entity could work. To be honest, I don't think that we, collectively, feel that a signed NDA is sufficient.
As far as I know, our association with SPI hasn't been empowered to sign contracts on behalf of PGDG. They don't even hold any trademarks for us. PGDG's association with SPI is to receive donations and disburse grants. Happy to be corrected if I am mistaken on those points.
We also have several other non-profits whose missions are varied.
None are empowered to sign contracts or legally represent the developers who make up PGDG.