Re: Heroku early upgrade is raising serious questions

From: Selena Deckelmann
Subject: Re: Heroku early upgrade is raising serious questions
Msg-id: CAN1EF+zuWpvgcn22dfSix8ORY7B20=qJw0t2grsc4ksMO9rewA@mail.gmail.com
In reply to: Re: Heroku early upgrade is raising serious questions (Stephen Frost <sfrost@snowman.net>)
Responses: Re: Heroku early upgrade is raising serious questions (Stephen Frost <sfrost@snowman.net>)
List: pgsql-advocacy
On Tue, Apr 9, 2013 at 10:14 AM, Stephen Frost <sfrost@snowman.net> wrote:

> Weighing the needs of various communities along with their risk profiles
> and trustworthiness is a very difficult thing, but once vetted and
> approved for early access, they should be encouraged to do as much as
> they can to ensure they are not vulnerable provided that they are able
> to do so without disclosing sensitive information.

This is a crucial point.

Another important aspect of PostgreSQL is that we are a collective, rather than a company. We don't have, for example, a legal entity of record that could legitimately accept NDAs on behalf of our developers. (More than one vendor brought up "sign an NDA" as a way to get early access, and that's not a reasonable option for adding people to pgsql-security or pgsql-packagers.)

So, we require contributors who package up our software to build trust among our developers as a matter of policy.

We haven't specifically described what that trust looks like or how to build up that trust in a formal way. However, most of the developers who are part of this community have a feeling of what "building up trust among PostgreSQL developers" means. My guess is, the new security policy will make what that phrase means a bit more clear, and it will include something about how -core will reserve the right to make a final judgment about who should and shouldn't be given access to pre-release security patches.

There will always be some element of judgment involved -- where a new kind of situation, a new kind of security vulnerability tests the informal and formal policies that a group has established. An important meta-policy is: how do we make changes to the existing informal and formal policies/processes?

For us, it appears that having a debate on -advocacy is one of the ways to influence the outcome. Another way, probably, is to maintain a software distribution package that many people outside the immediate PostgreSQL community depend on. And the most obvious way to influence this policy is to be a member of -core.

-selena
