Neil Conway <neilc@samurai.com> writes:
> Would the purpose of the list be for publicizing vulnerabilities and
> patches, or for the discussion of potential security problems, code
> auditing, and related development activity?
> If the former, I think pgsql-announce is adequate for that purpose. If
> the latter, I'd rather see that kind of discussion on -hackers, so
> that other developers are aware of what's going on.
Also worth noting in this connection: if someone wants to report a
security issue to the developers *without* publicizing it (as used to
be considered good form), you can send to the pgsql-core mailing list.
This goes to just the core committee members and is not archived anywhere
public.
I tend to agree with Neil that a separate -security list isn't needed,
but will not stand in the way if there's sufficient interest.
regards, tom lane