Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSRZN-00GZbs-3c for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Dec 2024 02:01:17 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tSRZL-00Gphh-Lf for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Dec 2024 02:01:15 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSRZL-00GphZ-Ar for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 02:01:15 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSRZI-002Qsq-1O for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 02:01:14 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 4BV20xNV3999106; Mon, 30 Dec 2024 21:00:59 -0500 From: Tom Lane To: Michael Paquier cc: Bruce Momjian , Roberto =?iso-8859-1?Q?C=2E_S=E1nchez?= , pgsql-hackers@lists.postgresql.org, Christoph Berg Subject: Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4) In-reply-to: References: Comments: In-reply-to Michael Paquier message dated "Tue, 31 Dec 2024 10:23:29 +0900" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3999104.1735610459.1@sss.pgh.pa.us> Date: Mon, 30 Dec 2024 21:00:59 -0500 Message-ID: <3999105.1735610459@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Michael Paquier writes: > On Mon, Dec 30, 2024 at 04:58:26PM -0500, Bruce Momjian wrote: >> Is our five-year insufficient? > FWIW, I'm already on the side that five-year support is quite good and > I'd side with not extending that, even argue about reducing it > (anti-tomato armor is now on). Backporting patches across up to 7 > branches can be really tedious depending on what you are dealing with > in the backend. Yeah, I can't see extending it, at least not under our current theory of back-patching (nearly) every bug fix to all supported branches. Could there be an intermediate state where older branches get only "critical" fixes? (Security and data-loss bugs only, IMV.) Another not-necessarily-exclusive idea is to designate only certain branches as LTS. We could free up the developer bandwidth needed for LTS by shortening the period in which non-LTS branches get full support. This ties into a criticism I have of the criteria that outfits like Debian and Red Hat seem to have for back-patching bug fixes: if it's labeled "CVE" then it must get fixed, even for something as narrow and low-impact as CVE-2024-10978. Meanwhile, even very critical data-loss bugs are typically ignored. For a database, this verges on insanity. Maybe, if we were doing an only-critical-fixes LTS release series, it'd be easier for downstream outfits to consume that instead of cherry-picking security fixes. I'm just speculating though. It's entirely possible that packagers would ignore our opinions and keep on cherry-picking only security fixes, in which case we'd be doing a lot of work for little return. regards, tom lane