public inbox for [email protected]  
From: Christoph Berg <[email protected]>
To: Wim Bertels <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: separate security tag?
Date: Thu, 11 Dec 2025 12:48:32 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

Re: Wim Bertels
> so the question then becomes:
> could it be possible to have a
> security.postgresql.org
> and
> apt.postgresql.org

We could have separate suites foo-pgdg-security instead.

But I think that doesn't really solve the problem because it has too
many sub-dimensions. Say you switched to the apt.pg.o version of
pgbouncer because you wanted a newer feature. Would you later want
only security updates for it? If someone else switches to it later for
another feature, would we have to maintain pgbouncer-feature1-security
and pgbouncer-feature2-security? For the server packages, the
discussion is similar.

This would be a huge extra effort, and the problem space is already
complicated enough. If you want stable stable, use what is in Debian.
If you want newer versions, go with apt.pg.o.

I already try to mention CVEs in the package changelogs, though
sometimes I miss them. I could try to make sure that happens more
often.

Christoph




