Date: Thu, 11 Dec 2025 12:48:32 +0100
From: Christoph Berg
To: Wim Bertels
Cc: pgsql-pkg-debian@postgresql.org
Subject: Re: separate security tag?
In-Reply-To: <2749022a766c1ed575f5adee99da76de480f8a4c.camel@ucll.be>

Re: Wim Bertels
> so the question then becomes:
> could it be possible to have a
> security.postgresql.org
> and
> apt.postgresql.org

We could have separate suites foo-pgdg-security instead. But I think that doesn't really solve the problem because it has too many sub-dimensions.

Say you switched to the apt.pg.o version of pgbouncer because you wanted a newer feature. Would you later want only security updates for it? If someone else switches to it later for another feature, would we have to maintain pgbouncer-feature1-security and pgbouncer-feature2-security?

For the server packages, the discussion is similar.

This would be a huge extra effort, and the problem space is already complicated enough. If you want stable stable, use what is in Debian. If you want newer versions, go with apt.pg.o.

I already try to mention CVEs in the package changelogs, though sometimes I miss them. I could try to make sure that happens more often.

Christoph