Subject: Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept
From: Simon Riggs
To: Bruce Momjian
Cc: Tom Lane, Stephen Frost, pgsql-hackers@postgresql.org, Ferindo Middleton, pgsql-bugs@postgresql.org
In-Reply-To: <200511251720.jAPHKN412761@candle.pha.pa.us>
References: <200511251720.jAPHKN412761@candle.pha.pa.us>
Date: Fri, 25 Nov 2005 18:46:57 +0000
Message-Id: <1132944417.2906.23.camel@localhost.localdomain>
X-Archive-Number: 200511/263
X-Sequence-Number: 13627

On Fri, 2005-11-25 at 12:20 -0500, Bruce Momjian wrote:
> Simon Riggs wrote:
> > On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote:
> > > All known CVE problems are resolved in 8.0.4.
> >
> > It seems like we need a much clearer resource for security admins to
> > check our compliance levels. This could be a source of similar
> > refusal-to-implement PostgreSQL at other installations, so could almost
> > be regarded as an advocacy issue. Other software projects have been
> > criticized badly for their security response and info dissemination - I
> > don't believe that applies here, but it does indicate the general
> > requirement and its priority. i.e. don't just fix the bugs, tell
> > everyone you've fixed the bugs.
>
> Well, as the original poster mentioned, they were looking for a reason
> _not_ to use PostgreSQL, and if that is the goal, you can find a reason,
> error numbers or not.

I think that's true, but it should be our goal to remove all excuses so
that people have to face up to the real issues. I see this as advocacy
in many ways.

> I am not excited about referencing error numbers from someone else. We
> know our errors better than anyone else, so I don't see the point.

I think if you don't want to put those on the release notes, that's fine;
we know you're busy. Others have spoken in favour of a web page, separate
from the release notes, and as Tom points out it's easier to do it that
way retrospectively anyway.

*We* do know our errors, but that's not the point. CVE is becoming an
accepted standard for referring to security exposures and we should
follow this trend.

http://www.cve.mitre.org/about/introduction.html

CVE isn't just somebody else's bugtrack numbers, they're big. Debian,
Gentoo, RedHat, IBM, CA etc. already do this.

Unless somebody else wants to do this, I'll discuss on -www how we can
get a page up on the .org site with this info on, so that we can be
"CVE compatible".

Best Regards, Simon Riggs