public inbox for [email protected]  
From: Simon Riggs <[email protected]>
To: Tom Lane <[email protected]>
Cc: Magnus Hagander <[email protected]>
Cc: [email protected]
Subject: Re: Security information page
Date: Sun, 27 Nov 2005 17:55:22 +0000
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>

On Sun, 2005-11-27 at 12:16 -0500, Tom Lane wrote:
> "Magnus Hagander" <[email protected]> writes:
> > Per some discussion last week, I've put together a page with security
> > information. Basically an introduction written by Simon and a table I
> > pulled together by going through the CVE list and matching it up with
> > our cvs versions.
> 
> : All security issues are always fixed in the next major release, when
> : it comes out.
> 
> Perhaps "all known security issues..."  The statement as made is
> hopelessly hubristic.

Agreed. I'm sure Magnus meant that.

> Please remove the statements about how we will respond within X hours or
> days.  That has nothing to do with reality.  (Reality is that we are
> often constrained by CVE publication dates if the fix is trivial, and
> if it isn't trivial then it won't be fixed instantly anyway.)  

The wording was "typically"; there is no "will do this" statement, so
it's not a binding Service Level Agreement or anything.

In terms of what has happened in the last couple of years, I thought it
was a reasonable statement. It wasn't meant to be hype. If we can agree
a worthwhile and accurate statement I'd ask that we keep it; if we can't
then it should go.

> I'd lose
> the whole paragraph beginning "PGDG's aim ..."

The line about our aim was part of the wording required (not exact, I
hasten to add) for CVE-compatibility...

> I think the bit about "Our goal is to gain and maintain CVE-compatible
> status" is bogus.  As near as I can tell, Mitre's definition of CVE
> compatibility applies to security products (eg, vulnerability scanners)
> which Postgres is not.  You could maybe say that this one web page is
> something that could apply for CVE compatibility status, but are we
> going to jump through those hoops for one web page?  Nyet.

There aren't that many hoops and I have volunteered to do the paperwork.

There isn't much else we need to do, apart from maintain the page.

If it gets more complex, then I'd agree the effort isn't worth it and
withdraw those comments.

> The list seems a bit short; did you look through the release notes for
> items that seem to be security issues?  I suspect there are some that
> don't have CVE names.

OK. I think we should publish this to -hackers and ask people to check
it before we put it up on the site.

Best Regards, Simon Riggs