X-Original-To: pgsql-www-postgresql.org@localhost.postgresql.org Received: from localhost (av.hub.org [200.46.204.144]) by svr1.postgresql.org (Postfix) with ESMTP id 3AA58DC8C2 for ; Sun, 27 Nov 2005 14:56:22 -0400 (AST) Received: from svr1.postgresql.org ([200.46.204.71]) by localhost (av.hub.org [200.46.204.144]) (amavisd-new, port 10024) with ESMTP id 09770-02-4 for ; Sun, 27 Nov 2005 14:56:11 -0400 (AST) X-Greylist: from auto-whitelisted by SQLgrey- Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by svr1.postgresql.org (Postfix) with ESMTP id 3D248DCA4B for ; Sun, 27 Nov 2005 13:55:23 -0400 (AST) Received: from [192.168.0.4] (213-208-104-206.dyn.gotadsl.co.uk [213.208.104.206]) by smtp.nildram.co.uk (Postfix) with ESMTP id E4FC7254C5A; Sun, 27 Nov 2005 17:55:19 +0000 (GMT) Subject: Re: Security information page From: Simon Riggs To: Tom Lane Cc: Magnus Hagander , pgsql-www@postgresql.org In-Reply-To: <2803.1133111793@sss.pgh.pa.us> References: <6BCB9D8A16AC4241919521715F4D8BCE92E8A9@algol.sollentuna.se> <2803.1133111793@sss.pgh.pa.us> Content-Type: text/plain Date: Sun, 27 Nov 2005 17:55:22 +0000 Message-Id: <1133114122.2906.194.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.2.3 (2.2.3-2.fc4) Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at hub.org X-Spam-Status: No, score=0 required=5 tests=[none] X-Spam-Score: 0 X-Spam-Level: X-Archive-Number: 200511/157 X-Sequence-Number: 8872 On Sun, 2005-11-27 at 12:16 -0500, Tom Lane wrote: > "Magnus Hagander" writes: > > Per some discussion last week, I've put together a page with security > > information. Basically an introduction written by Simon and a table I > > pulled together by going through the CVE list and matching it up with > > our cvs versions. > > : All security issues are always fixed in the next major release, when > : it comes out. > > Perhaps "all known security issues..." The statement as made is > hopelessly hubristic. Agreed. I'm sure Magnus meant that. > Please remove the statements about how we will respond within X hours or > days. That has nothing to do with reality. (Reality is that we are > often constrained by CVE publication dates if the fix is trivial, and > if it isn't trivial then it won't be fixed instantly anyway.) The wording was "typically", there is no "will do this" statement, so its not a binding Service Level Agreement or anything. In terms of what has happened in the last couple of years, I thought it was a reasonable statement. It wasn't meant to be hype. If we can agree a worthwhile and accurate statement I'd ask that we keep it; if we can't then it should go. > I'd lose > the whole paragraph beginning "PGDG's aim ..." The line about our aim was part of the wording required (not exact, I hasten to add) for CVE-compatibility... > I think the bit about "Our goal is to gain and maintain CVE-compatible > status" is bogus. As near as I can tell, Mitre's definition of CVE > compatibility applies to security products (eg, vulnerability scanners) > which Postgres is not. You could maybe say that this one web page is > something that could apply for CVE compatibility status, but are we > going to jump through those hoops for one web page? Nyet. There aren't that many hoops and I have volunteered to do the paperwork. There isn't much else we need to do, apart from maintain the page. If it gets more complex, then I'd agree the effort isn't worth it and withdraw those comments. > The list seems a bit short; did you look through the release notes for > items that seem to be security issues? I suspect there are some that > don't have CVE names. OK. I think we should publish this to -hackers and ask people to check it before we put it up on the site. Best Regards, Simon Riggs