Subject: Re: Security information page
From: Simon Riggs
To: Magnus Hagander
Cc: Tom Lane, pgsql-www@postgresql.org
Date: Sun, 27 Nov 2005 22:51:05 +0000

On Sun, 2005-11-27 at 21:52 +0100, Magnus Hagander wrote:
..Tom Lane wrote
> > I think the bit about "Our goal is to gain and maintain
> > CVE-compatible status" is bogus. As near as I can tell,
> > Mitre's definition of CVE compatibility applies to security
> > products (eg, vulnerability scanners) which Postgres is not.
>
> Um. Not really - products like Debian are CVE compatible
> (http://www.us.debian.org/security/cve-compatibility), so it's not just
> for security products.
>
> > You could maybe say that this one web page is something that
> > could apply for CVE compatibility status, but are we going to
> > jump through those hoops for one web page? Nyet.
>
> Right. I'll take that off until such a time as we're further along that
> process (see Simon's mails).

I'll re-raise this as a separate item, later; one step at a time.

> Looks better now?

And the first step looks very good now.

Best Regards, Simon Riggs