From: Tom Lane <[email protected]>
To: Magnus Hagander <[email protected]>
Cc: [email protected]
Cc: Simon Riggs <[email protected]>
Subject: Re: Security information page
Date: Sun, 27 Nov 2005 12:16:33 -0500
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>

"Magnus Hagander" <[email protected]> writes:
> Per some discussion last week, I've put together a page with security
> information. Basically an introduction written by Simon and a table I
> pulled together by going through the CVE list and matching it up with
> our cvs versions.

: All security issues are always fixed in the next major release, when
: it comes out.

Perhaps "all known security issues..."  The statement as made is
hopelessly hubristic.

Please remove the statements about how we will respond within X hours or
days.  That has nothing to do with reality.  (Reality is that we are
often constrained by CVE publication dates if the fix is trivial, and
if it isn't trivial then it won't be fixed instantly anyway.)  I'd lose
the whole paragraph beginning "PGDG's aim ..."

I think the bit about "Our goal is to gain and maintain CVE-compatible
status" is bogus.  As near as I can tell, Mitre's definition of CVE
compatibility applies to security products (eg, vulnerability scanners)
which Postgres is not.  You could maybe say that this one web page is
something that could apply for CVE compatibility status, but are we
going to jump through those hoops for one web page?  Nyet.

The list seems a bit short; did you look through the release notes for
items that seem to be security issues?  I suspect there are some that
don't have CVE names.

			regards, tom lane