From: Tom Lane
To: "Magnus Hagander"
cc: pgsql-www@postgresql.org, "Simon Riggs"
Subject: Re: Security information page
Date: Sun, 27 Nov 2005 12:16:33 -0500
Message-ID: <2803.1133111793@sss.pgh.pa.us>
In-reply-to: <6BCB9D8A16AC4241919521715F4D8BCE92E8A9@algol.sollentuna.se>

"Magnus Hagander" writes:
> Per some discussion last week, I've put together a page with security
> information. Basically an introduction written by Simon and a table I
> pulled together by going through the CVE list and matching it up with
> our cvs versions.

: All security issues are always fixed in the next major release, when
: it comes out.

Perhaps "all known security issues..." The statement as made is
hopelessly hubristic.

Please remove the statements about how we will respond within X hours
or days. That has nothing to do with reality. (Reality is that we are
often constrained by CVE publication dates if the fix is trivial, and
if it isn't trivial then it won't be fixed instantly anyway.) I'd lose
the whole paragraph beginning "PGDG's aim ..."

I think the bit about "Our goal is to gain and maintain CVE-compatible
status" is bogus. As near as I can tell, Mitre's definition of CVE
compatibility applies to security products (eg, vulnerability scanners)
which Postgres is not. You could maybe say that this one web page is
something that could apply for CVE compatibility status, but are we
going to jump through those hoops for one web page? Nyet.

The list seems a bit short; did you look through the release notes for
items that seem to be security issues? I suspect there are some that
don't have CVE names.

regards, tom lane