public inbox for [email protected]  
From: Magnus Hagander <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Cc: Simon Riggs <[email protected]>
Subject: Re: Security information page
Date: Sun, 27 Nov 2005 21:52:37 +0100
Message-ID: <[email protected]>

> > Per some discussion last week, I've put together a page with security
> > information. Basically an introduction written by Simon and a table I
> > pulled together by going through the CVE list and matching it up with
> > our cvs versions.
> 
> : All security issues are always fixed in the next major release, when
> : it comes out.
> 
> Perhaps "all known security issues..."  The statement as made 
> is hopelessly hubristic.

Typo. Thanks. Certainly didn't intend it as anything else than all
*known*.


> Please remove the statements about how we will respond within 
> X hours or days.  That has nothing to do with reality.  
> (Reality is that we are often constrained by CVE publication 
> dates if the fix is trivial, and if it isn't trivial then it 
> won't be fixed instantly anyway.)  I'd lose the whole 
> paragraph beginning "PGDG's aim ..."

Ok. I'll zap it. I guess it can be read as a promise, which it really
isn't. "Marketing info" about the speed of patching probably belongs on
a different page.


> I think the bit about "Our goal is to gain and maintain 
> CVE-compatible status" is bogus.  As near as I can tell, 
> Mitre's definition of CVE compatibility applies to security 
> products (eg, vulnerability scanners) which Postgres is not.  

Um. Not really - products like Debian are CVE compatible
(http://www.us.debian.org/security/cve-compatibility), so it's not just
for security products.

> You could maybe say that this one web page is something that 
> could apply for CVE compatibility status, but are we going to 
> jump through those hoops for one web page?  Nyet.

Right. I'll take that off until such a time as we're further along that
process (see Simon's mails).

Looks better now?

> The list seems a bit short; did you look through the release 
> notes for items that seem to be security issues?  I suspect 
> there are some that don't have CVE names.

No, I cheated and did only the CVE list, hoping they did their homework
;-). Limiting the list to 7.3+ cut it down quite a bit.

I'll go through the release notes and see what I can find.
Point-releases only should be enough, right? (since they'd be
back-patched from HEAD when found).

Thanks for your quick review!

//Magnus
