Subject: Re: [pgsql-www] Security information page
From: "Magnus Hagander"
To: "Tom Lane"
Cc: , "Simon Riggs"
Date: Sun, 27 Nov 2005 21:52:37 +0100
Message-ID: <6BCB9D8A16AC4241919521715F4D8BCE92E8B0@algol.sollentuna.se>
X-Archive-Number: 200511/159
X-Sequence-Number: 8874

> > Per some discussion last week, I've put together a page with security
> > information. Basically an introduction written by Simon and a table I
> > pulled together by going through the CVE list and matching it up with
> > our cvs versions.
>
> : All security issues are always fixed in the next major release, when
> : it comes out.
>
> Perhaps "all known security issues..." The statement as made is
> hopelessly hubristic.

Typo. Thanks. Certainly didn't intend it as anything other than all
*known*.

> Please remove the statements about how we will respond within X hours
> or days. That has nothing to do with reality. (Reality is that we are
> often constrained by CVE publication dates if the fix is trivial, and
> if it isn't trivial then it won't be fixed instantly anyway.) I'd lose
> the whole paragraph beginning "PGDG's aim ..."

Ok. I'll zap it. I guess it can be read as a promise, which it really
isn't. "Marketing info" about the speed of patching probably belongs on a
different page.

> I think the bit about "Our goal is to gain and maintain CVE-compatible
> status" is bogus. As near as I can tell, Mitre's definition of CVE
> compatibility applies to security products (eg, vulnerability
> scanners) which Postgres is not.

Um. Not really - products like Debian are CVE compatible
(http://www.us.debian.org/security/cve-compatibility), so it's not just
for security products.

> You could maybe say that this one web page is something that could
> apply for CVE compatibility status, but are we going to jump through
> those hoops for one web page? Nyet.

Right. I'll take that off until such a time as we're further along that
process (see Simon's mails). Looks better now?

> The list seems a bit short; did you look through the release notes for
> items that seem to be security issues? I suspect there are some that
> don't have CVE names.

No, I cheated and did only the CVE list, hoping they did their homework
;-). Limiting the list to 7.3+ cut it down quite a bit. I'll go through
the release notes and see what I can find. Point-releases only should be
enough, right? (since they'd be back-patched from HEAD when found).

Thanks for your quick review!

//Magnus