> > Per some discussion last week, I've put together a page
> with security
> > information. Basically an introduction written by Simon and
> a table I
> > pulled together by going through the CVE list and matching
> it up with
> > our cvs versions.
>
> : All security issues are always fixed in the next major release, when
> : it comes out.
>
> Perhaps "all known security issues..." The statement as made
> is hopelessly hubristic.
Typo. Thanks. Certainly didn't intend it as anything else than all
*known*.
> Please remove the statements about how we will respond within
> X hours or days. That has nothing to do with reality.
> (Reality is that we are often constrained by CVE publication
> dates if the fix is trivial, and if it isn't trivial then it
> won't be fixed instantly anyway.) I'd lose the whole
> paragraph beginning "PGDG's aim ..."
Ok. I'll zap it. I guess it can be read as a promise, which it really
isn't. "Marketing info" about the speed of patching probably belongs on
a different page.
> I think the bit about "Our goal is to gain and maintain
> CVE-compatible status" is bogus. As near as I can tell,
> Mitre's definition of CVE compatibility applies to security
> products (eg, vulnerability scanners) which Postgres is not.
Um. Not really - products like Debian are CVE compatible
(http://www.us.debian.org/security/cve-compatibility), so it's not just
for security products.
> You could maybe say that this one web page is something that
> could apply for CVE compatibility status, but are we going to
> jump through those hoops for one web page? Nyet.
Right. I'll take that off until such a time as we're further along that
process (see Simons mails).
Looks better now?
> The list seems a bit short; did you look through the release
> notes for items that seem to be security issues? I suspect
> there are some that don't have CVE names.
No, I cheated and did only the CVE list, hoping they did their homework
;-). Limiting the list to 7.3+ cut it dow nquite a bit.
I'll go through the release notes and see what I can find.
Point-releases only should be enough, right? (since they'd be
back-patched from HEAD when found).
Thanks for your quick review!
//Magnus