On Fri, Aug 17, 2018 at 4:39 AM, Bruce Momjian <bruce@momjian.us> wrote:
On Thu, Aug 16, 2018 at 09:25:36AM -0700, Andres Freund wrote:
> On 2018-08-16 16:32:00 +0100, Justin Clift wrote:
> > On 2018-08-16 16:25, Andres Freund wrote:
> > > FWIW, I find this pretty damning given that there's been new security
> > > release for a week: You've added no notes about it to the bigsql
> > > download page. Pinged nobody, to get the downloadlinks temporarily
> > > adorned with a warning on the pg site. And then there's the issue that
> > > the dates besides the releases on the download page are referencing the
> > > date of the newest set of minor releases, but aren't actually new.
> > >
> > > This is ridiculously intransparent.
> >
> > Is it fairly simple for us to just comment out/remove the links for now?
> >
> > We don't want to be pointing people to software with known security issues.
> >
> > We can put the links back in when the updated downloads are in place. :)
>
> Probably don't want to remove them entirely, it might prevent people
> from upgrading from an even older release with more serious issues. But
> a red warning seems appropriate.
Agreed. We need to do something _now_, and the fact that we are having to discover this instead of OpenSCG telling us is a good reason to suspect the use of this download site in the future.
Looking at their website now, does it show they now have the proper binaries?