Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Simon Riggs <simon(at)2ndquadrant(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org, Ferindo Middleton <fmiddleton(at)verizon(dot)net>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept
Date: 2005-11-25 17:20:23
Message-ID: 200511251720.jAPHKN412761@candle.pha.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-hackers pgsql-www

Simon Riggs wrote:
> On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote:
> > All known CVE problems are resolved in 8.0.4.
>
> I was unaware of this. I've looked at the release notes and searched the
> archives, but this doesn't seem to be mentioned by CVE number. (The
> vulnerabilities and their resolutions are described, just without direct
> cross reference to their CVE number.)
>
> Do we have an on-project description of this? If we-as-a-project know
> this, it seems straightforward to write it down.
>
> It seems like we need a much clearer resource for security admins to
> check our compliance levels. This could be a source of similar
> refusal-to-implement PostgreSQL at other installations, so could almost
> be regarded as an advocacy issue. Other software projects have been
> criticized badly for their security response and info dissemination - I
> don't believe that applies here, but it does indicate the general
> requirement and its priority. i.e. don't just fix the bugs, tell
> everyone you've fixed the bugs.
>
> Or, at very least, put stronger security warnings onto the releases. (My
> own advice is always to watch for announcements and stay current).

Well, as the original poster mentioned, they were looking for a reason
_not_ to use PostgreSQL, and if that is the goal, you can find a reason,
error numbers or not.

I am not excited about referencing error numbers from someone else. We
know our errors better than anyone else, so I don't see the point.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Peter Eisentraut 2005-11-25 18:37:16 Re: [HACKERS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Previous Message Keith Randall 2005-11-25 16:13:55 BUG #2072: CPPFLAGS clobbered

Browse pgsql-hackers by date

  From Date Subject
Next Message Joshua D. Drake 2005-11-25 17:36:34 Re: PL/php in pg_pltemplate
Previous Message Tom Lane 2005-11-25 17:14:24 Re: PL/php in pg_pltemplate

Browse pgsql-www by date

  From Date Subject
Next Message Peter Eisentraut 2005-11-25 18:37:16 Re: [HACKERS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Previous Message Darcy Buskermolen 2005-11-24 18:16:05 Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept