Skip site navigation (1) Skip section navigation (2)

Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Simon Riggs <simon(at)2ndquadrant(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org, Ferindo Middleton <fmiddleton(at)verizon(dot)net>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept
Date: 2005-11-25 17:20:23
Message-ID: 200511251720.jAPHKN412761@candle.pha.pa.us (view raw or flat)
Thread:
Lists: pgsql-bugspgsql-hackerspgsql-www
Simon Riggs wrote:
> On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote: 
> > All known CVE problems are resolved in 8.0.4.
> 
> I was unaware of this. I've looked at the release notes and searched the
> archives, but this doesn't seem to be mentioned by CVE number. (The
> vulnerabilities and their resolutions are described, just without direct
> cross reference to their CVE number.)
> 
> Do we have an on-project description of this? If we-as-a-project know
> this, it seems straightforward to write it down.
> 
> It seems like we need a much clearer resource for security admins to
> check our compliance levels. This could be a source of similar
> refusal-to-implement PostgreSQL at other installations, so could almost
> be regarded as an advocacy issue. Other software projects have been
> criticized badly for their security response and info dissemination - I
> don't believe that applies here, but it does indicate the general
> requirement and its priority. i.e. don't just fix the bugs, tell
> everyone you've fixed the bugs.
> 
> Or, at very least, put stronger security warnings onto the releases. (My
> own advice is always to watch for announcements and stay current).

Well, as the original poster mentioned, they were looking for a reason
_not_ to use PostgreSQL, and if that is the goal, you can find a reason,
error numbers or not.

I am not excited about referencing error numbers from someone else.  We
know our errors better than anyone else, so I don't see the point.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

In response to

Responses

pgsql-hackers by date

Next:From: Joshua D. DrakeDate: 2005-11-25 17:36:34
Subject: Re: PL/php in pg_pltemplate
Previous:From: Tom LaneDate: 2005-11-25 17:14:24
Subject: Re: PL/php in pg_pltemplate

pgsql-bugs by date

Next:From: Peter EisentrautDate: 2005-11-25 18:37:16
Subject: Re: [HACKERS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Previous:From: Keith RandallDate: 2005-11-25 16:13:55
Subject: BUG #2072: CPPFLAGS clobbered

pgsql-www by date

Next:From: Peter EisentrautDate: 2005-11-25 18:37:16
Subject: Re: [HACKERS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Previous:From: Darcy BuskermolenDate: 2005-11-24 18:16:05
Subject: Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group