Skip site navigation (1) Skip section navigation (2)

Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>,"Simon Riggs" <simon(at)2ndquadrant(dot)com>
Cc: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>,"Stephen Frost" <sfrost(at)snowman(dot)net>, <pgsql-hackers(at)postgresql(dot)org>,"Ferindo Middleton" <fmiddleton(at)verizon(dot)net>
Subject: Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Date: 2005-11-25 18:26:39
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE92E89C@algol.sollentuna.se (view raw or flat)
Thread:
Lists: pgsql-hackers
> > It seems like we need a much clearer resource for security 
> admins to 
> > check our compliance levels. This could be a source of similar 
> > refusal-to-implement PostgreSQL at other installations, so could 
> > almost be regarded as an advocacy issue. Other software 
> projects have 
> > been criticized badly for their security response and info 
> > dissemination - I don't believe that applies here, but it does 
> > indicate the general requirement and its priority. i.e. 
> don't just fix 
> > the bugs, tell everyone you've fixed the bugs.
> > 
> > Or, at very least, put stronger security warnings onto the 
> releases. 
> > (My own advice is always to watch for announcements and 
> stay current).
> 
> Well, as the original poster mentioned, they were looking for 
> a reason _not_ to use PostgreSQL, and if that is the goal, 
> you can find a reason, error numbers or not.

Sure - but it can be used as a good tool to prove such a person *wrong*.
Because it's an easy to find place.


> I am not excited about referencing error numbers from someone 
> else.  We know our errors better than anyone else, so I don't 
> see the point.

Point 1: Where do you go today to find a list of fixed security issues
in PostgreSQL, and where they are fixed? There is no central list of
this. This is the important point - to create such a list. (IMHO, of
course)


Point 2: CVE is pretty much the industry standard for naming
vulnerabilities. This is what people *use*. There's no reason *not* to
provide it as a cross reference. But sure, we shouldn't list only the
ones that have CVE numbers - if there are any that doesn't, they should
be listed as well. If you read up on CVE you will find that their only
function is to provide a common way to refer to a vulnerability, no
matter who talks about it, without any risk to get it wrong.



//Magnus

Responses

pgsql-hackers by date

Next:From: Peter EisentrautDate: 2005-11-25 18:28:10
Subject: Re: PL/php in pg_pltemplate
Previous:From: Gustavo ToniniDate: 2005-11-25 18:24:10
Subject: Doubt

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group