| From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | <pgsql-www(at)postgresql(dot)org>, "Simon Riggs" <simon(at)2ndquadrant(dot)com> |
| Subject: | Re: Security information page |
| Date: | 2005-11-27 20:52:37 |
| Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE92E8B0@algol.sollentuna.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
> > Per some discussion last week, I've put together a page
> with security
> > information. Basically an introduction written by Simon and
> a table I
> > pulled together by going through the CVE list and matching
> it up with
> > our cvs versions.
>
> : All security issues are always fixed in the next major release, when
> : it comes out.
>
> Perhaps "all known security issues..." The statement as made
> is hopelessly hubristic.
Typo. Thanks. Certainly didn't intend it as anything else than all
*known*.
> Please remove the statements about how we will respond within
> X hours or days. That has nothing to do with reality.
> (Reality is that we are often constrained by CVE publication
> dates if the fix is trivial, and if it isn't trivial then it
> won't be fixed instantly anyway.) I'd lose the whole
> paragraph beginning "PGDG's aim ..."
Ok. I'll zap it. I guess it can be read as a promise, which it really
isn't. "Marketing info" about the speed of patching probably belongs on
a different page.
> I think the bit about "Our goal is to gain and maintain
> CVE-compatible status" is bogus. As near as I can tell,
> Mitre's definition of CVE compatibility applies to security
> products (eg, vulnerability scanners) which Postgres is not.
Um. Not really - products like Debian are CVE compatible
(http://www.us.debian.org/security/cve-compatibility), so it's not just
for security products.
> You could maybe say that this one web page is something that
> could apply for CVE compatibility status, but are we going to
> jump through those hoops for one web page? Nyet.
Right. I'll take that off until such a time as we're further along that
process (see Simons mails).
Looks better now?
> The list seems a bit short; did you look through the release
> notes for items that seem to be security issues? I suspect
> there are some that don't have CVE names.
No, I cheated and did only the CVE list, hoping they did their homework
;-). Limiting the list to 7.3+ cut it dow nquite a bit.
I'll go through the release notes and see what I can find.
Point-releases only should be enough, right? (since they'd be
back-patched from HEAD when found).
Thanks for your quick review!
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Neil Conway | 2005-11-27 22:35:54 | Re: Security information page |
| Previous Message | Dave Page | 2005-11-27 20:38:04 | svr2/unionfs |