Neil Conway <neilc@samurai.com> writes:
> While we can modify the regression tests to catch this specific problem
> in the future, I wonder if there ought to be more testing of security
> releases in the future. When a problem is reported, fixed, tested, and
> the resulting security fix is publicly distributed all without public
> discussion (e.g. on the -hackers list), that sounds like an invitation
> to introduce regressions to me.
No doubt about it, but what else do you propose? This patch was
reviewed by several people, none of whom caught the problem. (Not that
I want to blame them, it was certainly my bug.) And we normally don't
have indefinite amounts of time to spend before responding. With
limited eyes and limited time you're going to have a greater chance of
screw-up; but unless we are willing to flout the conventional wisdom
about keeping security-related bugs secret, I think that's just
something that's got to be lived with.
regards, tom lane