Re: Purge obsolete security updates?
From | Tom Lane |
---|---|
Subject | Re: Purge obsolete security updates? |
Date | |
Msg-id | 11141.1296518910@sss.pgh.pa.us |
In response to | Purge obsolete security updates? (Josh Berkus <josh@agliodbs.com>) |
Responses |
Re: Purge obsolete security updates?
Re: Purge obsolete security updates? |
List | pgsql-www |
Josh Berkus <josh@agliodbs.com> writes:
> ... currently has security patch information going back to 2004. I'd
> like to cut everything which only applies through version 8.0 as
> obsolete. This would mean cutting all notices starting with
> CVE-2006-0678.
> Further, I'd like to make a general policy that we cut security
> information from this page a year after the last referenced version goes
> EOL (e.g. we'd delete CVE-2006-5542 this November).

-1 on both. The fact that we're not releasing new updates for old versions is miles away from suppressing information about them. Furthermore, having those notices up there might help to spur people to update off those versions, which is what we really want. If we remove all the old notices it is likely to leave the impression "hey, 7.4 is much more bug-free than the newer versions, so I should stay on it".

If anything, I'd like to see us *add* the older versions to the newer notices when relevant. We want people to realize that these holes exist and are unfixed in old branches, not think they're secure.

regards, tom lane