Re: Security information page

"Magnus Hagander" <mha@sollentuna.net> writes:
> Per some discussion last week, I've put together a page with security
> information. Basically an introduction written by Simon and a table I
> pulled together by going through the CVE list and matching it up with
> our cvs versions.

: All security issues are always fixed in the next major release, when
: it comes out.

Perhaps "all known security issues..."  The statement as made is
hopelessly hubristic.

Please remove the statements about how we will respond within X hours or
days.  That has nothing to do with reality.  (Reality is that we are
often constrained by CVE publication dates if the fix is trivial, and
if it isn't trivial then it won't be fixed instantly anyway.)  I'd lose
the whole paragraph beginning "PGDG's aim ..."

I think the bit about "Our goal is to gain and maintain CVE-compatible
status" is bogus.  As near as I can tell, Mitre's definition of CVE
compatibility applies to security products (eg, vulnerability scanners)
which Postgres is not.  You could maybe say that this one web page is
something that could apply for CVE compatibility status, but are we
going to jump through those hoops for one web page?  Nyet.

The list seems a bit short; did you look through the release notes for
items that seem to be security issues?  I suspect there are some that
don't have CVE names.

            regards, tom lane