Re: Security information page
From | Magnus Hagander
---|---
Subject | Re: Security information page
Date |
Msg-id | 6BCB9D8A16AC4241919521715F4D8BCE92E8B0@algol.sollentuna.se
In reply to | Security information page ("Magnus Hagander" <mha@sollentuna.net>)
Responses | Re: Security information page
List | pgsql-www
> > Per some discussion last week, I've put together a page with security
> > information. Basically an introduction written by Simon and a table I
> > pulled together by going through the CVE list and matching it up with
> > our cvs versions.
>
> > : All security issues are always fixed in the next major release, when
> > : it comes out.
>
> Perhaps "all known security issues..." The statement as made
> is hopelessly hubristic.

Typo. Thanks. Certainly didn't intend it as anything other than all *known*.

> Please remove the statements about how we will respond within
> X hours or days. That has nothing to do with reality.
> (Reality is that we are often constrained by CVE publication
> dates if the fix is trivial, and if it isn't trivial then it
> won't be fixed instantly anyway.) I'd lose the whole
> paragraph beginning "PGDG's aim ..."

Ok. I'll zap it. I guess it can be read as a promise, which it really isn't. "Marketing info" about the speed of patching probably belongs on a different page.

> I think the bit about "Our goal is to gain and maintain
> CVE-compatible status" is bogus. As near as I can tell,
> Mitre's definition of CVE compatibility applies to security
> products (eg, vulnerability scanners) which Postgres is not.

Um. Not really - products like Debian are CVE compatible (http://www.us.debian.org/security/cve-compatibility), so it's not just for security products.

> You could maybe say that this one web page is something that
> could apply for CVE compatibility status, but are we going to
> jump through those hoops for one web page? Nyet.

Right. I'll take that off until such a time as we're further along that process (see Simon's mails). Looks better now?

> The list seems a bit short; did you look through the release
> notes for items that seem to be security issues? I suspect
> there are some that don't have CVE names.

No, I cheated and did only the CVE list, hoping they did their homework ;-). Limiting the list to 7.3+ cut it down quite a bit.

I'll go through the release notes and see what I can find. Point-releases only should be enough, right? (since they'd be back-patched from HEAD when found).

Thanks for your quick review!

//Magnus