From: | Simon Riggs <simon(at)2ndquadrant(dot)com> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-hackers(at)postgresql(dot)org, Ferindo Middleton <fmiddleton(at)verizon(dot)net>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept |
Date: | 2005-11-25 18:46:57 |
Message-ID: | 1132944417.2906.23.camel@localhost.localdomain |
Lists: | pgsql-bugs pgsql-hackers pgsql-www |
On Fri, 2005-11-25 at 12:20 -0500, Bruce Momjian wrote:
> Simon Riggs wrote:
> > On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote:
> > > All known CVE problems are resolved in 8.0.4.
> >
> > It seems like we need a much clearer resource for security admins to
> > check our compliance levels. This could be a source of similar
> > refusal-to-implement PostgreSQL at other installations, so could almost
> > be regarded as an advocacy issue. Other software projects have been
> > criticized badly for their security response and info dissemination - I
> > don't believe that applies here, but it does indicate the general
> > requirement and its priority. i.e. don't just fix the bugs, tell
> > everyone you've fixed the bugs.
> Well, as the original poster mentioned, they were looking for a reason
> _not_ to use PostgreSQL, and if that is the goal, you can find a reason,
> error numbers or not.
I think that's true, but it should be our goal to remove all excuses so
that people have to face up to the real issues. I see this as advocacy
in many ways.
> I am not excited about referencing error numbers from someone else. We
> know our errors better than anyone else, so I don't see the point.
I think if you don't want to put those on the release notes, that's fine;
we know you're busy. Others have spoken in favour of a web page,
separate from the release notes, and as Tom points out it's easier to do
it that way retrospectively anyway.
*We* do know our errors, but that's not the point. CVE is becoming an
accepted standard for referring to security exposures and we should
follow this trend. http://www.cve.mitre.org/about/introduction.html
CVE isn't just somebody else's bugtrack numbers, they're big.
Debian, Gentoo, RedHat, IBM, CA etc already do this.
Unless somebody else wants to do this, I'll discuss on -www how we can
get a page up on the .org site with this info on, so that we can be "CVE
compatible".
Best Regards, Simon Riggs
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2005-11-25 19:18:32 | Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept |
Previous Message | Peter Eisentraut | 2005-11-25 18:37:16 | Re: [HACKERS] BUG #2052: Federal Agency Tech Hub Refuses to Accept |
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2005-11-25 19:18:32 | Re: BUG #2052: Federal Agency Tech Hub Refuses to Accept |
Previous Message | Martijn van Oosterhout | 2005-11-25 18:46:45 | Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept |