From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Rod Taylor <rbt(at)zort(dot)ca> |
Cc: | Justin Clift <justin(at)postgresql(dot)org>, Robert Treat <xzilla(at)users(dot)sourceforge(dot)net>, Neil Conway <neilc(at)samurai(dot)com>, Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>, Christopher Kings-Lynne <chriskl(at)familyhealth(dot)com(dot)au>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in |
Date: | 2002-08-21 17:31:26 |
Message-ID: | 200208211731.g7LHVQg29595@candle.pha.pa.us |
Lists: | pgsql-hackers |
Good point; please ask him. We have at least one month in beta.
---------------------------------------------------------------------------
Rod Taylor wrote:
> On Wed, 2002-08-21 at 13:13, Bruce Momjian wrote:
> > Justin Clift wrote:
> > > Bruce Momjian wrote:
> > > >
> > > > Justin Clift wrote:
> > > > > Only two things which have the potential to be worth waiting for, from
> > > > > what I'm aware of. There may be others:
> > > > >
> > > > > - Find out from Sir Mordred if he wants to take a look at the CVS
> > > > > version of code and audit in that for a bit, Just In Case he turns
> > > > > up something that's serious and requires substantial re-work.
> > > > > Although it means he wouldn't have a bunch of "I found this existing
> > > > > exploit" type releases, we could instead offer him credit on the
> > > > > press release along the lines of "This release has been audited for
> > > > > security flaws in its code by Sir Mordred". Am pretty sure he'd
> > > > > do a very thorough job for that, as it means he'd have an official
> > > > > "product reputation" he'd need to stand by for it.
> > > >
> > > > This is interesting. He would have a month to do it.
> > >
> > > Reckon it's worth asking him, to find out if he'd be interested in this?
> >
> >
> > I wouldn't do it yet until we know if we are going to delay.
>
> I'd ask anyway. 99% of the issues he finds will be fairly localized.
> Anything truly new (not on TODO already) will probably require a fair
> bit of time to track down, then fix time on top (2 months delay?).
>
> Anyway, these types of discoveries are better in beta than after the
> release and would still warrant a mention if there is a fair amount of
> ground covered.
>
>
> Personally, I'd be more interested in what's safe (covered) than what's
> broken. Posting the successful test cases as some proof towards
> stability / security of the new release would realize immediate gains in
> settling nervous VPs about the new installation.
>
>
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From | Date | Subject | |
---|---|---|---|
Next Message | Zeugswetter Andreas SB SD | 2002-08-21 17:39:12 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |
Previous Message | Tom Lane | 2002-08-21 17:31:01 | Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in |