Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>, "Simon Riggs" <simon(at)2ndquadrant(dot)com>
Cc: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Stephen Frost" <sfrost(at)snowman(dot)net>, <pgsql-hackers(at)postgresql(dot)org>, "Ferindo Middleton" <fmiddleton(at)verizon(dot)net>
Subject: Re: [BUGS] BUG #2052: Federal Agency Tech Hub Refuses to Accept
Date: 2005-11-25 18:26:39
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE92E89C@algol.sollentuna.se
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> > It seems like we need a much clearer resource for security
> admins to
> > check our compliance levels. This could be a source of similar
> > refusal-to-implement PostgreSQL at other installations, so could
> > almost be regarded as an advocacy issue. Other software
> projects have
> > been criticized badly for their security response and info
> > dissemination - I don't believe that applies here, but it does
> > indicate the general requirement and its priority. i.e.
> don't just fix
> > the bugs, tell everyone you've fixed the bugs.
> >
> > Or, at very least, put stronger security warnings onto the
> releases.
> > (My own advice is always to watch for announcements and
> stay current).
>
> Well, as the original poster mentioned, they were looking for
> a reason _not_ to use PostgreSQL, and if that is the goal,
> you can find a reason, error numbers or not.

Sure - but it can be used as a good tool to prove such a person *wrong*.
Because it's an easy to find place.

> I am not excited about referencing error numbers from someone
> else. We know our errors better than anyone else, so I don't
> see the point.

Point 1: Where do you go today to find a list of fixed security issues
in PostgreSQL, and where they are fixed? There is no central list of
this. This is the important point - to create such a list. (IMHO, of
course)

Point 2: CVE is pretty much the industry standard for naming
vulnerabilities. This is what people *use*. There's no reason *not* to
provide it as a cross reference. But sure, we shouldn't list only the
ones that have CVE numbers - if there are any that doesn't, they should
be listed as well. If you read up on CVE you will find that their only
function is to provide a common way to refer to a vulnerability, no
matter who talks about it, without any risk to get it wrong.

//Magnus

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2005-11-25 18:28:10 Re: PL/php in pg_pltemplate
Previous Message Gustavo Tonini 2005-11-25 18:24:10 Doubt