Re: CVE Links are broken on the PG 10.1 news page

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Daniel Gustafsson <daniel(at)yesql(dot)se>, Damien Clochard <damien(at)dalibo(dot)info>, pgsql-www(at)lists(dot)postgresql(dot)org
Subject: Re: CVE Links are broken on the PG 10.1 news page
Date: 2017-11-10 17:29:59
Message-ID: CABUevEx-EWXCgOjjpz_JoO99PusQUYcgxxHKJGuYyCktiZ7_wg@mail.gmail.com
Lists: pgsql-www

On Fri, Nov 10, 2017 at 5:55 PM, Jonathan S. Katz <jkatz(at)postgresql(dot)org>
wrote:

>
> > On Nov 10, 2017, at 11:32 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >
> > Magnus Hagander <magnus(at)hagander(dot)net> writes:
> >> On Fri, Nov 10, 2017 at 2:56 PM, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> >>> On 10 Nov 2017, at 12:14, Damien Clochard <damien(at)dalibo(dot)info> wrote:
> >>>> The 3 CVE links lead to a 404 page on RH website :
> >>>> https://access.redhat.com/security/cve/CVE-2017-12172
> >>>> https://access.redhat.com/security/cve/CVE-2017-15098
> >>>> https://access.redhat.com/security/cve/CVE-2017-15099
> >
> >>> Even better would probably be to not make them actual links until the
> >>> target URL exists.
> >
> >> We used to do it that way. Which then meant they usually didn't get updated
> >> until the next round of releases, because it got forgotten :/
> >
> > FWIW, I see that -12172 just got de-embargoed. Probably the other two
> > will follow shortly.
>
> Interestingly enough, when I checked post-release yesterday, they were
> available, so they must have been re-embargoed shortly thereafter.
>

I think the right thing to do here will materialize itself once I have
finished off the branch which databaseifies the list. When we've reached
that point we can have a cronjob that pings the redhat urls and turns it
into a link only once they stop returning 404.

Until then I think we're best off just keeping it the way it is now.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
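
Added example, not part of the original message and not pgweb code: one way the periodic check proposed above could decide when a CVE reference becomes a link, using the Red Hat URL pattern quoted in the thread. The names `http_status`, `refresh`, `render` and the `state` mapping are hypothetical. Assumptions: only a 200 publishes a link, a 404 (including a page that disappears again) reverts it to plain text, and any other outcome keeps the previous state.

```python
import html
import re
import urllib.error
import urllib.request

CVE_URL = "https://access.redhat.com/security/cve/{}"  # URL pattern quoted in the thread
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")  # refuse anything else before building a URL

def http_status(url, timeout=10):
    """HEAD the URL; return the HTTP status code, or None on a network failure."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # e.g. 404 while the upstream page is unpublished
    except OSError:
        return None              # DNS, TLS, timeout: no information either way

def refresh(state, status_of=http_status):
    """One scheduled run. `state` maps CVE id -> bool (link it?). Returns changed ids."""
    changed = []
    for cve, linked in state.items():
        if not CVE_ID.fullmatch(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
        status = status_of(CVE_URL.format(cve))
        if status == 200:
            now = True
        elif status == 404:
            now = False          # assumption: a page that vanishes again is unlinked
        else:
            now = linked         # assumption: 5xx or network errors keep the last state
        if now != linked:
            changed.append(cve)
        state[cve] = now
    return changed

def render(cve, linked):
    """HTML fragment for the news page: a link only when the target is known to exist."""
    text = html.escape(cve)
    if not linked:
        return text
    return f'<a href="{html.escape(CVE_URL.format(cve), quote=True)}">{text}</a>'
```

`status_of` is injectable so the decision logic can be exercised without network access.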
