From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024 |
Date: | 2024-11-21 02:40:36 |
Message-ID: | CAKFQuwag2F-WwY9yHHQB2_tL2wRNftYaY5bDj86jQ8F302qnLA@mail.gmail.com |
Lists: | pgsql-hackers |
On Wed, Nov 20, 2024 at 7:18 PM Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> so when we decided to remove the downloads
Can you elaborate on who "we" is here?
I don't recall this event happening.
I suppose "encouraging people to wait" is arguably a bad position to take
compared to directing them to a page on our wiki where the risk factors are
laid out so they can make an informed decision based upon their situation.
But that seems like a person-to-person matter and not something the project
can take responsibility for or control. So, "immediately create a wiki
page when PR-level problems arise" could be added to the "could have done
better" list, so people have a URL to send instead of off-the-cuff advice.
Obviously "alter role set role" is a quite common usage in our community,
yet we lack any regression or TAP tests exercising it. We could have
done that better and caught the bug in the CVE fix.
If the CVEs do have mitigations available those should probably be noted
even if we expect people to apply the minor updates that remove
the vulnerability. If we didn't reason through and write out such
mitigations for any of these 4 that would be something to consider going
forward.
David J.
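The missing regression coverage mentioned above, sketched as an added pg_regress-style script (not from this thread or the PostgreSQL source tree; role names are constructed and the script assumes trust authentication so `\c` can switch users):

```sql
-- Constructed regression-style test for ALTER ROLE ... SET ROLE.
-- The per-role "role" setting is applied when a new session starts,
-- so the check has to reconnect as the affected login role.
CREATE ROLE regress_setrole_target;
CREATE ROLE regress_setrole_login LOGIN IN ROLE regress_setrole_target;
ALTER ROLE regress_setrole_login SET ROLE regress_setrole_target;

-- Reconnect as the login role; session_user stays the login role,
-- current_user must already be the target role without any SET ROLE.
\c - regress_setrole_login
SELECT session_user, current_user;

-- An explicit SET ROLE NONE must still bring current_user back to the login role.
SET ROLE NONE;
SELECT session_user, current_user;

-- Reconnect as the original (superuser) test role and clean up.
\c -
DROP ROLE regress_setrole_login;
DROP ROLE regress_setrole_target;
```

The expected output file would show `regress_setrole_login | regress_setrole_target` for the first SELECT and `regress_setrole_login | regress_setrole_login` for the second; any regression in applying the role-level setting at login would surface as a diff there.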