Simon Riggs wrote: > On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote: > > All known CVE problems are resolved in 8.0.4. > > I was unaware of this. I've looked at the release notes and searched the > archives, but this doesn't seem to be mentioned by CVE number. (The > vulnerabilities and their resolutions are described, just without direct > cross reference to their CVE number.) > > Do we have an on-project description of this? If we-as-a-project know > this, it seems straightforward to write it down. > > It seems like we need a much clearer resource for security admins to > check our compliance levels. This could be a source of similar > refusal-to-implement PostgreSQL at other installations, so could almost > be regarded as an advocacy issue. Other software projects have been > criticized badly for their security response and info dissemination - I > don't believe that applies here, but it does indicate the general > requirement and its priority. i.e. don't just fix the bugs, tell > everyone you've fixed the bugs. > > Or, at very least, put stronger security warnings onto the releases. (My > own advice is always to watch for announcements and stay current).
Well, as the original poster mentioned, they were looking for a reason _not_ to use PostgreSQL, and if that is the goal, you can find a reason, error numbers or not. I am not excited about referencing error numbers from someone else. We know our errors better than anyone else, so I don't see the point. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073 ---------------------------(end of broadcast)--------------------------- TIP 4: Have you searched our list archives? http://archives.postgresql.org