On Sun, 2005-11-27 at 13:46 +0100, Magnus Hagander wrote:
> Per some discussion last week, I've put together a page with security
> information. Basically an introduction written by Simon and a table I
> pulled together by going through the CVE list and matching it up with
> our cvs versions.
>
> As it makes some statements on behalf of the beliefs of the PGDG (the
> introduction), I'm giving everybody a good chance to complain and
> correct before it goes onto the actual website. Oh, and please also
> point out any incorrectness or missing information in the actual
> table...
>
> The link for the in progress version is
> http://magnus-master.pgadmin.org/support/security.
>
Some background to the statements made is probably required also.
We touched briefly upon what CVE is in various other posts on hackers.
The main CVE website is http://www.cve.mitre.org/
Maintaining CVE-compatible status is likely to be fairly important for
security risk management. It will also raise the profile of PostgreSQL
as secure software since CVE will list this project on their
compatibility page.
There are some basic requirements of CVE compatibility:
http://www.cve.mitre.org/compatible/ which are described in even more
detail here
http://www.cve.mitre.org/compatible/requirements.html
The link to CVE and the statement of support for CVE are part of those
requirements. Those are modelled after the Debian Security Information
page at http://www.us.debian.org/security/. That has nothing to do with
whether I am or am not a Debian supporter, it's just a guide as to how we
might make statements to claim CVE-compatibility.
I'm happy to be the coordinator for CVE compatibility and fill out the
forms to apply for the external review. I'd also be happy if another
would like to claim this task.
Best Regards, Simon Riggs