Greg Stark <gsstark@mit.edu> writes:
> Shachar Shemesh <psql@shemesh.biz> writes:
>> Also, if we want greater flexibility in handling these cases in the future, we
>> should set up an invite-only list for reporting security bugs,
> A lot of people would be unhappy with that approach. A) they don't know the
> people on the invite-only list and have no basis to trust them and B) Often
> when a white hat reports the problem the black hats have known about it for
> much longer already.
Past procedure for sensitive bugs has been for people to send reports to
the core committee (pgsql-core at postgresql dot org). If you don't
trust us you probably shouldn't be using Postgres ;-)
As per other comments, I don't find this bug compelling enough to
justify an instant release. Also, the original reporter is still
running his analysis tool and has found some other things that might
be worth patching. (Again, nothing compelling yet... but ...)
I'm inclined to wait a bit longer and see if we can't include some
more fixes in 7.4.3.
regards, tom lane
