Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Jonathan S. Katz
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id 5BBFDA18-2BCF-4B21-A81A-6ACAAC0A3030@excoventures.com
In response to Re: Heroku early upgrade is raising serious questions  (Josh Berkus <josh@agliodbs.com>)
Responses Re: Heroku early upgrade is raising serious questions  (Josh Berkus <josh@agliodbs.com>)
List pgsql-advocacy
Hi Josh,

On Apr 3, 2013, at 12:57 AM, Josh Berkus wrote:

> Jonathan,
>
>> Here is a wiki I threw together combining elements of both our
>> current security page and thoughts from the Django one:
>
> Thanks for getting this started!  I've revised it heavily.

Thanks for working on it - it looks very good overall.

My one question regarding policy is related to distribution.  I do agree with the evaluation criteria for choosing
distributors, but my question pertains to entities that could be classified as "critical infrastructure" that use
Postgres, e.g. utilities, hospitals, etc.  Though it is still up to the management of those entities to handle the
upgrades, I think it would be in their best interests to have a critical security fix available to them so they have
that opportunity before it goes live.

I also presume that these organizations receive their releases from distributors - so if we were to enable such
organizations to also receive an early release, what would the policy be?

>> One suggestion (not in the draft) is that when we do make release
>> announcements containing security fixes, we do include the URL to our
>> security policy to make it clear what it is.
>
> Actually, we usually do provide a link.

I've looked through the news announcements for the last few releases.  There are links to the versioning policy and, if
there is a CVE, a link to the CVE listing site itself, but nothing pointing to our security policy.  I strongly suggest
we add that link to our template (I don't know where that exists) and make sure it's in any future email pertaining to a
security announcement and/or release.

Jonathan
