Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024 - Mailing list pgsql-hackers

From David G. Johnston
Subject Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024
Msg-id CAKFQuwag2F-WwY9yHHQB2_tL2wRNftYaY5bDj86jQ8F302qnLA@mail.gmail.com
In response to Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024  (Bruce Momjian <bruce@momjian.us>)
Responses Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024
Re: IMPORTANT: Out-of-cycle release scheduled for November 21, 2024
List pgsql-hackers
On Wed, Nov 20, 2024 at 7:18 PM Bruce Momjian <bruce@momjian.us> wrote:
> so when we decided to remove the downloads

Can you elaborate on who "we" is here?

I don't recall this event happening.

I suppose "encouraging people to wait" is arguably a bad position to take compared to directing them to a page on our wiki where the risk factors are laid out so they can make an informed decision based upon their situation.  But that seems like a person-to-person matter and not something the project can take responsibility for or control.  So, "immediately create a wiki page when PR-level problems arise" could be added to the "could have done better" list, so people have a URL to send instead of off-the-cuff advice.

Obviously "alter role set role" is a quite common usage in our community yet we lack any regression or tap tests exercising it.  That we could have done better and caught the bug in the CVE fix.

If the CVEs do have mitigations available those should probably be noted even if we expect people to apply the minor updates that remove the vulnerability.  If we didn't reason through and write out such mitigations for any of these 4 that would be something to consider going forward.

David J.
