> -----Original Message-----
> From: Neil Conway [mailto:neilc@samurai.com]
> Sent: Tuesday, August 20, 2002 1:44 PM
> To: Vince Vielhaber
> Cc: pgsql-hackers@postgreSQL.org
> Subject: Re: [HACKERS] @(#)Mordred Labs advisory 0x0003:
> Buffer overflow in PostgreSQL (fwd)
>
>
> Vince Vielhaber <vev@michvhf.com> writes:
> > Here's yet another.
>
> Should someone from the core team perhaps get in contact with
> this guy and ask if he could get in contact with the
> development team before publicizing any further security
> holes? AFAIK that is standard operating procedure in most cases...

As long as we continue to find out about them, I would just let him work away.
He is clearly an excellent tester, and if you had to hire him it would
be very expensive.
As long as he is producing results of such great value, I think it is
wonderful.

> Second, it might be worth pushing a 7.2.2 release containing
> the fix for this bug, as well as the datetime problem. If
> that sounds reasonable to the people who have to do the most
> work on a new release (e.g. Marc), I can volunteer to
> backport a fix for the datetime problem.

Bugs that cause a catastrophic error (e.g. "crash" of the database
engine, causing loss of data) should have the highest priority. Call
them category zero.

Bugs that cause incorrect results should have the next highest priority.
Call them category one.

Bugs that are minor annoyances (e.g. "appearance" such as a misspelled
word in a help file) should be low priority.

Bugs that are only suggestions for improvements should have the lowest
priority.

All known category zero and one bugs should be fixed before each and
every new release. IMO-YMMV.