Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4) - Mailing list pgsql-hackers

From Roberto C. Sánchez
Subject Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4)
Date
Msg-id Z3Neui8ucbQ47MNy@localhost
In response to Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4)  (Bruce Momjian <bruce@momjian.us>)
Responses Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4)
List pgsql-hackers
Hi Bruce,

On Mon, Dec 30, 2024 at 04:58:26PM -0500, Bruce Momjian wrote:
> On Mon, Dec 30, 2024 at 04:50:12PM -0500, Roberto C. Sánchez wrote:
> > On Sat, Dec 14, 2024 at 09:50:23PM -0500, Roberto C. Sánchez wrote:
> > > Greetings pgsql devs,
> > > 
> > > I would appreciate a review of my strategy for backporting the commits
> > > related to CVE-2024-10978. (I am working with versions 11, 9.6, and 9.4,
> > > for some older Debian releases.)
> > > 
> > > My conclusion is that of the two commits associated with CVE-2024-10978,
> > > both are required in 11 and 9.6, but only one is required in 9.4.
> > > 
> > I wonder if someone might be able to look at my original message and
> > help validate my analysis.
> 
> I saw your question and was kind of stumped about how to answer.  We
> rarely look at back branches for backpatch analysis, so I think we are
> kind of confused on how to answer.  Under what circumstances are you
> supported versions of Postgres that we don't support?  Is this part of
> Debian policy?  Is our five-year insufficient?
> 

Do you mean that branches for releases which are EOL are not looked at?
I understand that completely. What I was hoping for here was that
someone who was familiar with the old code might be able to look at my
analysis and either confirm that my conclusion is correct (the behavior
affected by the regression in the first commit was only introduced after
9.4) or not.

I did my best to structure my request in such a way that it would only
entail minimal effort to answer, assuming that it was viewed by someone
who had worked on those parts of the code that far back in the past.

As far as the five year support timeframe, that is amazing and much
more robust than many (most?) projects, especially considering the size
and pace of development here. We do have a small (paid) team that tries
to support a specific subset of packages going back longer than 5 years.

If my request is not reasonable or somehow inappropriate, then please
consider it withdrawn.

Regards,

-Roberto

-- 
Roberto C. Sánchez
