> > > > We really should write the CVE numbers into the commit messages
> > > > and the release notes.
> > >
> > > I think that would be good.
> >
> > That requires the CVE number to be available at the time of commit.
> > Not sure if it'll always be. But if it is, it's certainly a
> good idea
> > to put it in.
>
> I think that depends on who discovers it. CVEs are assigned
> even if it's not clear that the vulnerability is exploitable.
> In anycase, some distributors (like Debian) already track
> CVEs on your behalf. In general they refer to the CVE when
> releasing fixes.
Right. This is exactly why it's good to have a list of our own, so ppl
can cross reference.
> In any case, PostgreSQL already seems to have had 29 CVEs logged:
>
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql
Not quite that many. Several of those are not for postgresql at all, but
for third party products *using* postgresql.
//Magnus