Thread: Extra security measures for next week's releases

Extra security measures for next week's releases

From: Tom Lane
The core committee has decided that one of the security issues due to be
fixed next week is sufficiently bad that we need to take extra measures
to prevent it from becoming public before packages containing the fix
are available.  (This is a scenario we've discussed before, but never
had to actually implement.)

What we intend to do is shut off updates from the master git repo to
the anonymous-git mirror, and to github, from Monday afternoon until
Thursday morning.  Commit-log emails to pgsql-committers will also be
held for this period.  This will prevent the commits that fix and
document the bug from becoming visible to anyone except Postgres
committers.  Updates will resume as soon as the release announcement
is made.

Although committers will still be able to work normally, we realize
that this is likely to be a handicap for non-committers; and it will
also mean that buildfarm runs will not test any new commits until the
mirrors are allowed to update.  We do not intend to start doing this
as a routine thing, and apologize in advance for any disruption.
It seems necessary in this instance, however.

        regards, tom lane



Re: Extra security measures for next week's releases

From: roadrunner6@gmx.at

On 28.03.2013 18:03, Tom Lane wrote:
> The core committee has decided that one of the security issues due to be
> fixed next week is sufficiently bad that we need to take extra measures
> to prevent it from becoming public before packages containing the fix
> are available.  (This is a scenario we've discussed before, but never
> had to actually implement.)
>

8.3 has reached EOL in February 2013, I guess there will be no fix for 
8.3, right?





Re: Extra security measures for next week's releases

From: Magnus Hagander

On Wed, Apr 3, 2013 at 12:09 PM,  <roadrunner6@gmx.at> wrote:
> On 28.03.2013 18:03, Tom Lane wrote:
>
>> The core committee has decided that one of the security issues due to be
>> fixed next week is sufficiently bad that we need to take extra measures
>> to prevent it from becoming public before packages containing the fix
>> are available.  (This is a scenario we've discussed before, but never
>> had to actually implement.)
>>
>
> 8.3 has reached EOL in February 2013, I guess there will be no fix for 8.3,
> right?

That is correct.

Some distributions may backpatch fixes manually, but there will be no
official patch for 8.3.


--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/