> > > > We really should write the CVE numbers into the commit messages
> > > > and the release notes.
> > >
> > > I think that would be good.
> >
> > That requires the CVE number to be available at the time of commit.
> > Not sure if it'll always be. But if it is, it's certainly a good idea
> > to put it in.
>
> I think that depends on who discovers it. CVEs are assigned
> even if it's not clear that the vulnerability is exploitable.
> In any case, some distributors (like Debian) already track
> CVEs on your behalf. In general they refer to the CVE when
> releasing fixes.

Right. This is exactly why it's good to have a list of our own, so people can cross-reference.

> In any case, PostgreSQL already seems to have had 29 CVEs logged:
>
> http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql

Not quite that many. Several of those are not for postgresql at all, but for third-party products *using* postgresql.

//Magnus