Dawid Kuroczko <qnex42@xxxxxxxxx> writes: > > Why only -core? > > I think it is in good taste that when you find a bug/vulnerability/etc > first you contact the author (in this case: core), leave them some > time to fix the problem and then go on announcing it to the > world. > > I think it is perfectly reasonable! In case there are some that are not aware, this is a matter of some controversy. Many people believe it better to disclose vulnerabilities publicly. There are always ways for a sysadmin to close the vulnerability, even if it means temporarily limiting access until the fix is available. How would you like to be a sysadmin that finds his system exploited only to discover that the vulnerability was known and he could have worked around it had he been informed but those in the know kept it secret until a patch was published. The only way keeping it secret is really justified is if a) You know no malicious persons are aware of the vulnerability (which of course one never really knows for certain) b) it's more reasonable for a sysadmin to run with the vulnerability than to work around it using whatever means necessary (and you feel comfortable making that decision for every sysadmin everywhere). There are certainly others that disagree but I think history shows that when vulnerabilities are disclosed in full sysadmins can react more effectively and vendors release fixes faster and the net result is fewer compromises and better software. Of course in this case the argument that Postgres would have responded quicker had the vulnerability been known is almost certainly baseless. And it may turn out to be the case that there were no compromises because not a single malicious user knew about the hole. It doesn't always work out that way though. -- greg ---------------------------(end of broadcast)--------------------------- TIP 7: don't forget to increase your free space map settings
