Jan Wieck wrote:
On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
Dawid Kuroczko wrote:
I think it is in good taste that when you find a bug/vulnerability/etc first you contact the author (in this case: core), leave them some time to fix the problem and then go on announcing it to the world.
In this case, core is not the author of the object in question. And of course, to report a "bug/vulnerability/etc" you would write to pgsql-bugs, not core.
No, Peter.
Posting a vulnerability on a public mailing list "before" there is a known fix for it means that you put everyone who has that vulnerability into jeopardy. Vulnerabilities are a special breed of bugs and need to be exterminated a little different.
Jan
ain't that the truth.
if a vulnerability is found, try to find a fix, or work around, post it privately to the developer, give them an opportunity to get it fixed before going public.
when dealing with open souurce, this system works great.
when dealing with proprietary / closed source [ specifically microsoft ]
expect that it's the public announcement that's going to start them doing something about it.
I personally would only give ms a week at most to fix the problem before going public.
since open source if usually fixed in that time frame.
Jaqui
---------------------------(end of broadcast)--------------------------- TIP 9: the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match