On 4/24/19 8:09 AM, Patil, Prashant wrote:
Thanks Tom. So since security patches are not released separately, they are part
of minor releases. Is this a correct statement?
Yes. See below for the reasoning and schedule:
https://www.postgresql.org/support/versioning/
https://www.postgresql.org/developer/roadmap/
If they are part of minor releases, we need to download the source code for that
release and perform an upgrade, and while performing the upgrade we can point the install
directories to our custom data/config directories, right?
Regards,
Prashant
-----Original Message-----
From: Tom Lane <t...@sss.pgh.pa.us>
Sent: Wednesday, April 24, 2019 10:58 AM
To: Adrian Klaver <adrian.kla...@aklaver.com>
Cc: Patil, Prashant <prashant.pa...@crowncastle.com>;
pgsql-general@lists.postgresql.org
Subject: Re: Postgres Security Patches Question
[ removing security list, since this is not a security bug report ]
Adrian Klaver <adrian.kla...@aklaver.com> writes:
On 4/24/19 7:30 AM, Patil, Prashant wrote:
... If there is any security patch that needs to be applied to the postgres
database in the future:
1. Would the security patch be available in the form of source code/zip file, OR do we have to apply it using rpm?
2. If rpm, would it be possible to install the security patch into postgres custom directories through RPM?
3. Any caveats that we need to be aware of?
AFAIK the patches are not released separately. In your case you would
need to download the new patched complete source and rebuild it.
We do not release security patches separately, and are not interested in doing
so. Two points you might wish to consider:
* Security patches are not tested standalone, only on top of the complete
patch-series-to-date. There's no certainty they'd even apply to an earlier
snapshot, let alone work as intended.
* For most database installations, data-loss-risk bugs are at least as important as
"security" bugs, maybe more so. The vast majority of the things we label security bugs
are privilege escalation problems accessible to someone who is already able to log into the
database and execute arbitrary SQL. But few installations have untrusted users connecting directly
to the database, so these sorts of bug fixes are really just limiting the possible effects of any
security loopholes (e.g. SQL-injection bugs) you may have in your applications. Which is a good
thing surely, but it pales compared to "this bug might corrupt all your data".
The PG community's recommendation is that you install new minor releases in toto.
Anybody who thinks it's better to just cherry-pick "security"
patches doesn't understand the realities of database work.
regards, tom lane
--
Adrian Klaver
adrian.kla...@aklaver.com
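As an added example, not from this thread or the PostgreSQL project, a small Python check of whether a running server is on the newest minor release of its major series, which is the recommendation Tom gives above. The version string is what `SELECT version()` or `pg_config --version` returns; the table of latest minors is a constructed placeholder to be refreshed from the versioning page linked above.

```python
import re

# Constructed placeholder table: newest minor release per major series.
# Refresh it from https://www.postgresql.org/support/versioning/ before use;
# the numbers here are illustrative, not a current release list.
LATEST_MINOR = {"11": 3, "10": 8, "9.6": 13}

# Matches "PostgreSQL 11.2 ..." and "PostgreSQL 9.6.13 ..."; a beta such as
# "PostgreSQL 12beta1" has no dotted minor and is deliberately not matched.
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major_series, minor) from SELECT version() / pg_config output.

    From PostgreSQL 10 onward the format is MAJOR.MINOR; before 10 it is
    X.Y.Z, where X.Y is the major series and Z the minor.
    """
    m = _VERSION_RE.search(version_string)
    if m is None:
        raise ValueError("not a PostgreSQL release string: %r" % version_string)
    first, second, third = m.groups()
    if int(first) >= 10:
        if third is not None:
            raise ValueError("unexpected third component: %r" % version_string)
        return first, int(second)
    if third is None:
        raise ValueError("pre-10 release needs X.Y.Z: %r" % version_string)
    return "%s.%s" % (first, second), int(third)


def minor_releases_behind(version_string, latest=LATEST_MINOR):
    """How many minor releases the server trails its series; 0 means current.

    A series missing from the table (e.g. an EOL major) raises KeyError so the
    caller cannot mistake "unknown" for "up to date".
    """
    series, minor = parse_version(version_string)
    return latest[series] - minor


if __name__ == "__main__":
    # Constructed sample of SELECT version() output, in the real format.
    sample = ("PostgreSQL 11.2 on x86_64-pc-linux-gnu, compiled by gcc (GCC) "
              "8.2.1 20180905 (Red Hat 8.2.1-3), 64-bit")
    behind = minor_releases_behind(sample)
    print("%s: %d minor release(s) behind" % (parse_version(sample), behind))
```

Run `pg_config --version` from the binary directory of a custom-prefix install to check that build rather than whatever PostgreSQL is first on PATH.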