On Mon, Dec 30, 2024 at 04:58:26PM -0500, Bruce Momjian wrote:
> I saw your question and was kind of stumped about how to answer. We
> rarely look at back branches for backpatch analysis, so I think we are
> kind of confused on how to answer. Under what circumstances are you
> supported versions of Postgres that we don't support? Is this part of
> Debian policy?

So am I (I'd say that you are on your own for this one, still..). It is the first time I hear about that on the lists, but perhaps Christoph Berg would know better? Adding him in CC for comments.

Applying patches to older branches is a speciality in itself, and requires a lot of work and analysis (not planning to do that here for this specific CVE). The good thing is that 5a2fed911a85 has some regression tests, so you could be more confident that what you are doing is rather right. Now the code in this area has changed slightly because of the introduction of parallel workers in 9.6, so that could be tricky. I'd suggest *not* bypassing the work across multiple branches at once, as it can help in dealing with conflicts in a more granular way, even if it may increase the analysis burden quite a bit.

While on it, note also 73c9f91a1b6d by the way, which is a follow-up of 5a2fed911a85 for CVE-2024-10978 related to parallel workers; it would not apply to 9.4, for sure.

> Is our five-year insufficient?

FWIW, I'm already on the side that five-year support is quite good and I'd side with not extending that, even argue about reducing it (anti-tomato armor is now on). Backporting patches across up to 7 branches can be really tedious depending on what you are dealing with in the backend.
--
Michael