Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Jean-Paul Argudo
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id 1366106181.4083.38.camel@deiphobe
In response to Re: Heroku early upgrade is raising serious questions  (Selena Deckelmann <selena@chesnok.com>)
List pgsql-advocacy
Hi Selena, hi all!


On Monday 15 April 2013 at 08:39 -0700, Selena Deckelmann wrote:
> Hi!
>
>
> On Mon, Apr 15, 2013 at 12:42 AM, Jean-Paul Argudo
> <jean-paul@postgres.fr> wrote:
>
>         To me the only way to do is give the access to all at the same
>         time,
>         despite all the problems that may occur. Yes, it's the "hard
>         way", but
>         it's the only one leading to the equality we want.
>
>
> PostgreSQL is written and maintained by a 6-member core team, a group
> of about 20 committers, and somewhere between 300-400 developers who
> send in code each year.  Plus many other volunteers who run
> conferences, meetups and participate in mailing lists like this one.

Thanks for this summary.

> From a security standpoint, the decisions made should weigh:

Let me comment on this:

> * Risk to the general public
> * Risk to the *known* users of PostgreSQL

Why do you make a distinction between the general public (unknown users,
is that what you mean?) and "known" users? Known by whom?

Why is this distinction important in your eyes?

What kind of consequences would happen if we keep this distinction?

> * Risk to our core committers, developers and volunteers

What kind of risk? Is this statement general-purpose? Does it apply to
the code generally or just to a security patch?

> * Risk to the survival of the open source project

I don't fear anything here. I trust us to not do things that may result
in this kind of risk.

> and:
> * Do we have a good patch for the problem?
> * Are there possible workarounds without patching?

On those two statements I doubt we lack anything. This community has
probably the best coders I know of. I trust them completely to find
workarounds, patches on any bugs found, etc.

> What is "fair" in that context is not the same thing as "treating
> everyone equally".

So, as Dimitri stated, you're happier with "equity" than "equality".
So am I in real life too, but I think that finding a solution that
fits all for our problem here is an illusion.

If PaaS users are upgraded before others, whatever the reasons are, this
will lead to another mail thread like this one.

I also think it will be a nightmare to write down something simple and
understandable by all.

> Personally, I do not agree that "equality is what we want" in the
> context of managing security vulnerability disclosure.

If you're talking strictly about how to manage security vulnerability
disclosure, then I agree.

On this point, -core did well, in my view.

> We are open source, so eventually everyone will have access to patches
> to security vulnerabilities.

Sure.

> However, it's important to use well-understood risk mitigation
> techniques in deciding how to share information about
> vulnerabilities.

Agreed.

> Despite how the disclosure and communication made contributors to this
> thread *feel*, the consensus from security experts that I talked to
> was: PGDG handled this security issue well. We also drew enough
> attention that it *appears* that many of our users upgraded or took
> mitigation action - with minimal compromise exposure after we fully
> disclosed the bug.

Yeah, I agree too there.

> And now, -core is working to change our security policy to better
> address the concerns of PaaS and security-sensitive users.

My point is that all users should be considered the same, once again.

Since one can't decide whose data is more important than someone
else's, we won't be able to define what a "security-sensitive user" is.

> To be clear:
> I want users and their data to be as safe as we can keep them.  And I
> want security disclosures to be transparent, well-communicated and
> fairly carried out, using a policy that -core produces.

I could suggest that we help in producing that policy, which -core would
then approve. But OK. Let's wait.

> -selena

Thanks for your time.

> --
> http://chesnok.com


--
Jean-Paul Argudo
www.PostgreSQL.fr
www.Dalibo.com


