Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Andres Freund
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id 20130409175024.GA9959@awork2.anarazel.de
Whole thread Raw
In response to Re: Heroku early upgrade is raising serious questions  ("Jonathan S. Katz" <jonathan.katz@excoventures.com>)
List pgsql-advocacy
On 2013-04-09 13:46:43 -0400, Jonathan S. Katz wrote:
> On Apr 9, 2013, at 1:41 PM, Andres Freund wrote:
>
> > On 2013-04-09 13:14:18 -0400, Stephen Frost wrote:
> >> * Andres Freund (andres@2ndquadrant.com) wrote:
> >>> On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> >>>> Then perhaps I'm missing something, but what's the point in getting the
> >>>> update if you can't actually apply it until everyone (including the bad
> >>>> guys) know about it?  Particularly when applying it is going to take a
> >>>> whole lot more time than it takes for the bad guys to probe your systems
> >>>> and figure out which aren't patched yet...
> >>>
> >>> Patching, packaging and verifying that the package works takes time,
> >>> especially if you run a modified version of postgres.
> >>
> >> I agree with that.  For individuals who are primairly responsible for
> >> providing packages getting access early to do those tasks is great.
> >>
> >> That does not address the large-scale deployments where upgrades also
> >> take a very signifigant amount of time.  If we are to provide them with
> >> the information ahead of the release, as they are trusted, I do not
> >> believe it makes any sense to prevent them from upgrading their systems
> >> until the information is out in the open.
> >
> > Installing the packages somewhere where far more people have a chance to
> > gain access to reduces the likelihood that somebody figures out where
> > the vulnerability is noticeably. Figuring out which parts of a binary
> > have changed is easy enough, even if its stripped.
> >
> > Also, it changes how privileged the people that get access to the
> > vulnerability are. If they are allowed to install at the same time as
> > everyone else its somewhat fair game, otherwise there will be people
> > making a marketing distinction out of their privileged access.
>
> Well, part of the policy of getting early access should be "do not publicize that you have early access" - that would
eliminateany publicity / marketing advantages an entity could take. 

Things like the heroku downtime notice make that pretty clear
though. They hardly could not announce that they have a downtime though,
so I am not blaming them for that, but its still obvious.

Greetings,

Andres Freund

--
 Andres Freund                       http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services


pgsql-advocacy by date:

Previous
From: "Jonathan S. Katz"
Date:
Subject: Re: Heroku early upgrade is raising serious questions
Next
From: Stephen Frost
Date:
Subject: Re: Heroku early upgrade is raising serious questions