On 2013-04-09 13:46:43 -0400, Jonathan S. Katz wrote:
> On Apr 9, 2013, at 1:41 PM, Andres Freund wrote:
>
> > On 2013-04-09 13:14:18 -0400, Stephen Frost wrote:
> >> * Andres Freund (andres@2ndquadrant.com) wrote:
> >>> On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> >>>> Then perhaps I'm missing something, but what's the point in getting the
> >>>> update if you can't actually apply it until everyone (including the bad
> >>>> guys) know about it? Particularly when applying it is going to take a
> >>>> whole lot more time than it takes for the bad guys to probe your systems
> >>>> and figure out which aren't patched yet...
> >>>
> >>> Patching, packaging and verifying that the package works takes time,
> >>> especially if you run a modified version of postgres.
> >>
> >> I agree with that. For individuals who are primairly responsible for
> >> providing packages getting access early to do those tasks is great.
> >>
> >> That does not address the large-scale deployments where upgrades also
> >> take a very signifigant amount of time. If we are to provide them with
> >> the information ahead of the release, as they are trusted, I do not
> >> believe it makes any sense to prevent them from upgrading their systems
> >> until the information is out in the open.
> >
> > Installing the packages somewhere where far more people have a chance to
> > gain access to reduces the likelihood that somebody figures out where
> > the vulnerability is noticeably. Figuring out which parts of a binary
> > have changed is easy enough, even if its stripped.
> >
> > Also, it changes how privileged the people that get access to the
> > vulnerability are. If they are allowed to install at the same time as
> > everyone else its somewhat fair game, otherwise there will be people
> > making a marketing distinction out of their privileged access.
>
> Well, part of the policy of getting early access should be "do not publicize that you have early access" - that would
eliminateany publicity / marketing advantages an entity could take.
Things like the heroku downtime notice make that pretty clear
though. They hardly could not announce that they have a downtime though,
so I am not blaming them for that, but its still obvious.
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services