Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Stephen Frost
Subject Re: Heroku early upgrade is raising serious questions
Msg-id 20130411124803.GD4361@tamriel.snowman.net
In response to Re: Heroku early upgrade is raising serious questions  (Michael Meskes <meskes@postgresql.org>)
List pgsql-advocacy
Michael,

* Michael Meskes (meskes@postgresql.org) wrote:
> But this does not only apply to the Heroku's of this world. What about the not
> so hypothetical example I brought earlier? There are actually a lot of companies
> out there that deploy Postgres on a large scale but are not DBaaS providers.
> There are also a lot of companies that somehow bundle Postgres with their
> product and deliver it to *a lot* of customers. Their upgrade problem is even
> worse. Do we add them all?

Who gets added and who doesn't would be the committee's responsibility.
Risk and exposure would weigh into that decision.  DBaaS providers had a
much higher exposure from this most recent bug than even very large scale
internal deployments.  When asking "do we add them all?", the answer
will have to be 'no' or there would end up being little point.

> Besides some of these might get their packages from
> service providers. Ok, in theory we could add those. But how about those who
> use packages from one of the distros? With the same argument we would have to
> go for a two step embargo.

I don't entirely follow this.  Upthread I had suggested a multi-phase
approach which sounds like what you mean by 'two step embargo'.  I
continue to feel that makes sense, to give everyone the best chance at
upgrading prior to exploits being generally available.

    Thanks,

        Stephen
