Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Bruce Momjian
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id 20130417172240.GI4602@momjian.us
Whole thread Raw
In response to Re: Heroku early upgrade is raising serious questions  (Josh Berkus <josh@agliodbs.com>)
Responses Re: Heroku early upgrade is raising serious questions
List pgsql-advocacy
On Wed, Apr 17, 2013 at 09:59:14AM -0700, Josh Berkus wrote:
>
> > It's been answered multiple times: -core (or some other committee which
> > they create, should they feel a need to) is responsible for reviewing
> > and approving such requests.
>
> Actually, at this point the question is *whether or not* to have a early
> notification list at all.
>
> Right now, the only people who get early information on not-yet-released
> security updates are people who are directly involved in either (a)
> patching the updates, or (b) packaging the updates, by policy.  The
> definition of "packager" was extended to DBAAS vendors for the last
> security release, but not necessarily on a permanent basis.
>
> The security team and the packagers have to receive early information in
> order for us to get a security update out the door.  Nobody else does.
>
> There are a lot of pros and cons to having an early notification list at
> all.  The pros are obvious to the prospective members of such a list,
> but the cons are:
>
> a) as the list grows, the probability of a leak approaches 100%
>
> b) resentment by whomever doesn't make the cut to be on the list
>
> c) effort to maintain the list.
>
> That's the first question to answer.  Discussing who's on such a list
> comes after deciding if we should have one at all.  Other open source
> projects are split on the issue.

These are all good points.  The vulnerability that got Heroku early
access was a network port vulnerability.  A different type of
vulnerability might _not_ have gotten them early access, and might have
gotten someone else early access.  This port vulnerability was of a
severity that historically we only see every five years, so it is hard
to come up with a policy that might not be exercised for another five
years.

Also, let me add that the value of Heroku testing was what swayed me to
support their early access.  We don't need dozens of users testing our
binaries pre-release, but helps to have a dedicated one who is capable
and reports their findings.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +


pgsql-advocacy by date:

Previous
From: Thom Brown
Date:
Subject: Re: Regex Indexing WAS: 9.3 Beta 1 Coming Soon!
Next
From: Josh Berkus
Date:
Subject: Re: 9.3 Beta 1 Coming Soon!