Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Jonathan S. Katz
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id 49749E6B-792F-4126-8BE5-D32FBFE39A21@excoventures.com
Whole thread Raw
In response to Re: Heroku early upgrade is raising serious questions  (Selena Deckelmann <selena@chesnok.com>)
Responses Re: Heroku early upgrade is raising serious questions
List pgsql-advocacy
On Apr 2, 2013, at 8:03 PM, Selena Deckelmann wrote:

On Tue, Apr 2, 2013 at 4:42 PM, Stephen Frost <sfrost@snowman.net> wrote:

Having some kind of documentation / policy regarding who can get access,
or what they have to do to get access, would certainly help address
these concerns.

This is a key point.

Also, for those concerned about blowback, I've read through most of the commentary. If you read beyond the knee-jerk reactions, there's a lot of comments like this:

https://news.ycombinator.com/item?id=5477679

The slashdot article was full of similar sentiments.

The TechCrunch article had just two comments - leading me to conclude that most people view the angle the reporter took as sensational, and not worthy of arguing over. 
So, while it's reasonable to be concerned and want to make this process more transparent and well-documented, I think that overall, the impression our users have is generally *positive*, and they'd like to know what the vulnerability actually is before passing judgment on the process that was used to release the fix.

I agree that we should have a well-documented security release process. There are existing processes documented that we might use as a starting point, and I personally think largely match what we currently do, like: https://docs.djangoproject.com/en/1.5/internals/security/

The Django security release guide is good - I think we could almost copy & paste it.  I could throw something up on our wiki where we can fill in the blanks on what we want the actually policy to be and allow people to comment + add modifications.

pgsql-advocacy by date:

Previous
From: Selena Deckelmann
Date:
Subject: Re: Heroku early upgrade is raising serious questions
Next
From: "Jonathan S. Katz"
Date:
Subject: Re: Heroku early upgrade is raising serious questions