I think we have a problem here :
https://status.heroku.com/incidents/510
Disclaimer : I don't know what thursday security fix is about and I
don't have much information on the "Heroku Postgres Official
Maintenance". So for now, I won't discuss wether or not Heroku should do
that upgrade earlier than everyone. This is why why I'm sending this on
pgsql-advocacy instead of pgsql-hackers
What I know is that Heroku's announcement is raising many questions all
over the place:
http://techcrunch.com/2013/04/01/heroku-forces-customer-upgrade-to-fix-critical-postgresql-security-hole/
https://news.ycombinator.com/item?id=5475619
Among these questions, the 3 below are recurring :
Which companies have access to the patch before the official release ?
What does a company have to do to have access to this patch ?
Who decides to allow this "early access" ?
Now my guess is that Heroku is treated here as a distributer such as Red
Hat, the Debian packagers, etc. Once again I am not discussing wether or
not they should have access to the code earlier.
What I am discussing is that most people consider that Heroku is a
"database as a service" company, not a distributor of software. And the
overall feeling among DBA can be described as :
"Why is Heroku so special ? Why do I have to wait 4 days while they are
allowed to upgrade before the security breach is fully disclosed ?"
In other words, we are sending a terrible message to our users. I
understand that this bug cannot be discussed in public but the Heroku
upgrade is public and therefore the PostgreSQL community needs to come
up with an explanation to make things clear and avoid misunderstandings
and frustration.
