Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Josh Berkus
Subject Re: Heroku early upgrade is raising serious questions
Msg-id 515B5E51.4040601@agliodbs.com
In response to Heroku early upgrade is raising serious questions  (damien clochard <damien@dalibo.info>)
Responses Re: Heroku early upgrade is raising serious questions
List pgsql-advocacy
> What I know is that Heroku's announcement is raising many questions all
> over the place:
>
> http://techcrunch.com/2013/04/01/heroku-forces-customer-upgrade-to-fix-critical-postgresql-security-hole/
> https://news.ycombinator.com/item?id=5475619

Just to keep this in scope, those are two places, and the first sources
the second, so basically "Hacker News is complaining".  I'll also point
out that many of the comments on the HN thread are supportive. Also,
contrast this Slashdot thread:

http://news.slashdot.org/story/13/03/29/1519208/security-fix-leads-to-postgresql-lock-down

... which praises us for taking reasonable security precautions as a
consensus of the comments.

> In other words, we are sending a terrible message to our users. I
> understand that this bug cannot be discussed in public but the Heroku
> upgrade is public and therefore the PostgreSQL community needs to come
> up with an explanation to make things clear and avoid misunderstandings
> and frustration.

I don't think this is as big of an issue as you seem to.  I do think we
should have some messaging around this, but I don't agree that it should
happen before Thursday, when we will be doing PR around the security
update anyway.

I'm also happy that we're getting all this press, because it means
people will actually apply the darned updates.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com

