Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy
From | damien clochard |
---|---|
Subject | Re: Heroku early upgrade is raising serious questions |
Date | |
Msg-id | 515BECDF.2070600@dalibo.info |
In response to | Re: Heroku early upgrade is raising serious questions (Dave Page <dpage@pgadmin.org>) |
Responses | Re: Heroku early upgrade is raising serious questions |
List | pgsql-advocacy |
On 03/04/2013 10:07, Dave Page wrote:
> On Wed, Apr 3, 2013 at 3:55 AM, damien clochard <damien@dalibo.info> wrote:
>>
>>
>> A/ I think the names of "The Packagers List" should be public. I think
>> it's important information when you choose a distribution system or a
>> service provider. One should be able to check if a package/service
>> provider is connected to the Security Team or not.
>
> The packagers list and security team are different groups.
>

Yes, I'm talking of the packagers list.

>> B/ I feel that all "Packagers" should respect the "embargo date". They
>> should not produce the packages prior to the official release. This is
>> what RPM and DEB packagers do and it's a good thing. Once again the
>> problem is not that Heroku had early access to the security fix. The
>> problem is that they "released" it 3 days before other packagers. I
>> don't know if they did that on purpose but the message they are sending
>> is "Heroku Postgres is more secure than vanilla PostgreSQL, because you
>> get upgrades before full disclosure"
>
> How would that work? The reason we have a number of days between the
> tarballs being rolled and the embargo date is that it takes time to
> build and properly QA the packages. In the case of the installers,
> each branch gets tested on 30 - 40 different platforms in total. It is
> simply not possible to "not produce the packages prior to the official
> release".
>

Ok, maybe I was not clear enough here. With the word "produce" I meant
"making available to the public". I'm aware the packagers need time to
build and test their packages. What I am saying is that the packagers
should not release the packages publicly before the official release date.

I feel that if Red Hat had released the new RPM on Monday, many people
here would have been unpleased. So why can Heroku do it?

>> C/ The Packagers list could be extended to companies providing
>> PostgreSQL support. If the term "Packagers" includes not only
>> organizations that distribute the code but also organizations that
>> provide PostgreSQL as a service, then PostgreSQL Support services
>> should be included too.
>
> No, most definitely not. The packagers list is a working/coordination
> list, not one for discussion. We need to keep that list tightly
> purposed and focussed on those actually creating packages for public
> distribution and arguably in the future, deployment on public DBaaS
> platforms (the key word in both cases, being "public").
>

Meh. What do you mean by "public"? To me, something that is "available to
everyone" or "open to general view". If you include paying services such
as Red Hat and Heroku in this "public" definition, then I guess a
PostgreSQL support company is "public" too? Where's the difference?

Once again, I'm not arguing that the packagers list should be extended to
anyone asking. But if we include "PostgreSQL as a service" in this list,
then we need to come up with a precise definition of what "PostgreSQL
service" means...