> My one question regarding policy is related to distribution. I do
> agree with the evaluation criteria for choosing distributors, but my
> question pertains to entities that could be classified as "critical
> infrastructure" that use Postgres, e.g. utilities, hospitals, etc.
> Though it is still up to the management of those entities to handle
> the upgrades, I think it would be in their best interests to have a
> critical security fix available to them so they have that opportunity
> before it goes live.
>
> I also presume that these organizations receive their releases from
> distributors - so if we were to enable such organizations to also
> receive an early release, what would the policy be?

There's a whole set of questions regarding early access to security
updates which we're not yet ready to tackle, and may never be ready to
tackle. This includes:
- large commercial support vendors (e.g. SRA)
- distributors of embedded Postgres (on devices) (e.g. Apple)
- critical infrastructure users (e.g. the FAA)
- large-scale end users with high security profiles (e.g. Enova)
All of the above have legitimate, and sometimes compelling, reasons to
need to be able to apply security updates in advance of them becoming
public. Deciding who gets to be on an early notification list and who
doesn't, while keeping the list small enough to not effectively make
things public, will be very hard and potentially impossible. And
ultimately we are a non-profit, volunteer project and can't devote 100
full time staff to managing security disclosure the way Microsoft can.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com