Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Dave Page
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id CA+OCxowwAS8yNnrH9hMWwQ9Q1dqV4h_-oto9mmCb5h+RhD7vZQ@mail.gmail.com
In response to Re: Heroku early upgrade is raising serious questions  (damien clochard <damien@dalibo.info>)
Responses Re: Heroku early upgrade is raising serious questions  (damien clochard <damien@dalibo.info>)
List pgsql-advocacy
On Wed, Apr 3, 2013 at 3:55 AM, damien clochard <damien@dalibo.info> wrote:
>
> A/ I think the names of "The Packagers List" should be public. I think
> it's an important information when you choose a distribution system or a
> service provider. One should be able to check if a package/service
> provider is connected to the Security Team or not.

The packagers list and security team are different groups.

> B/ I feel that all "Packagers" should respect the "embargo date". They
> should not produce the packages prior to the official release. This is
> what RPM and DEB packagers do and it's a good thing. Once again the
> problem is not that Heroku had early access to the security fix. The
> problem is that they "released" it 3 days before other packagers. I
> don't know if they did that on purpose but the message they are sending
> is "Heroku Postgres is more secure than vanilla PostgreSQL, because you
> get upgrades before full disclosure"

How would that work? The reason we have a number of days between the
tarballs being rolled and the embargo date is that it takes time to
build and properly QA the packages. In the case of the installers,
each branch gets tested on 30 - 40 different platforms in total. It is
simply not possible to "not produce the packages prior to the official
release".

> C/ The Packagers list could be extended to companies providing
> PostgreSQL support. If the term "Packagers" includes not only
> organizations that distribute the code but also organizations that
> provide PostgreSQL as a service, then PostgreSQL support services
> should be included too.

No, most definitely not. The packagers list is a working/coordination
list, not one for discussion. We need to keep that list tightly
purposed and focussed on those actually creating packages for public
distribution and arguably in the future, deployment on public DBaaS
platforms (the key word in both cases, being "public").

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
