To me the only way to do is give the access to all at the same time, despite all the problems that may occurs. Yes, it's the "hard way", but it's the only one leading to the equalty we want.
PostgreSQL is written and maintained by a 6-member core team, a group of about 20 committers, and somewhere between 300-400 developers who send in code each year. Plus many other volunteers who run conferences, meetups and participate in mailing lists like this one.
From a security standpoint, the decisions made should weigh:
* Risk to the general public
* Risk to the *known* users of PostgreSQL
* Risk to our core committers, developers and volunteers
* Risk to the survival of the open source project
and:
* Do we have a good patch for the problem?
* Are there possible workarounds without patching?
What is "fair" in that context is not the same thing as "treating everyone equally". Personally, I do not agree that "equality is what we want" in the context of managing security vulnerability disclosure.
We are open source, so eventually everyone will have access to patches to security vulnerabilities. However, it's important to use well-understood risk mitigation techniques in deciding how to share information about vulnerabilities.
Despite how the disclosure and communication made contributors to this thread *feel*, the consensus from security experts that I talked to was: PGDG handled this security issue well. We also drew enough attention that it *appears* that many of our users upgraded or took mitigation action - with minimal compromise exposure after we fully disclosed the bug. And now, -core is working to change our security policy to better address the concerns of PaaS and security-sensitive users.
To be clear: I want users and their data to be as safe as we can keep them. And I want security disclosures to be transparent, well-communicated and fairly carried out, using a policy that -core produces.