Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Selena Deckelmann
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id CAN1EF+z9tjf0hvqbaAf5nvQBR0Q9Hffwrp+6sPjM82VWks1qhA@mail.gmail.com
Whole thread Raw
In response to Re: Heroku early upgrade is raising serious questions  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Heroku early upgrade is raising serious questions
Re: Heroku early upgrade is raising serious questions
List pgsql-advocacy

On Tue, Apr 2, 2013 at 4:42 PM, Stephen Frost <sfrost@snowman.net> wrote:

Having some kind of documentation / policy regarding who can get access,
or what they have to do to get access, would certainly help address
these concerns.

This is a key point.

Also, for those concerned about blowback, I've read through most of the commentary. If you read beyond the knee-jerk reactions, there's a lot of comments like this:

https://news.ycombinator.com/item?id=5477679

The slashdot article was full of similar sentiments.

The TechCrunch article had just two comments - leading me to conclude that most people view the angle the reporter took as sensational, and not worthy of arguing over.

So, while it's reasonable to be concerned and want to make this process more transparent and well-documented, I think that overall, the impression our users have is generally *positive*, and they'd like to know what the vulnerability actually is before passing judgment on the process that was used to release the fix.

I agree that we should have a well-documented security release process. There are existing processes documented that we might use as a starting point, and I personally think largely match what we currently do, like: https://docs.djangoproject.com/en/1.5/internals/security/

-selena

pgsql-advocacy by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Heroku early upgrade is raising serious questions
Next
From: "Jonathan S. Katz"
Date:
Subject: Re: Heroku early upgrade is raising serious questions