Re: Heroku early upgrade is raising serious questions - Mailing list pgsql-advocacy

From Dimitri Fontaine
Subject Re: Heroku early upgrade is raising serious questions
Date
Msg-id m2ppy374ff.fsf@2ndQuadrant.fr
In response to Re: Heroku early upgrade is raising serious questions  (Stephen Frost <sfrost@snowman.net>)
List pgsql-advocacy
Stephen Frost <sfrost@snowman.net> writes:
> That does not address the large-scale deployments where upgrades also
> take a very significant amount of time.  If we are to provide them with
> the information ahead of the release, as they are trusted, I do not
> believe it makes any sense to prevent them from upgrading their systems
> until the information is out in the open.

+1

> Weighing the needs of various communities along with their risk profiles
> and trustworthiness is a very difficult thing, but once vetted and
> approved for early access, they should be encouraged to do as much as
> they can to ensure they are not vulnerable provided that they are able
> to do so without disclosing sensitive information.

+1

And no ssh access to the servers seems like it applied.

The trust problem has just been presented to me in another phrasing that
we might want to be addressing: the level of trust we have into those
people who receive the information early obviously includes they not
perusing the information to exploit users (e.g. from competitive
places).

As obvious as it sounds, we have to write it down in the docs currently
being edited, I think.

Regards,
--
Dimitri Fontaine
http://2ndQuadrant.fr     PostgreSQL : Expertise, Formation et Support

