Re: Heroku early upgrade is raising serious questions

On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> * Joshua D. Drake (jd@commandprompt.com) wrote:
> > On 04/09/2013 09:01 AM, Michael Meskes wrote:
> > >>Well no because traditional packagers all release at the same time
> > >>so that there is no disparity between when Ubuntu gets the fix and
> > >>Solaris gets the fix.
> > >
> > >So what do I misunderstand? As far as I read it, Damien said all should get the
> > >fix at the same time, right? Which is what you say and also what Dave said,
> > >isn't it? I think the question we're dancing around here is, should anyone be
> > >allowed to deploy before the embargo is over? I don't mind DBaaS providers
> > >getting the fix early, but I mind seeing it deployed early.
> >
> > Maybe I wasn't clear, sorry. No. I do not believe that ANY entity
> > should be able to deploy before the embargo is over.
>
> Then perhaps I'm missing something, but what's the point in getting the
> update if you can't actually apply it until everyone (including the bad
> guys) know about it?  Particularly when applying it is going to take a
> whole lot more time than it takes for the bad guys to probe your systems
> and figure out which aren't patched yet...

Patching, packaging and verifying that the package works takes time,
especially if you run a modified version of postgres.

Greetings,

Andres Freund

--
 Andres Freund                       http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services