Re: Heroku early upgrade is raising serious questions
From | Stephen Frost |
---|---|
Subject | Re: Heroku early upgrade is raising serious questions |
Date | |
Msg-id | 20130409171418.GS4361@tamriel.snowman.net |
In reply to | Re: Heroku early upgrade is raising serious questions (Andres Freund <andres@2ndquadrant.com>) |
Responses |
Re: Heroku early upgrade is raising serious questions
Re: Heroku early upgrade is raising serious questions Re: Heroku early upgrade is raising serious questions Re: Heroku early upgrade is raising serious questions |
List | pgsql-advocacy |
* Andres Freund (andres@2ndquadrant.com) wrote:
> On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> > Then perhaps I'm missing something, but what's the point in getting the
> > update if you can't actually apply it until everyone (including the bad
> > guys) knows about it? Particularly when applying it is going to take a
> > whole lot more time than it takes for the bad guys to probe your systems
> > and figure out which aren't patched yet...
>
> Patching, packaging and verifying that the package works takes time,
> especially if you run a modified version of postgres.

I agree with that. For individuals who are primarily responsible for
providing packages, getting access early to do those tasks is great.
That does not address the large-scale deployments where upgrades also
take a very significant amount of time. If we are to provide them with
the information ahead of the release, as they are trusted, I do not
believe it makes any sense to prevent them from upgrading their systems
until the information is out in the open.

Weighing the needs of various communities along with their risk profiles
and trustworthiness is a very difficult thing, but once vetted and
approved for early access, they should be encouraged to do as much as
they can to ensure they are not vulnerable provided that they are able
to do so without disclosing sensitive information.

Thanks,

Stephen