Re: Heroku early upgrade is raising serious questions
From | Andres Freund
---|---
Subject | Re: Heroku early upgrade is raising serious questions
Date | 
Msg-id | 20130409175024.GA9959@awork2.anarazel.de
In response to | Re: Heroku early upgrade is raising serious questions ("Jonathan S. Katz" <jonathan.katz@excoventures.com>)
List | pgsql-advocacy
On 2013-04-09 13:46:43 -0400, Jonathan S. Katz wrote:
> On Apr 9, 2013, at 1:41 PM, Andres Freund wrote:
>
> > On 2013-04-09 13:14:18 -0400, Stephen Frost wrote:
> >> * Andres Freund (andres@2ndquadrant.com) wrote:
> >>> On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> >>>> Then perhaps I'm missing something, but what's the point in getting the
> >>>> update if you can't actually apply it until everyone (including the bad
> >>>> guys) knows about it? Particularly when applying it is going to take a
> >>>> whole lot more time than it takes for the bad guys to probe your systems
> >>>> and figure out which aren't patched yet...
> >>>
> >>> Patching, packaging and verifying that the package works takes time,
> >>> especially if you run a modified version of postgres.
> >>
> >> I agree with that. For individuals who are primarily responsible for
> >> providing packages, getting access early to do those tasks is great.
> >>
> >> That does not address the large-scale deployments where upgrades also
> >> take a very significant amount of time. If we are to provide them with
> >> the information ahead of the release, as they are trusted, I do not
> >> believe it makes any sense to prevent them from upgrading their systems
> >> until the information is out in the open.
> >
> > Installing the packages somewhere where far more people have a chance to
> > gain access to reduces the likelihood that somebody figures out where
> > the vulnerability is noticeably. Figuring out which parts of a binary
> > have changed is easy enough, even if it's stripped.
> >
> > Also, it changes how privileged the people that get access to the
> > vulnerability are. If they are allowed to install at the same time as
> > everyone else it's somewhat fair game, otherwise there will be people
> > making a marketing distinction out of their privileged access.
>
> Well, part of the policy of getting early access should be "do not
> publicize that you have early access" - that would eliminate any
> publicity / marketing advantages an entity could take.

Things like the Heroku downtime notice make that pretty clear though.
They hardly could not announce that they have a downtime though, so I am
not blaming them for that, but it's still obvious.

Greetings,

Andres Freund

--
 Andres Freund                     http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services