Re: Heroku early upgrade is raising serious questions

From: Jonathan S. Katz
Subject: Re: Heroku early upgrade is raising serious questions
Msg-id: 49749E6B-792F-4126-8BE5-D32FBFE39A21@excoventures.com
In reply to: Re: Heroku early upgrade is raising serious questions (Selena Deckelmann <selena@chesnok.com>)
Responses: Re: Heroku early upgrade is raising serious questions ("Jonathan S. Katz" <jonathan.katz@excoventures.com>)
List: pgsql-advocacy
On Apr 2, 2013, at 8:03 PM, Selena Deckelmann wrote:

On Tue, Apr 2, 2013 at 4:42 PM, Stephen Frost <sfrost@snowman.net> wrote:

Having some kind of documentation / policy regarding who can get access,
or what they have to do to get access, would certainly help address
these concerns.

This is a key point.

Also, for those concerned about blowback, I've read through most of the commentary. If you read beyond the knee-jerk reactions, there's a lot of comments like this:

https://news.ycombinator.com/item?id=5477679

The slashdot article was full of similar sentiments.

The TechCrunch article had just two comments - leading me to conclude that most people view the angle the reporter took as sensational, and not worthy of arguing over. 
So, while it's reasonable to be concerned and want to make this process more transparent and well-documented, I think that overall, the impression our users have is generally *positive*, and they'd like to know what the vulnerability actually is before passing judgment on the process that was used to release the fix.

I agree that we should have a well-documented security release process. There are existing processes documented that we might use as a starting point, and I personally think largely match what we currently do, like: https://docs.djangoproject.com/en/1.5/internals/security/

The Django security release guide is good - I think we could almost copy & paste it.  I could throw something up on our wiki where we can fill in the blanks on what we want the actual policy to be and allow people to comment + add modifications.
