> What I know is that Heroku's announcement is raising many questions all
> over the place:
>
> http://techcrunch.com/2013/04/01/heroku-forces-customer-upgrade-to-fix-critical-postgresql-security-hole/
> https://news.ycombinator.com/item?id=5475619
Just to keep this in scope, those are two places, and the first sources
the second, so basically "Hacker News is complaining". I'll also point
out that many of the comments on the HN thread are supportive. Also,
contrast this Slashdot thread:
http://news.slashdot.org/story/13/03/29/1519208/security-fix-leads-to-postgresql-lock-down
... which praises us for taking reasonable security precautions as a
consensus of the comments.
> In other words, we are sending a terrible message to our users. I
> understand that this bug cannot be discussed in public but the Heroku
> upgrade is public and therefore the PostgreSQL community needs to come
> up with an explanation to make things clear and avoid misunderstandings
> and frustration.
I don't think this is as big of an issue as you seem to. I do think we
should have some messaging around this, but I don't agree that it should
happen before Thursday, when we will be doing PR around the security
update anyway.
I'm also happy that we're getting all this press, because it means
people will actually apply the darned updates.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com