Re: Heroku early upgrade is raising serious questions

Damien,

> The Heroku announcement caused many confusions. The worst confusion is
> that it sounds like Heroku gets a special treament and is allowed to
> upgrade 3 days before full disclosure, while the rest of us have to wait
> the official release date.

So Heroku had permission from the core team to start their update early,
partly because of required deployment times, and partly because they
could supply testing and feedback on the patch, as they have with other
patches they've backported from future versions of PostgreSQL.  We were
also conscious of the fact that, as far as we knew, Heroku represented
the single largest organizational vulnerability to this particular
issue, and that due to their "port-only access" the possibility of
accidental disclosure was minimal.

We didn't anticipate that the early notification we did combined with
the Heroku outage notification would make it obvious that an early
deployment was happening.  We don't generally do early warnings, and
this whole "cloud" thing is still new to us organizationally.  ALso, we
went from discovery to release in 3 weeks, so there wasn't a lot of
discussion time around policy and procedure.

Clearly we can't do it that way again.

-core is currently hashing out thoughts on what might be a reasonable
early notification process for high-risk users, and if it's feasible for
us to have one.  As well as other aspects of our security release procedure.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com