Re: Heroku early upgrade is raising serious questions
From | Josh Berkus |
---|---|
Subject | Re: Heroku early upgrade is raising serious questions |
Date | |
Msg-id | 516ED4E2.1010609@agliodbs.com |
In response to | Re: Heroku early upgrade is raising serious questions (Stephen Frost <sfrost@snowman.net>) |
Responses |
Re: Heroku early upgrade is raising serious questions
Re: Heroku early upgrade is raising serious questions |
List | pgsql-advocacy |
> It's been answered multiple times: -core (or some other committee which
> they create, should they feel a need to) is responsible for reviewing
> and approving such requests.

Actually, at this point the question is *whether or not* to have an early notification list at all.

Right now, the only people who get early information on not-yet-released security updates are people who are directly involved in either (a) patching the updates, or (b) packaging the updates, by policy. The definition of "packager" was extended to DBAAS vendors for the last security release, but not necessarily on a permanent basis.

The security team and the packagers have to receive early information in order for us to get a security update out the door. Nobody else does.

There are a lot of pros and cons to having an early notification list at all. The pros are obvious to the prospective members of such a list, but the cons are:

a) as the list grows, the probability of a leak approaches 100%
b) resentment by whomever doesn't make the cut to be on the list
c) effort to maintain the list.

That's the first question to answer. Discussing who's on such a list comes after deciding if we should have one at all. Other open source projects are split on the issue.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com