Re: Should we back-patch SSL renegotiation fixes?

On Thu, Jun 25, 2015 at 8:03 AM, Andres Freund <andres@anarazel.de> wrote:
>> I don't accept the argument that there are not ways to tell users
>> about things they might want to do.
>
> We probably could do that. But why would we want to? It's just as much
> work, and puts the onus on more people?

Because it doesn't force a behavior change down everyone's throat.

If it were just a question of back-porting fixes, even someone
invasive ones, well, maybe that's what we have to do; that's pretty
much exactly what we are planning to do for the MultiXact case, but
according to Heikki, this is broken even in master and can't really be
fixed unless and until OpenSSL gets their act together.  That's a hard
argument to argue with, and I think I'm on board with it.

But as a general point, we should be very reluctant to force behavior
changes on our users in released branches, because users don't like
that.  When there are reasonable alternatives to doing that, we should
choose them.  If we have no other reasonable choice here, so be it.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company