Re: Heroku early upgrade is raising serious questions

Hi!

From a security standpoint, the decisions made should weigh:

* Risk to the general public

* Risk to the *known* users of PostgreSQL

* Risk to our core committers, developers and volunteers

* Risk to the survival of the open source project

and:

* Do we have a good patch for the problem?

* Are there possible workarounds without patching?

What is "fair" in that context is not the same thing as "treating everyone equally".  Personally, I do not agree that "equality is what we want" in the context of managing security vulnerability disclosure.

We are open source, so eventually everyone will have access to patches to security vulnerabilities. However, it's important to use well-understood risk mitigation techniques in deciding how to share information about vulnerabilities.

Despite how the disclosure and communication made contributors to this thread *feel*, the consensus from security experts that I talked to was: PGDG handled this security issue well. We also drew enough attention that it *appears* that many of our users upgraded or took mitigation action - with minimal compromise exposure after we fully disclosed the bug. And now, -core is working to change our security policy to better address the concerns of PaaS and security-sensitive users.

To be clear:
I want users and their data to be as safe as we can keep them.  And I want security disclosures to be transparent, well-communicated and fairly carried out, using a policy that -core produces.

-selena

--
http://chesnok.com