Re: Heroku early upgrade is raising serious questions

From: Jean-Paul Argudo <jean-paul(at)postgres(dot)fr>
To: Dimitri Fontaine <dimitri(at)2ndQuadrant(dot)fr>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, Greg Sabino Mullane <greg(at)turnstep(dot)com>, pgsql-advocacy(at)postgresql(dot)org
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-16 09:26:40
Message-ID: 1366104400.4083.17.camel@deiphobe
Lists: pgsql-advocacy

Hi All,

First, thanks for your comments. This discussion is very interesting.

On Tuesday 16 April 2013 at 09:21 +0200, Dimitri Fontaine wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > People will not be happy if we add people to packagers and someone leaks
> > information to hackers before the official release.
>
> Indeed. That's the way it works today, though.

Yes, true. I see no solution to this problem. That's why I suggested our
community doesn't deal with it, since every solution we may find will be
surely incomplete if not wrong.

I really doubt we find some kind of solution like "one fits all".

One can play with words (or pictures :-P), but is it really to us, as a
community, to fix one's particular problems?

> > Again, the damage is done if someone leaks information, and being
> > removed from packagers doesn't fix the security problem for everyone
> > else. We just can't have an iterative process here where we guess who is
> > trustworthy and vulnerable, and then remove people when we are wrong.
>
> Agreed. It's a problem of trust, not of procedure, and that's what I
> wanted to stress in my previous email by saying that we already have the
> procedure. Thanks for underlining it.

So you both agreed on the 1st mail of this thread, at least on the
problem I tried to explain (apologies, I'm quoting myself):

The fundamental question then, is how organizations qualify to become
"trusted organizations"?

On this point, AFAIK, there's still no answer.

> Regards,
> --
> Dimitri Fontaine
> http://2ndQuadrant.fr PostgreSQL: Expertise, Training and Support

--
Jean-Paul Argudo
www.PostgreSQL.fr
