Re: Heroku early upgrade is raising serious questions

On Wed, Apr 03, 2013 at 01:26:22PM +0200, Magnus Hagander wrote:
> > Why? I can see a reason why we don't talk about the bug or the fix in the open.
> > Sure that makes sense because we have to have the fixed version out first. But
> > why does the same hold for communication about deployment embargo?
>
> Because talking about it in public in a way to make it make sense,
> would leak information about what and where the bug is, and thus give
> people who are looking to exploit it a much easier job in finding it
> before people have had a chance to apply the patches.

I wasn't talking about the discussion about the bug etc., I was just talking
about the discussion about the permission to deploy. But if these were so
tightly intervened I will gladly wait.

> If you are willing to wait a few days until such details can be made
> public, there is no reason why we can't talk about it in the open -
> and we should. But for now, the risk of actually putting all users at
> risk because someone uses that information to figure out where exactly
> the bug is before the patches are applied is pretty big.

Sure, thanks.

Michael
--
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
Jabber: michael.meskes at gmail dot com
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL