From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
---|---|
To: | damien(at)dalibo(dot)info |
Cc: | jonathan(dot)katz(at)excoventures(dot)com, josh(at)agliodbs(dot)com, pgsql-advocacy(at)postgresql(dot)org |
Subject: | Re: Heroku early upgrade is raising serious questions |
Date: | 2013-04-08 22:39:01 |
Message-ID: | 20130409.073901.1365362481015585564.t-ishii@sraoss.co.jp |
Lists: | pgsql-advocacy |
> I would like to add a paragraph about the release date (or "embargo
> date"). It seems important to me that all packagers agree to synchronize
> and distribute/deploy the security fix at the same date. For packager
> who distribute the source code this is obvious. But that's also true for
> DBaaS providers.
Very good point.
> The Heroku announcement caused many confusions. The worst confusion is
> that it sounds like Heroku gets a special treatment and is allowed to
> upgrade 3 days before full disclosure, while the rest of us have to wait
> for the official release date.
>
> So basically the message we're sending is : Heroku Postgres is safer
> than Vanilla PostgreSQL because in case of a high-exposure security
> vulnerability, Heroku will upgrade before everyone else.
It was the most expected response from users, I think.
> BTW you can replace Heroku by the DBaaS provider of your choice... I
> have nothing against Heroku and I have great respect for their
> contribution to our community.
>
> I'm taking them as an example, because they've been very transparent
> about all this (see
> https://blog.heroku.com/archives/2013/4/4/heroku_postgres_databases_patched)
> and that's a good thing because it helps us improve our Security
> Release Policy.
>
> Now I understand that Heroku (and other DBaaS providers) may host
> hundreds of thousands of PostgreSQL servers and I understand that upgrading
> so many servers in a few hours is something very hard to achieve. But
> the responsibility of building a security maintenance process like that
> is on Heroku (and other DBaaS providers). The PostgreSQL community
> should keep some neutrality and should not compensate for the lack of
> upgrade machinery of a private company. Even if that means thousands of
> their customers will be exposed for a while.
Agreed.
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp