Re: Heroku early upgrade is raising serious questions

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> On 04/09/2013 09:01 AM, Michael Meskes wrote:
> >>Well no because traditional packagers all release at the same time
> >>so that there is no disparity between when Ubuntu gets the fix and
> >>Solaris gets the fix.
> >
> >So what do I misunderstand? As far as I read it, Damien said all should get the
> >fix at the same time, right? Which is what you say and also what Dave said,
> >isn't it? I think the question we're dancing around here is, should anyone be
> >allowed to deploy before the embargo is over? I don't mind DBaaS providers
> >getting the fix early, but I mind seeing it deployed early.
>
> Maybe I wasn't clear, sorry. No. I do not believe that ANY entity
> should be able to deploy before the embargo is over.

Then perhaps I'm missing something, but what's the point in getting the
update if you can't actually apply it until everyone (including the bad
guys) know about it? Particularly when applying it is going to take a
whole lot more time than it takes for the bad guys to probe your systems
and figure out which aren't patched yet...

Thanks,

Stephen