Re: Heroku early upgrade is raising serious questions

From: Andres Freund <andres(at)2ndquadrant(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Michael Meskes <meskes(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, damien clochard <damien(at)dalibo(dot)info>, "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-09 17:41:43
Message-ID: 20130409174143.GE27905@awork2.anarazel.de
Lists: pgsql-advocacy

On 2013-04-09 13:14:18 -0400, Stephen Frost wrote:
> * Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
> > On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> > > Then perhaps I'm missing something, but what's the point in getting the
> > > update if you can't actually apply it until everyone (including the bad
> > > guys) know about it? Particularly when applying it is going to take a
> > > whole lot more time than it takes for the bad guys to probe your systems
> > > and figure out which aren't patched yet...
> >
> > Patching, packaging and verifying that the package works takes time,
> > especially if you run a modified version of postgres.
>
> I agree with that. For individuals who are primarily responsible for
> providing packages getting access early to do those tasks is great.
>
> That does not address the large-scale deployments where upgrades also
> take a very significant amount of time. If we are to provide them with
> the information ahead of the release, as they are trusted, I do not
> believe it makes any sense to prevent them from upgrading their systems
> until the information is out in the open.

Installing the packages somewhere where far more people have a chance to
gain access to them reduces the likelihood that somebody figures out where
the vulnerability is noticeably. Figuring out which parts of a binary
have changed is easy enough, even if it's stripped.

Also, it changes how privileged the people that get access to the
vulnerability are. If they are allowed to install at the same time as
everyone else it's somewhat fair game, otherwise there will be people
making a marketing distinction out of their privileged access.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
