| From: | Andres Freund <andres(at)2ndquadrant(dot)com> |
|---|---|
| To: | "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Michael Meskes <meskes(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, damien clochard <damien(at)dalibo(dot)info>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
| Subject: | Re: Heroku early upgrade is raising serious questions |
| Date: | 2013-04-09 17:50:24 |
| Message-ID: | 20130409175024.GA9959@awork2.anarazel.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-advocacy |
On 2013-04-09 13:46:43 -0400, Jonathan S. Katz wrote:
> On Apr 9, 2013, at 1:41 PM, Andres Freund wrote:
>
> > On 2013-04-09 13:14:18 -0400, Stephen Frost wrote:
> >> * Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
> >>> On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
> >>>> Then perhaps I'm missing something, but what's the point in getting the
> >>>> update if you can't actually apply it until everyone (including the bad
> >>>> guys) know about it? Particularly when applying it is going to take a
> >>>> whole lot more time than it takes for the bad guys to probe your systems
> >>>> and figure out which aren't patched yet...
> >>>
> >>> Patching, packaging and verifying that the package works takes time,
> >>> especially if you run a modified version of postgres.
> >>
> >> I agree with that. For individuals who are primairly responsible for
> >> providing packages getting access early to do those tasks is great.
> >>
> >> That does not address the large-scale deployments where upgrades also
> >> take a very signifigant amount of time. If we are to provide them with
> >> the information ahead of the release, as they are trusted, I do not
> >> believe it makes any sense to prevent them from upgrading their systems
> >> until the information is out in the open.
> >
> > Installing the packages somewhere where far more people have a chance to
> > gain access to reduces the likelihood that somebody figures out where
> > the vulnerability is noticeably. Figuring out which parts of a binary
> > have changed is easy enough, even if its stripped.
> >
> > Also, it changes how privileged the people that get access to the
> > vulnerability are. If they are allowed to install at the same time as
> > everyone else its somewhat fair game, otherwise there will be people
> > making a marketing distinction out of their privileged access.
>
> Well, part of the policy of getting early access should be "do not publicize that you have early access" - that would eliminate any publicity / marketing advantages an entity could take.
Things like the heroku downtime notice make that pretty clear
though. They hardly could not announce that they have a downtime though,
so I am not blaming them for that, but its still obvious.
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2013-04-09 17:54:08 | Re: Heroku early upgrade is raising serious questions |
| Previous Message | Jonathan S. Katz | 2013-04-09 17:46:43 | Re: Heroku early upgrade is raising serious questions |