Re: Heroku early upgrade is raising serious questions

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Michael Meskes <meskes(at)postgresql(dot)org>
Cc: Andres Freund <andres(at)2ndquadrant(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, damien clochard <damien(at)dalibo(dot)info>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-11 12:48:03
Message-ID: 20130411124803.GD4361@tamriel.snowman.net
Lists: pgsql-advocacy

Michael,

* Michael Meskes (meskes(at)postgresql(dot)org) wrote:
> But this does not only apply to the Herokus of this world. What about the not
> so hypothetical example I brought earlier? There are actually a lot of companies
> out there that deploy Postgres on a large scale but are not DBaaS providers.
> There are also a lot of companies that somehow bundle Postgres with their
> product and deliver it to *a lot* of customers. Their upgrade problem is even
> worse. Do we add them all?

Who gets added and who doesn't would be the committee's responsibility.
Risk and exposure would weigh into that decision. DBaaS providers had a
much higher from this most recent bug than even very large scale
internal deployments. When asking "do we add them all?", the answer
will have to be 'no' or there would end up being little point.

> Besides some of these might get their packages from
> service providers. Ok, in theory we could add those. But how about those who
> use packages from one of the distros? With the same argument we would have to
> go for a two step embargo.

I don't entirely follow this. Upthread I had suggested a multi-phase
approach which sounds like what you mean by 'two step embargo'. I
continue to feel that makes sense, to give everyone the best chance at
upgrading prior to exploits being generally available.

Thanks,

Stephen
