Re: Heroku early upgrade is raising serious questions

Michael,

* Michael Meskes (meskes(at)postgresql(dot)org) wrote:
> But this does not only apply to the Heroku's of this world. What about the not
> so hypothecial example I brought earlier? There are actually a lot of companies
> out there that deploy Postgres on a large scale but are not DBaaS providers.
> There are also alot of companies that somehow bundle Postgres with their
> product and deliver it to *a lot* of customers. Their upgrade problem is even
> worse. Do we add them all?

Who gets added and who doesn't would be the committee's responsibility.
Risk and exposure would weigh into that decision. DBaaS providers had a
much higher from this most recent bug than even very large scale
internal deployments. When asking "do we add them all?", the answer
will have to be 'no' or there would end up being little point.

> Besides some of these might get their packages from
> service providers. Ok, in theory we could add those. But how about those who
> use packages from one of the distros? With the same argument we would have to
> go for a two step embargo.

I don't entirely follow this. Upthread I had suggested a multi-phase
approach which sounds like what you mean by 'two step embargo'. I
continue to feel that makes sense, to give everyone the best chance at
upgrading prior to exploits being generally available.

Thanks,

Stephen