| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> |
| Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-advocacy(at)postgresql(dot)org |
| Subject: | Re: Heroku early upgrade is raising serious questions |
| Date: | 2013-04-18 00:04:46 |
| Message-ID: | 20130418000446.GD4361@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-advocacy |
* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> These are all good points. The vulnerability that got Heroku early
> access was a network port vulnerability. A different type of
> vulnerability might _not_ have gotten them early access, and might have
> gotten someone else early access. This port vulnerability was of a
> severity that historically we only see every five years, so it is hard
> to come up with a policy that might not be exercised for another five
> years.
I'm not a fan of building some massive table of who has what exposures
that we need to go and consult every time we have a security fix.
There's either "ok, certain people should know about this ahead of time"
and "this is small-potatoes and doesn't really need early notice", which
mainly boils down into unauthenticated vs. authenticated
vulnerabilities, imv.
I do agree, however, that each security issue needs to be considered
independently on a case-by-case basis.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2013-04-18 08:09:10 | Re: 9.3 Beta 1 Coming Soon! |
| Previous Message | Stephen Frost | 2013-04-18 00:01:51 | Re: Heroku early upgrade is raising serious questions |