Re: Heroku early upgrade is raising serious questions

From: "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>
To: Selena Deckelmann <selena(at)chesnok(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-03 00:14:23
Message-ID: 49749E6B-792F-4126-8BE5-D32FBFE39A21@excoventures.com
Lists: pgsql-advocacy

On Apr 2, 2013, at 8:03 PM, Selena Deckelmann wrote:

> On Tue, Apr 2, 2013 at 4:42 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
>> Having some kind of documentation / policy regarding who can get access,
>> or what they have to do to get access, would certainly help address
>> these concerns.
>
> This is a key point.
>
> Also, for those concerned about blowback, I've read through most of the commentary. If you read beyond the knee-jerk reactions, there's a lot of comments like this:
>
> https://news.ycombinator.com/item?id=5477679
> https://news.ycombinator.com/item?id=5476294
> https://news.ycombinator.com/item?id=5476294
> https://news.ycombinator.com/item?id=5458437
> https://news.ycombinator.com/item?id=5457288
>
> The slashdot article was full of similar sentiments.
>
> The TechCrunch article had just two comments - leading me to conclude that most people view the angle the reporter took as sensational, and not worthy of arguing over.
> So, while it's reasonable to be concerned and want to make this process more transparent and well-documented, I think that overall, the impression our users have is generally *positive*, and they'd like to know what the vulnerability actually is before passing judgment on the process that was used to release the fix.
>
> I agree that we should have a well-documented security release process. There are existing processes documented that we might use as a starting point, and I personally think largely match what we currently do, like: https://docs.djangoproject.com/en/1.5/internals/security/

The Django security release guide is good - I think we could almost copy & paste it. I could throw something up on our wiki where we can fill in the blanks on what we want the actual policy to be and allow people to comment + add modifications.
