| From: | "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com> |
|---|---|
| To: | Andres Freund <andres(at)2ndquadrant(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Michael Meskes <meskes(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Josh Berkus <josh(at)agliodbs(dot)com>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, damien clochard <damien(at)dalibo(dot)info>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org> |
| Subject: | Re: Heroku early upgrade is raising serious questions |
| Date: | 2013-04-09 17:46:43 |
| Message-ID: | 4B42906C-FB28-4FEB-AF57-E9E09BEBC7D2@excoventures.com |
| Lists: | pgsql-advocacy |

On Apr 9, 2013, at 1:41 PM, Andres Freund wrote:
> On 2013-04-09 13:14:18 -0400, Stephen Frost wrote:
>> * Andres Freund (andres(at)2ndquadrant(dot)com) wrote:
>>> On 2013-04-09 12:29:37 -0400, Stephen Frost wrote:
>>>> Then perhaps I'm missing something, but what's the point in getting the
>>>> update if you can't actually apply it until everyone (including the bad
>>>> guys) knows about it? Particularly when applying it is going to take a
>>>> whole lot more time than it takes for the bad guys to probe your systems
>>>> and figure out which aren't patched yet...
>>>
>>> Patching, packaging and verifying that the package works takes time,
>>> especially if you run a modified version of postgres.
>>
>> I agree with that. For individuals who are primarily responsible for
>> providing packages getting access early to do those tasks is great.
>>
>> That does not address the large-scale deployments where upgrades also
>> take a very significant amount of time. If we are to provide them with
>> the information ahead of the release, as they are trusted, I do not
>> believe it makes any sense to prevent them from upgrading their systems
>> until the information is out in the open.
>
> Installing the packages somewhere where far more people have a chance to
> gain access to reduces the likelihood that somebody figures out where
> the vulnerability is noticeably. Figuring out which parts of a binary
> have changed is easy enough, even if it's stripped.
>
> Also, it changes how privileged the people that get access to the
> vulnerability are. If they are allowed to install at the same time as
> everyone else it's somewhat fair game, otherwise there will be people
> making a marketing distinction out of their privileged access.
Well, part of the policy of getting early access should be "do not publicize that you have early access" - that would eliminate any publicity / marketing advantages an entity could take.
Jonathan