Re: Heroku early upgrade is raising serious questions

From: damien clochard <damien(at)dalibo(dot)info>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, Selena Deckelmann <selena(at)chesnok(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-03 08:28:54
Message-ID: 515BE846.6060504@dalibo.info
Lists: pgsql-advocacy

>>
>> Here's a few comments :
>>
>> A/ I think the names of "The Packagers List" should be public. I think
>> it's important information when you choose a distribution system or a
>> service provider. One should be able to check if a package/service
>> provider is connected to the Security Team or not.
>
> Listing which packages, at least, seems reasonable. Doesn't have to be
> the people, but which projects/packages are included does.
>

Yes, this is what I meant: listing the names of organizations/companies
inside the Packagers List.

>
>> B/ I feel that all "Packagers" should respect the "embargo date". They
>> should not produce the packages prior to the official release. This is
>> what RPM and DEB packagers do and it's a good thing. Once again the
>> problem is not that Heroku had early access to the security fix. The
>> problem is that they "released" it 3 days before other packagers. I
>> don't know if they did that on purpose but the message they are sending
>> is "Heroku Postgres is more secure than vanilla PostgreSQL, because you
>> get upgrades before full disclosure"
>>
>> C/ The Packagers list could be extended to companies providing
>> PostgreSQL support. If the term "Packagers" includes not only
>> organizations that distribute the code but also organizations that
>> provide PostgreSQL as a service, then PostgreSQL support services
>> should be included too.
>
> In that case, you can just make it public in the first place. Any
> company can claim to do postgres support. There are thousands of them
> out there that do, at a lower level.
>

Yes, just like anyone can claim to build their own distro or a "cloud
database". Actually it's even easier to claim you do DBaaS than to
pretend to offer PostgreSQL support :-)

I never said the list should be extended to anyone asking. The Packagers
List needs to stay small and the Security Team is free to reject
requests that don't seem appropriate.

All I'm saying is that the difference between a DBaaS platform and a
Production Support provider can be very thin. Some PostgreSQL companies
offer high-level support including remote admin, monitoring, upgrades,
etc. At this level of service the difference from a cloud database is
just the location of the server.
