Re: Heroku early upgrade is raising serious questions

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: pgsql-advocacy(at)postgresql(dot)org
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-17 16:59:14
Message-ID: 516ED4E2.1010609@agliodbs.com
Lists: pgsql-advocacy


> It's been answered multiple times: -core (or some other committee which
> they create, should they feel a need to) is responsible for reviewing
> and approving such requests.

Actually, at this point the question is *whether or not* to have an early
notification list at all.

Right now, the only people who get early information on not-yet-released
security updates are people who are directly involved in either (a)
patching the updates, or (b) packaging the updates, by policy. The
definition of "packager" was extended to DBAAS vendors for the last
security release, but not necessarily on a permanent basis.

The security team and the packagers have to receive early information in
order for us to get a security update out the door. Nobody else does.

There are a lot of pros and cons to having an early notification list at
all. The pros are obvious to the prospective members of such a list,
but the cons are:

a) as the list grows, the probability of a leak approaches 100%

b) resentment by whoever doesn't make the cut to be on the list

c) effort to maintain the list.

That's the first question to answer. Discussing who's on such a list
comes after deciding if we should have one at all. Other open source
projects are split on the issue.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
